EvilProxy Phishing Attack Strikes Indeed, Targets Executives

Written by

A new EvilProxy phishing attack has taken aim at the job search platform Indeed while focusing on executives in various industries. 

Menlo Labs, a cybersecurity research team, brought this discovery to light in an advisory published on Tuesday, where they unraveled the intricate workings of a campaign that began in July and persisted into August 2023. 

This sophisticated attack leveraged the phishing kit known as EvilProxy, which functions as a reverse proxy, enabling it to intercept requests between users and legitimate websites.

Notably, EvilProxy showcased the ability to harvest session cookies, rendering it capable of bypassing multi-factor authentication (MFA).

The primary target of this malicious campaign appeared to be organizations based in the United States, with the attackers cunningly exploiting an open redirection vulnerability on Indeed.com. 

The research revealed a particular focus on executives, especially those in the C-suite, within sectors such as banking and financial services, insurance providers, property management and real estate, and manufacturing. 

The attacker's infection vector involved phishing emails equipped with deceitful links. Upon clicking these links, victims were directed to counterfeit Microsoft Online login pages. The research was conducted by analyzing data gathered from URLScan, Phishtank and VirusTotal feeds.

The revelation underscores the grave threat posed by open redirection vulnerabilities, where users are lured into believing they are being directed to trusted sources like Indeed.com, only to find themselves on phishing pages. 

EvilProxy, acting as a reverse proxy, played a pivotal role in the attack chain, enabling threat actors to pilfer session cookies and effectively bypass MFA.

How to Stop EvilProxy Phishing Attacks

In response to these findings, Menlo Labs recommends taking several protective measures, including:

  1. User Education: Raising awareness and training users to recognize phishing threats.

  2. Phishing-Resistant MFA: Implementing phishing-resistant Multi-Factor Authentication (MFA) solutions, such as FIDO-based authentication.

  3. Verification of Target URLs: Ensuring the legitimacy of target URLs rather than assuming their safety.

  4. Real-Time Protection: Deploying real-time protection solutions to guard against zero-hour phishing attacks.

Additionally, Menlo Labs acted responsibly by disclosing the open redirect vulnerability to Indeed.com, highlighting the severe implications of this threat to facilitate prompt mitigation.

Read more on EvilProxy attacks: EvilProxy Campaign Fires Out 120,000 Phishing Emails

Image credit: dennizn / Shutterstock.com

What’s hot on Infosecurity Magazine?