EvilProxy Phishing Attack Targets Indeed | Cyware Hacker News

Recent research from Menlo Labs has uncovered a sophisticated phishing campaign aimed at executives employed across industries, such as banking, insurance, property management, real estate, and manufacturing. The U.S.-based organizations have been the primary targets.

Diving into details

The phishing campaign began in July and abused an open redirection vulnerability on the job search platform Indeed[.]com.
  • The campaign employed the EvilProxy phishing kit against potential targets.
  • The phishing pages impersonate Microsoft login pages as part of an Adversary-in-the-Middle (AiTM) phishing method.
  • The kit operates as a reverse proxy that sits between the victim's browser and the legitimate website, which allows it to harvest session cookies.
  • Because a stolen session cookie represents an already-authenticated session, this bypasses security measures such as MFA that is not phishing-resistant.

Modus operandi

  • Phishing pages deployed by EvilProxy dynamically fetched content from the legitimate login sites, so victims saw the real login flow.
  • The phisher could then intercept the traffic between victim and server and steal session cookies, enabling them to impersonate victims and bypass MFA.

Why this matters

An open redirection vulnerability plays a critical role in this scheme. Essentially, it is a flaw in which an application redirects users to an untrusted external domain supplied in a request parameter. Because the link starts at a trusted domain, the flaw abuses the trust users place in the original source, misleading them into believing they are visiting a legitimate site when they are, in reality, being sent to a malicious one.
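To make the defect concrete, here is an added example (not code from the Menlo Labs report, Indeed, or the EvilProxy kit) showing the vulnerable redirect pattern next to a hardened validator; the host names and test inputs are constructed, and ALLOWED_HOSTS is a hypothetical allowlist for a site's own "next"/"return" parameter.

```python
"""Added example: open-redirect pattern and a hardened redirect validator.
Hosts and inputs are constructed; not code from the article or any vendor."""
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist: the only hosts a redirect parameter may point at.
ALLOWED_HOSTS = frozenset({"jobs.example.com", "www.example.com"})
DEFAULT_TARGET = "/"


def vulnerable_redirect(next_url: str) -> str:
    """The open-redirect bug: the parameter is trusted and used as the Location."""
    return next_url


def safe_redirect(next_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a redirect target that stays on an allowed host, else DEFAULT_TARGET.

    Covers the usual bypasses: absolute URLs to foreign hosts, scheme-relative
    '//evil.test', backslash forms '/\\evil.test' that browsers read as '//',
    non-http schemes, and userinfo tricks such as 'https://good@evil.test'.
    """
    # Browsers trim surrounding whitespace and treat '\' like '/'; mirror that
    # before parsing so the check sees what the browser will see.
    candidate = next_url.strip().replace("\\", "/")
    if not candidate or any(ord(c) < 0x20 for c in candidate):
        return DEFAULT_TARGET  # empty or contains control characters
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, etc.
    if parts.netloc:
        # Absolute or scheme-relative URL: compare on hostname only, so that
        # userinfo ('good@evil.test') and ports cannot fool the allowlist.
        if parts.hostname is None or parts.hostname not in allowed_hosts:
            return DEFAULT_TARGET
        if parts.username or parts.password:
            return DEFAULT_TARGET
        # Rebuild from parsed parts: force https, drop port, userinfo, fragment.
        return urlunsplit(("https", parts.hostname, parts.path or "/",
                           parts.query, ""))
    # Relative target: must be a single-slash path; '//' or '///' would be
    # interpreted by the browser as a new authority (host).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_TARGET
    return urlunsplit(("", "", parts.path, parts.query, ""))
```

The validator returns a rebuilt URL rather than echoing the input, so anything the parser discarded (userinfo, fragment, port) never reaches the Location header.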

The bottom line

This campaign highlights the escalating threat organizations face from actors who combine sophisticated tooling with trusted platforms to hoodwink their targets. To mitigate such threats, it is recommended to educate employees through regular training sessions, implement robust security controls (including phishing-resistant MFA), continuously monitor network traffic, and maintain updated threat intelligence to identify and counter emerging threats.