A new Phishing-as-a-Service (PaaS) platform, EvilProxy, has emerged that uses reverse proxy technology and promises to steal authentication tokens in order to bypass multi-factor authentication (MFA). The service currently supports stealing tokens for accounts on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and PyPI.
The reverse proxy that EvilProxy utilizes sits between the targeted victim and the legitimate authentication endpoint of the targeted service. When the victim accesses the phishing page, the reverse proxy displays the service’s legitimate login form. When the user enters their credentials into it, the proxy forwards the request to the actual platform’s server for authentication, which in turn returns the platform’s MFA request. The user receives the MFA request and completes it, and the reverse proxy forwards the response to the platform’s server. Once MFA has been completed, the platform’s server returns the session cookie containing the authentication token to the user. Because the reverse proxy intercepts and forwards every request, the malicious proxy also receives the session cookie, which allows the threat actor to steal it and use it to log into the site as the user. This method bypasses MFA because the threat actor steals an authentication token that has already been generated and is still active for the platform in question.
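One detection angle that follows from the flow above: the server records the client that completed MFA (in this scenario, the proxy), so a session cookie later presented from a different IP and browser is a replay candidate. The following is an added defender-side example, not code from the article or from any product; the log format, field names and all sample values are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample authentication log (hypothetical, not from the article).
# Session s1 is normal; s2 is minted after MFA from one client and then
# presented from a different IP and browser, as in a stolen-cookie scenario.
SAMPLE_LOG = """
{"ts": 100, "event": "mfa_success", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Firefox/115"}
{"ts": 130, "event": "request", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Firefox/115"}
{"ts": 200, "event": "mfa_success", "user": "bob", "session": "s2", "ip": "198.51.100.7", "ua": "Chrome/116"}
{"ts": 210, "event": "request", "user": "bob", "session": "s2", "ip": "198.51.100.7", "ua": "Chrome/116"}
{"ts": 260, "event": "request", "user": "bob", "session": "s2", "ip": "192.0.2.44", "ua": "Chrome/117"}
"""

def parse_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_replayed_sessions(events):
    """Map session id -> list of requests made from a client other than the one
    that completed MFA for that session. Each alert records which attributes changed."""
    origin = {}                  # session -> (ip, ua) recorded at MFA completion
    alerts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "mfa_success":
            origin[sid] = (ev["ip"], ev["ua"])
            continue
        if ev["event"] != "request" or sid not in origin:
            continue             # no MFA baseline yet for this session
        ip0, ua0 = origin[sid]
        changed = [name for name, old, new in (("ip", ip0, ev["ip"]), ("ua", ua0, ev["ua"]))
                   if old != new]
        if changed:
            alerts[sid].append({"ts": ev["ts"], "user": ev["user"], "changed": changed,
                                "severity": "high" if len(changed) == 2 else "medium"})
    return dict(alerts)

if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(parse_log(SAMPLE_LOG)).items():
        for h in hits:
            print(f"session {sid} ({h['user']}): {h['severity']} - "
                  f"{', '.join(h['changed'])} changed at ts={h['ts']}")
```

Legitimate address changes (mobile networks, NAT) make IP-only alerts noisy, so the user-agent comparison and the severity split are there to rank, not to block on their own.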
While reverse proxies used to bypass MFA are not new, EvilProxy’s service has been built to be far simpler to use than many of the other phishing frameworks that support this method. EvilProxy offers an easy-to-use GUI along with detailed instructional videos and tutorials, which allow even low-skill threat actors to steal authentication tokens for well-protected accounts.