New Security Threat – EvilProxy

Survival in business can be difficult.  In addition to a slowing economy and supply chain issues in 2020 – 2021, data breaches at small businesses soared 152%.  Cyberattacks leave people feeling helpless, frustrated, and overwhelmed by the magnitude of all they are up against.  So how does a small business protect itself from a data breach? The best solution is to teach your employees about cybersecurity.  Ongoing and consistent training is the key to minimizing your risk.  However, even the best trained employees could fall for the latest scheme, called EvilProxy.  It takes a keen eye and a solid understanding of what's happening to be able to spot it.


What is it?

EvilProxy is a new Phishing-as-a-Service platform that lets criminals get past two-factor authentication (2FA) on services like Microsoft, Google, Facebook, Twitter, etc. It does this by placing a proxy between the victim and the real login page, so the victim completes a genuine login (MFA included) while the attacker walks away with the resulting session. There's a lot of technical jargon to work through on this one.  In order to understand what's happening you have to understand the pieces that go into this cyberattack.

  • Phishing schemes trick users into providing sensitive information that can be sold or used maliciously. Sometimes they are easy to spot and sometimes they aren't.  If you need help figuring out how to spot a phishing scheme, check out our blog post on the subject.
  • Multifactor authentication is an added layer of protection that you use with your logins in order to prove that the person accessing the information is you. You can read more about MFA on our blog.  Once you have logged in successfully, an application typically remembers your browser or device as trusted for a certain amount of time (it hands your browser a session token or cookie). Once that time is up, you need to reauthenticate. It is this session, not your password, that EvilProxy is after.
  • Proxies are intermediaries that sit between your device and the websites you visit. Businesses typically use them to filter traffic and protect devices from malicious content online, and they are generally a good thing.   EvilProxy uses the same technology for the opposite purpose: its proxy sits between the victim and the real login page so it can read everything that passes through, including login credentials and the session that comes back.

Why the concern?

Since this is Phishing-as-a-Service (yes, these things exist!), anyone who is willing to pay for a subscription can carry out the attack.  This new malicious platform puts a technique that once required real skill in the hands of even the most novice hacker.  What a game changer. EvilProxy drastically increases the threat spectrum.  It leverages technology, the reverse proxy, that has been used for quite a while for good things.  But it uses it in a very malicious way.  The proxy relays the victim's password and MFA code to the genuine website in real time, so the website sees a perfectly normal login. The website then hands back a session token that says "this browser has already proved who it is," and the proxy keeps a copy.  Because the attacker holds that token, the cyber thieves have access to the victim's account for as long as the session lasts, that is, until the web server asks for reauthentication or the session is revoked.  If you have it set to never reauthenticate then there's a big problem.

What does it look like?

EvilProxy scams are sent just like a normal phishing email.  In this instance, the scam will seem legitimate.  There will be a link that seems like it is coming from a trusted source.  When you click on the link, it takes you to a website on an attacker-controlled domain that looks exactly like the legitimate login page, because the proxy is showing you the real page's content.  Since it seems real, victims enter their credentials. EvilProxy passes everything straight through to the expected website, including any MFA code that was entered, and the victim is logged in normally and usually notices nothing. Behind the scenes, the attacker keeps the session token the real site issued and can use it from their own machine without ever entering a password or MFA code.


To make matters worse, once EvilProxy holds a valid session token, that access lasts until the session expires and the application requests reauthentication, or until the session is explicitly revoked. Login reauthentication requests vary by application. It could be 30 days, 90 days or never. If you are a victim of EvilProxy, your data could be compromised for a long time before you know something is up.


What can you do?

If you receive an email with a link which prompts you for a username and/or password, verify it's from a source you know and trust.  If it has come from someone you trust, verify the link itself is valid.  Hover your mouse over the link without clicking (on a phone, press and hold) to see the address it really points to, or right-click and copy the link address.  Look at the domain just before the first single slash: are you going to Gmail.com, spoofedsite-gmail.com or gmial.com?  The text you see on the link can say anything; only the real address counts.  If you are still unsure, call the sender.  A simple phone call can thwart most disguised threats.
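The "where does this link really go?" check above can be done by a script as well as by eye. The following is an added example, not code from the original post: it pulls every link out of a constructed HTML email, works out the real destination domain, and flags links whose visible text names a trusted site while the address points somewhere else. The trusted-domain list, the sample email and the function names are all assumptions made for this illustration.

```python
"""Inspect the links in an HTML email and report where each one really leads.
Constructed example: the email body, the trusted-domain list and the helper
names are assumptions for illustration, not part of the original post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains your organisation genuinely expects login links to point at (assumption).
TRUSTED_DOMAINS = {"gmail.com", "google.com", "microsoft.com", "microsoftonline.com"}

# Constructed phishing-style email body: one honest link and three bad ones.
SAMPLE_EMAIL = """
<p>Your password expires today. <a href="https://accounts.google.com/signin">Sign in</a></p>
<p>Or use this link: <a href="https://spoofedsite-gmail.com/login">https://gmail.com/login</a></p>
<p><a href="https://gmial.com/login">Verify your account</a></p>
<p><a href="https://accounts.google.com.secure-login.net/">Google account</a></p>
"""

# Matches something that looks like a domain name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname: 'accounts.google.com' -> 'google.com',
    'accounts.google.com.secure-login.net' -> 'secure-login.net'. A production
    tool would consult the Public Suffix List instead of this two-label rule."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(href, text):
    """'ok' if the real destination is trusted; 'text-domain-mismatch' if the
    visible text names a trusted domain but the link goes elsewhere; otherwise
    'untrusted-domain'."""
    host = urlparse(href).hostname or ""
    if registered_domain(host) in TRUSTED_DOMAINS:
        return "ok"
    claimed = DOMAIN_IN_TEXT.findall(text.lower())
    if any(registered_domain(d) in TRUSTED_DOMAINS for d in claimed):
        return "text-domain-mismatch"
    return "untrusted-domain"


def check_links(html):
    """Returns [(href, visible text, verdict), ...] for every link in the email."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLE_EMAIL):
        print(f"{verdict:22} {href}  (shown as: {text!r})")
```

The fourth sample link is the one people miss most often: it starts with accounts.google.com, but the domain that actually answers is secure-login.net, which is exactly where an EvilProxy instance would be listening.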

If you fall for one of these schemes, don’t panic. Here are things you can do to help.

  • Change your password immediately, and use the account's "sign out of all devices" or "revoke all sessions" option if it offers one. The attacker is using a stolen session, not your password, and changing the password does not always end sessions that are already open. Ending those sessions is what kicks out the unwanted guests; once the hacker's session is gone they lose access to your data.
  • Update the reauthentication time frame for your applications. While it may feel cumbersome to reenter your credentials and authenticate more frequently, the cost of a data breach far outweighs the inconvenience. Where a service supports it, a security key or passkey (FIDO2) is bound to the real site's address, so a proxy on a lookalike domain cannot complete the login at all.
  • Contact your IT team ASAP. Getting help with this issue can minimize the impact that the data breach has on your organization or your personal info.
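To make the mechanism concrete, here is an added, self-contained model of the attack described under "Why the concern?" and "What does it look like?", together with the password-change, session-lifetime and session-revocation steps from the list above. It is illustration code written for this page, not EvilProxy's code and not any real service's login system: the identity provider, the one-time code scheme, the proxy and the timestamps are all toy constructions, and the provider is deliberately modelled as one that does not end existing sessions when the password changes.

```python
"""Toy model of an adversary-in-the-middle phishing proxy (EvilProxy-style).
Everything here is constructed for illustration: a pretend identity provider,
a pretend phishing proxy and pretend timestamps. No real service is contacted."""
import hashlib
import hmac
import secrets


class IdentityProvider:
    """The genuine login service. After a correct password and one-time code it
    issues a bearer session token that works until it expires or is revoked."""

    def __init__(self, session_lifetime_s):
        self.passwords = {}      # user -> password
        self.otp_secrets = {}    # user -> secret shared with the user's authenticator
        self.sessions = {}       # token -> (user, expires_at)
        self.session_lifetime_s = session_lifetime_s

    def register(self, user, password, otp_secret):
        self.passwords[user] = password
        self.otp_secrets[user] = otp_secret

    def expected_otp(self, user, now):
        # Toy TOTP: HMAC over the 30-second window number, truncated to 6 hex chars.
        window = str(int(now // 30)).encode()
        return hmac.new(self.otp_secrets[user], window, hashlib.sha256).hexdigest()[:6]

    def login(self, user, password, otp, now):
        if self.passwords.get(user) != password:
            return None
        if not hmac.compare_digest(otp, self.expected_otp(user, now)):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (user, now + self.session_lifetime_s)
        return token

    def whoami(self, token, now):
        """The user a token belongs to, or None if it is unknown, expired or revoked."""
        entry = self.sessions.get(token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def change_password(self, user, new_password):
        # Models a provider that does NOT invalidate existing sessions on a
        # password change. Many do, but it must not be assumed.
        self.passwords[user] = new_password

    def revoke_all_sessions(self, user):
        self.sessions = {t: s for t, s in self.sessions.items() if s[0] != user}


class PhishingProxy:
    """EvilProxy-style reverse proxy. The victim talks to it believing it is the
    real site; it forwards the login to the real provider and copies the token."""

    def __init__(self, idp):
        self.idp = idp
        self.captured_tokens = []

    def login(self, user, password, otp, now):
        token = self.idp.login(user, password, otp, now)  # genuine login, MFA included
        if token is not None:
            self.captured_tokens.append(token)
        return token  # the victim receives a real, working session


def run_scenario(session_lifetime_s=30 * 24 * 3600):
    """Plays the attack and the defences; returns what the attacker sees at each step."""
    idp = IdentityProvider(session_lifetime_s)
    idp.register("alice", "correct horse", b"alice-authenticator-secret")
    proxy = PhishingProxy(idp)
    t0 = 1_700_000_000  # constructed timestamp

    # 1. Alice follows the phishing link and logs in through the proxy with a valid code.
    alice_otp = idp.expected_otp("alice", t0)  # stands in for her authenticator app
    proxy.login("alice", "correct horse", alice_otp, t0)
    stolen = proxy.captured_tokens[0]
    results = {"after_phish": idp.whoami(stolen, t0 + 60)}

    # 2. Alice changes her password. On this provider the stolen token still works.
    idp.change_password("alice", "new password")
    results["after_password_change"] = idp.whoami(stolen, t0 + 120)

    # 3. A fresh login with the old password and a stale code fails: the attacker
    #    never needed one, because the session token is what they use.
    results["replay_old_creds"] = idp.login("alice", "correct horse", alice_otp, t0 + 600)

    # 4. Session lifetime decides how long the theft pays off.
    results["at_8h"] = idp.whoami(stolen, t0 + 8 * 3600)
    results["after_expiry"] = idp.whoami(stolen, t0 + session_lifetime_s + 1)

    # 5. Revoking all sessions ends the attacker's access immediately, whatever the lifetime.
    idp.revoke_all_sessions("alice")
    results["after_revoke"] = idp.whoami(stolen, t0 + 200)
    return results


if __name__ == "__main__":
    for step, seen_as in run_scenario().items():
        print(f"{step:22} attacker is seen as: {seen_as}")
```

Running it with the default 30-day lifetime shows the attacker still recognised as Alice after her password change and eight hours later; calling `run_scenario(4 * 3600)` shows a four-hour session lifetime cutting that off on its own, and in both cases revoking sessions ends the access at once.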

Need help?

If reading over this seems confusing or overwhelming, it’s ok to ask for help. IT Enabled is a managed IT service provider. We help organizations with 5-500 employees tackle technology issues by providing comprehensive IT including network and tech support, such as computer, laptop and server support, cybersecurity, disaster recovery options and business phone systems. Our business is keeping you focused on your business.