New EvilProxy Phishing Attack Uses Indeed.com Redirector to Target US Executives

Microsoft, the Dark Web and the name John Malkovich all factor into this EvilProxy phishing attack. The good news is there are steps IT can take to mitigate this security threat.
A new EvilProxy phishing attack is leveraging an open redirection flaw from the legitimate Indeed.com job search site, according to a report from Menlo Security, a cloud-based security company. Menlo Security notes this phishing attack campaign targets C-suite employees and other key executives at U.S.-based organizations primarily in manufacturing, insurance, banking and financial services, property management and real estate.
EvilProxy is a phishing-as-a-service kit that has been around since at least September 2022. The kit lets an attacker bypass two-factor authentication by acting as a reverse proxy between the victim and the legitimate service. To do this, the EvilProxy service sets up a phishing website according to the options the customer selects before the kit is deployed on the internet. Once a user accesses the phishing page, they’re asked to provide their credentials and 2FA code. The kit uses this information in real time to open a hijacked session on the legitimate service the attacker targets.
EvilProxy is being sold on the Dark Web as a subscription-based service with plans ranging from 10 to 31 days. Someone using the nickname John_Malkovich plays the role of administrator and intermediary assisting customers who have purchased the service, according to Menlo Security.
This new EvilProxy attack starts with a phishing email sent to targets. The email contains a link that abuses an open redirector from Indeed (Figure A).
Figure A
Redirectors are web links that might be used on legitimate websites for different reasons; however, redirectors need to be well implemented so they’re not abused. An open redirection is a redirection that can reroute the browser to any external domain.
In this attack, the threat actor takes advantage of a t.indeed.com subdomain, which acts as an open redirector when provided with the right parameters:
https://t.indeed.com/r?parenttk=1ddp6896a2tsm800&target=https://youtube.com
Once the target clicks the link, they’re redirected to a fake Microsoft login page, which is provided by the EvilProxy kit. The unsuspecting target provides their credentials and 2FA code to the phishing page. On the server side, the kit uses those credentials and 2FA in real time to provide the attacker with a valid session cookie, which can be used to access the victim’s resources on the Microsoft website (Figure B).
Figure B
In addition to the redirection from Indeed.com, two other redirections follow, controlled by the attackers (Figure C).
Figure C
According to the researchers, the phishing pages are hosted on common URI paths that are often used by EvilProxy:
The phishing kit also uses Microsoft’s Ajax Content Delivery Network to help with dynamic fetching and rendering of JavaScript content.
An HTTP POST request contains the victim’s base64-encoded email address and a session identifier, which is also typical of the EvilProxy phishing kit. The FingerprintJS library is also used for browser fingerprinting.
Researcher Ravisankar Ramprasad explains that NGINX servers replying with a “407 Proxy Authentication Required” status are also indicators of EvilProxy, as are sites returning a 444 status code on subdomains such as lmo., auth., live., login-live. and mso.
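The indicators above (a base64-encoded email in a POST body, NGINX replying 407, and 444 responses on login-like subdomains) can be turned into a simple triage check over proxy or web log records. This is an added example, not code from the report; the record layout and the sample records are constructed for illustration.

```python
import base64
import re

# Subdomain prefixes the report associates with 444 responses from EvilProxy hosts
SUSPICIOUS_LABELS = {"lmo", "auth", "live", "login-live", "mso"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def first_label(host: str) -> str:
    """Leftmost DNS label of a hostname, lowercased ('login-live' for login-live.x.y)."""
    return host.lower().split(".")[0]


def looks_like_b64_email(value: str) -> bool:
    """True if the value is strict base64 that decodes to an email address."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # bad alphabet/padding or non-ASCII bytes
        return False
    return EMAIL_RE.fullmatch(decoded) is not None


def evilproxy_indicators(record: dict) -> list:
    """Return the names of the report's indicators that a single log record matches.

    record keys (constructed layout): host, status, server, post_params (dict).
    """
    hits = []
    status = record.get("status")
    server = (record.get("server") or "").lower()
    host = record.get("host", "")
    if status == 407 and "nginx" in server:
        hits.append("nginx_407_proxy_auth")
    if status == 444 and first_label(host) in SUSPICIOUS_LABELS:
        hits.append("444_on_login_like_subdomain")
    for name, value in (record.get("post_params") or {}).items():
        if looks_like_b64_email(value):
            hits.append(f"base64_email_in_post:{name}")
    return hits


# Constructed sample records; hosts use reserved .test / documentation ranges only.
SAMPLE_RECORDS = [
    {"host": "login-live.example-phish.test", "status": 444, "server": "nginx", "post_params": {}},
    {"host": "203.0.113.10", "status": 407, "server": "nginx/1.18.0", "post_params": {}},
    {"host": "auth.example-phish.test", "status": 200, "server": "nginx",
     "post_params": {"u": "amFuZS5kb2VAZXhhbXBsZS5jb20=", "sid": "4a9c1e"}},
    {"host": "www.example-corp.test", "status": 200, "server": "apache", "post_params": {"q": "jobs"}},
]


def triage(records: list) -> dict:
    """Map each record's host to its matched indicators (empty list means no match)."""
    return {r["host"]: evilproxy_indicators(r) for r in records}
```

None of these indicators is conclusive on its own (many legitimate NGINX proxies answer 407), so treat a hit as a lead for further analysis rather than a verdict.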
In addition to manufacturing, insurance providers, banking and financial services, property management and real estate, other impacted sectors in decreasing order are electronic components manufacturing, pharmaceuticals, healthcare and construction. Approximately 3% of the targets are in other sectors that include software, business consulting, accounting, supply chain management and logistics (Figure D).
Figure D
Service providers and websites shouldn’t allow redirections without proper control and sanitizing of the parameters provided to the redirector. Most redirectors should be configured to only allow internal links. If a website does need a redirection to an external link, additional security measures, such as using whitelists of external domains, must be deployed.
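To show the difference between the open redirector abused here and a properly controlled one, the following added example (not Indeed's code, and not from the report) contrasts a handler that trusts the `target` parameter outright with one that only allows same-site paths and an explicit allowlist of external hosts. The host names and allowlist are assumptions made up for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed values: the redirector's own host and the external hosts it may send users to.
OWN_HOST = "example-jobs.test"
ALLOWED_EXTERNAL = {"partner.example-jobs.test"}
FALLBACK = "/"


def _target_param(url: str) -> str:
    """Extract the 'target' query parameter from a redirector URL, defaulting to '/'."""
    return parse_qs(urlparse(url).query).get("target", [FALLBACK])[0]


def weak_redirect_target(url: str) -> str:
    """Open redirector: whatever 'target' says is where the browser goes (the abused pattern)."""
    return _target_param(url)


def safe_redirect_target(url: str) -> str:
    """Controlled redirector: same-site absolute paths or allowlisted hosts only, else '/'."""
    target = _target_param(url)
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        # Relative target: accept a plain absolute path, reject '//host' and '/\\host' forms
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return FALLBACK
    if parsed.scheme not in ("http", "https"):  # javascript:, data:, etc.
        return FALLBACK
    host = (parsed.hostname or "").lower()  # hostname strips userinfo like 'a@evil.test'
    if host == OWN_HOST or host in ALLOWED_EXTERNAL:
        return target
    return FALLBACK
```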
Employees should be trained to detect phishing email and malicious links that might be contained in them. In case of doubt, employees must have an easy way, possibly via a clickable button in their email client, to report a suspicious email to the IT security staff for further analysis. In addition, email security solutions must be deployed to detect phishing or malware infection attempts.
All operating systems and software should always be up to date and patched to avoid being compromised by a common vulnerability.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.