Senior executives working in U.S.-based organizations are being targeted by a new phishing campaign that leverages a popular adversary-in-the-middle (AiTM) phishing toolkit named EvilProxy to conduct credential harvesting and account takeover attacks.
Menlo Security said the activity started in July 2023, primarily singling out banking and financial services, insurance, property management and real estate, and manufacturing sectors.
“The threat actors leveraged an open redirection vulnerability on the job search platform ‘indeed.com,’redirecting victims to malicious phishing pages impersonating Microsoft,” security researcher Ravisankar Ramprasad said in a report published last week.
EvilProxy, first documented by Resecurity in September 2022, functions as a reverse proxy that’s set up between the target and a legitimate login page to intercept credentials, two-factor authentication (2FA) codes, and session cookies to hijack accounts of interest.
The threat actors behind the AiTM phishing kit are tracked by Microsoft under the moniker Storm-0835 and are estimated to have hundreds of customers.
“These cyber criminals pay monthly license fees ranging from $200 to $1,000 USD and carry out daily phishing campaigns,” the tech giant said. “Because so many threat actors use these services, it is impractical to attribute campaigns to specific actors.”
In the latest set of attacks documented by Menlo Security, victims are sent phishing emails with a deceptive link pointing to Indeed, which, in turn, redirects the individual to an EvilProxy page to harvest the credentials entered.
This is accomplished by taking advantage of an open redirect flaw, which occurs when a failure to validate user input causes a vulnerable website to redirect users to arbitrary web pages, bypassing security guardrails.
“The subdomain ‘t.indeed.com’ is supplied with parameters to redirect the client to another target (example.com),” Ramprasad said.
“The parameters in the URL that follow the ‘?’ are a combination of parameters unique to indeed.com and the target parameter whose argument consists of the destination URL. Hence the user upon clicking the URL ends up getting redirected to example.com. In an actual attack, the user would be redirected to a phishing page.”
The development arrives as threat actors are leveraging Dropbox to create fake login pages with embedded URLs that, when clicked, redirect users to bogus sites that are designed to steal Microsoft account credentials as part of a business email compromise (BEC) scheme.
“It’s yet another example of how hackers are utilizing legitimate services in what we call BEC 3.0 attacks,” Check Point said. “These attacks are incredibly difficult to stop and identify, for both security services and end users.”
Microsoft, in its Digital Defense Report, noted how “threat actors are adapting their social engineering techniques and use of technology to carry out more sophisticated and costly BEC attacks” by abusing cloud-based infrastructure and exploiting trusted business relationships.
It also comes as the Police Service of Northern Ireland warned of an uptick in qishing emails, which involve sending an email with a PDF document or a PNG image file containing a QR code in an attempt to sidestep detection and trick victims into visiting malicious sites and credential harvesting pages.