“VoidProxy” PhishKit targets Google and Microsoft users


Okta’s Threat Intelligence security researchers have discovered and analysed what they describe as an advanced phishing platform that bypasses multi-factor authentication (MFA) and lowers the technical barrier to entry for attackers.

Image: Admin login page for VoidProxy

Targeting Microsoft and Google accounts, the phishing-as-a-service (PhaaS) platform, named VoidProxy, can circumvent MFA methods such as short message service (SMS) codes and one-time passwords (OTPs), Okta said.

VoidProxy uses Adversary in the Middle (AitM) phishing, with lure emails sent through legitimate email providers but from compromised accounts.

The phishing sites are hosted on low-cost top-level domains such as .icu, .sbs, .cfd, .xyz, .top, and .home, Okta researcher Houssem Eddine Bordjiba said, and serve content from behind the Cloudflare reverse proxy service to hide their actual Internet Protocol (IP) addresses.

Evasion techniques such as multiple redirections before the targeted victim lands on the replica of the Microsoft or Google login portal are employed; VoidProxy uses a Cloudflare CAPTCHA to ensure that only human users, rather than automated scanners, click through the phishing attack flow.

The PhaaS kit is also set up to use Cloudflare’s lightweight programmable proxy endpoints, Workers, to further hide the VoidProxy infrastructure beneath another layer.

Using Cloudflare Workers to inspect incoming traffic also makes it harder for security analysts to reach the real phishing site, as the VoidProxy kit can dynamically block them when it detects suspicious patterns.

Once a user has been tricked into supplying their credentials, accounts that are federated and set up to use single sign-on (SSO) are redirected to second-stage landing pages, whereas VoidProxy sends non-federated accounts directly to the Microsoft and Google servers.

At the final stage of the attack, after users have authenticated with the legitimate services, the PhaaS affiliate deploying VoidProxy steals their session cookies through an AitM reverse proxy running on ephemeral infrastructure with dynamic domain name service (DNS) records.

VoidProxy has an administrative panel for PhaaS users, providing them with detailed information about their phishing campaign efforts.

“This… phishing infrastructure is fairly advanced both in terms of MFA bypass capabilities and the way in which it was concealed from analysis until now,” Okta Threat Intelligence vice president Brett Winterford said.

Okta said phishing-resistant authenticators such as passkeys, hardware security keys and smart cards prevent users from sharing credentials with, or signing in through, the VoidProxy infrastructure.
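To show why a passkey defeats an AitM proxy where an SMS code or OTP does not, the following added example (not code from Okta or from the VoidProxy analysis) simulates the origin check a WebAuthn relying party performs: the browser stamps the origin the page was actually loaded from into clientDataJSON, so an assertion relayed through a proxy on a lookalike domain fails verification even when the proxy forwards the real challenge. The relying-party host, key and phishing origin are constructed for the demo, and an HMAC stands in for the authenticator's signature so it runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                # constructed: the legitimate IdP host
RP_ORIGIN = "https://login.example.com"
KEY = b"constructed-demo-key"              # stands in for the registered credential key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(key: bytes, challenge: bytes, origin: str) -> dict:
    """Browser/authenticator side. The browser, not the user or the page,
    fills in `origin`, so a proxy cannot make it claim the real IdP's origin."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash only, for the demo
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(key, signed, hashlib.sha256).digest()}


def verify_assertion(key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying-party side: challenge freshness, origin binding, RP ID hash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(expected_challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:          # the check an AitM proxy cannot satisfy
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def direct_login() -> bool:
    """User signs in on the real IdP origin: verification succeeds."""
    challenge = os.urandom(32)
    return verify_assertion(KEY, challenge, make_assertion(KEY, challenge, RP_ORIGIN))


def proxied_login(phish_origin: str = "https://login.example-phish.icu") -> bool:
    """AitM case: the proxy relays the IdP's genuine challenge, but the victim's
    browser records the lookalike origin, so the IdP rejects the assertion."""
    challenge = os.urandom(32)
    return verify_assertion(KEY, challenge, make_assertion(KEY, challenge, phish_origin))
```

In a real browser the credential would not even be offered on the lookalike origin, because the RP ID must be a registrable suffix of the page's origin; the origin check shown here is the server-side backstop.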

The identity management vendor also suggested access restrictions, training users to recognise suspicious emails, phishing sites and the common social engineering tactics used by attackers, and making it easy for them to report these.

Multiple MFA-bypassing phishing platforms have emerged over the past few years, such as the EvilProxy kit with a graphical user interface from 2022, and the newer Salty2FA PhaaS platform discovered this year.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.