Cybercriminals Target U.S. Company Executives with the EvilProxy Phishing Toolkit

admin, 2023-10-14 02:21:19, comments, 12 views, 4040 characters, 13 min 28 s reading time


Senior executives working in U.S.-based organizations are being targeted by a new phishing campaign that leverages a popular adversary-in-the-middle (AiTM) phishing toolkit named EvilProxy to conduct credential harvesting and account takeover attacks.


Menlo Security said the activity started in July 2023, primarily singling out banking and financial services, insurance, property management and real estate, and manufacturing sectors.


"The threat actors leveraged an open redirection vulnerability on the job search platform 'indeed.com,' redirecting victims to malicious phishing pages impersonating Microsoft," security researcher Ravisankar Ramprasad said in a report published last week.


EvilProxy, first documented by Resecurity in September 2022, functions as a reverse proxy that's set up between the target and a legitimate login page to intercept credentials, two-factor authentication (2FA) codes, and session cookies to hijack accounts of interest.


The threat actors behind the AiTM phishing kit are tracked by Microsoft under the moniker Storm-0835 and are estimated to have hundreds of customers.


"These cyber criminals pay monthly license fees ranging from $200 to $1,000 USD and carry out daily phishing campaigns," the tech giant said. "Because so many threat actors use these services, it is impractical to attribute campaigns to specific actors."


In the latest set of attacks documented by Menlo Security, victims are sent phishing emails with a deceptive link pointing to Indeed, which, in turn, redirects the individual to an EvilProxy page to harvest the credentials entered.


This is accomplished by taking advantage of an open redirect flaw, which occurs when a failure to validate user input causes a vulnerable website to redirect users to arbitrary web pages, bypassing security guardrails.

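To make the open-redirect mechanism concrete, the following Python snippet (added here; it is not code from Menlo Security's report, from Indeed, or from EvilProxy) contrasts a redirect handler that trusts its `target` parameter as-is with one that resolves the parameter against the site's own origin and only honours destinations on an allow-list. The origin `https://www.example/`, the allowed hosts and the parameter name `target` are constructed for the example.

```python
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed for this example: the hypothetical site's own origin and the
# hosts it is allowed to hand users off to.
SITE_ORIGIN = "https://www.example/"
ALLOWED_HOSTS = {"www.example", "jobs.example"}


def _target_param(request_url: str) -> Optional[str]:
    """Return the first 'target' query value of the incoming request URL, if any."""
    values = parse_qs(urlsplit(request_url).query).get("target")
    return values[0] if values else None


def redirect_target_unsafe(request_url: str) -> Optional[str]:
    """The open-redirect pattern: wherever 'target' points is where the user goes.

    Nothing here validates the destination, so a link crafted by an attacker
    but hosted on a trusted-looking domain lands the victim on a phishing host.
    """
    return _target_param(request_url)


def redirect_target_safe(request_url: str) -> str:
    """Hardened version: resolve 'target' against our own origin and honour it
    only when the result is an http(s) URL on an allow-listed host."""
    raw = _target_param(request_url)
    if raw is None:
        return SITE_ORIGIN
    # urljoin keeps relative paths on our origin; absolute URLs and
    # scheme-relative forms such as '//evil.invalid/x' still point elsewhere,
    # which the checks below catch.
    resolved = urljoin(SITE_ORIGIN, raw.strip())
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return SITE_ORIGIN  # rejects javascript:, data:, and similar schemes
    if parts.hostname not in ALLOWED_HOSTS:
        return SITE_ORIGIN  # rejects external and look-alike hosts
    return resolved


if __name__ == "__main__":
    # Constructed request URLs: one benign, one pointing off-site, one using
    # the scheme-relative form.
    for url in (
        "https://www.example/r?id=42&target=/account/settings",
        "https://www.example/r?id=42&target=https://login-portal.invalid/auth",
        "https://www.example/r?id=42&target=//login-portal.invalid/auth",
    ):
        print(url, "->", redirect_target_unsafe(url), "|", redirect_target_safe(url))
```

The allow-list check is deliberately made on the parsed `hostname` rather than on a substring of the raw parameter, so destinations such as `https://www.example.evil.invalid/` or `https://www.example@evil.invalid/` are rejected along with plain external hosts.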


"The subdomain 't.indeed.com' is supplied with parameters to redirect the client to another target (example.com)," Ramprasad said.


"The parameters in the URL that follow the '?' are a combination of parameters unique to indeed.com and the target parameter whose argument consists of the destination URL. Hence the user upon clicking the URL ends up getting redirected to example.com. In an actual attack, the user would be redirected to a phishing page."

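A mail gateway or link scanner can flag the link shape described above without knowing the redirector in advance: parse each link and check whether any query-string value is itself an absolute URL on a different site. The Python below is an added example, not code from the report or from any vendor product; the redirector host `t.redirector.example`, the parameter names and the sample links are constructed, and the same-site test uses a last-two-labels heuristic as a stand-in for a Public Suffix List lookup.

```python
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit


def _site_of(host: str) -> str:
    """Crude registrable-domain approximation: the last two DNS labels.

    A production gateway should consult the Public Suffix List instead, since
    this heuristic mishandles suffixes such as 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embedded_external_urls(link: str) -> List[Tuple[str, str]]:
    """Return (parameter_name, destination_host) for every query parameter of
    `link` whose value is itself an absolute http(s) URL on a different site.

    A trusted host whose query string carries a foreign destination is the
    fingerprint of redirect chaining, whichever redirector sits in front.
    """
    outer = urlsplit(link)
    own_site = _site_of(outer.hostname or "")
    hits = []
    for name, value in parse_qsl(outer.query, keep_blank_values=True):
        # parse_qsl already percent-decoded once; a second unquote catches
        # double-encoded destinations, a common way to slip past naive filters.
        inner = urlsplit(unquote(value).strip())
        if inner.scheme not in ("http", "https") or not inner.hostname:
            continue
        if _site_of(inner.hostname) != own_site:
            hits.append((name, inner.hostname))
    return hits


def suspicious_links(links: List[str]) -> List[str]:
    """Filter a list of extracted email links down to those that chain off-site."""
    return [link for link in links if embedded_external_urls(link)]


# Constructed sample links, as a mail scanner might extract them from a message:
# an off-site redirect, a same-site redirect, a double-encoded off-site redirect,
# and a plain link with no query string.
SAMPLE_LINKS = [
    "https://t.redirector.example/click?id=abc123&target=https://login-portal.invalid/auth",
    "https://t.redirector.example/click?id=abc123&target=https://www.redirector.example/jobs/42",
    "https://t.redirector.example/click?target=https%253A%252F%252Flogin-portal.invalid%252Fauth",
    "https://www.redirector.example/jobs/42",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(embedded_external_urls(link) or "ok", "<-", link)
```

Flagged links are candidates for further inspection rather than automatic verdicts: legitimate tracking redirectors also carry destination URLs, so the useful follow-up is to resolve the embedded destination and apply the usual reputation and look-alike checks to that host rather than to the trusted front door.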

The development arrives as threat actors are leveraging Dropbox to create fake login pages with embedded URLs that, when clicked, redirect users to bogus sites that are designed to steal Microsoft account credentials as part of a business email compromise (BEC) scheme.


"It's yet another example of how hackers are utilizing legitimate services in what we call BEC 3.0 attacks," Check Point said. "These attacks are incredibly difficult to stop and identify, for both security services and end users."


Microsoft, in its Digital Defense Report, noted how "threat actors are adapting their social engineering techniques and use of technology to carry out more sophisticated and costly BEC attacks" by abusing cloud-based infrastructure and exploiting trusted business relationships.


It also comes as the Police Service of Northern Ireland warned of an uptick in qishing emails, which involve sending an email with a PDF document or a PNG image file containing a QR code in an attempt to sidestep detection and trick victims into visiting malicious sites and credential harvesting pages.


This article was originally published on the WeChat official account 知机安全: Cybercriminals Target U.S. Company Executives with the EvilProxy Phishing Toolkit

Posted by admin on 2023-10-14 02:21:19. Please keep the link to this article when reposting (CN-SEC: thanks to the original author for their work): https://cn-sec.com/archives/2099948.html
