EvilProxy has just hit the news; it’s nothing so new but has been commercialised which means that phishing hits new levels. Imagine this scenario…..
The scammer invests a small amount (around $400) and sets up a campaign. This would likely involve sending some phishing emails to targets with a view to stealing their credentials – 2nd factor included.
The links could look something like this:
hxxps://ebanking.yourbank.com.992E84C71C8E5AA8288F35F20AF0BB38BDAEA8D9596AC8B37606DA89961945E3.attackerdomain.com/something/else/here
That page would proxy components from hxxps://ebanking.yourbank.com and you would think you’re at the site. You enter your username and password here plus your one-time password or code and you log in. You notice nothing, you’re logged in to the site.
But your credentials have been acquired. Oh dear.
Steve Gibson explains it here for you.
The research has been done by Resecurity who released a report here.
By my estimation, even Out-of-Bounds authentication might be bypassed here – remember the attackers will have a live session to hook into as well as username and password to use; I certainly know that banks are checking for changing IP addresses for logged-in banking sessions – but if the scammers also use the proxy to log into the bank, all bets could be off.
This should be worrying and you can expect attacks to target banks, email accounts, social accounts and other high value targets – even if they use a second factor.
Watch this space, I am sure there will be more news in the near future…