CyberheistNews Vol 12 #37 [Eye Opener] The New Evil Proxy Phishing-as-a-Service Platform Beats MFA


CyberheistNews Vol 12 #37  |   September 13th, 2022

[Eye Opener] The New Evil Proxy Phishing-as-a-Service Platform Beats MFA
Stu Sjouwerman, SACP

Researchers at Resecurity have discovered a new Phishing-as-a-Service (PhaaS) platform called "EvilProxy" that’s being offered on the dark web. EvilProxy is designed to target accounts on a variety of platforms, including Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo and Yandex.

Notably, EvilProxy has the ability to steal session cookies, which allows it to access accounts without needing a username, password or multifactor authentication (MFA) tokens.

"EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxifying the victim's session," the researchers write. "Previously such methods have been seen in targeted campaigns of APT and cyberespionage groups, however now these methods have been successfully productized in EvilProxy which highlights the significance of growth in attacks against online-services and MFA authorization mechanisms....

"The reverse proxy concept is simple: the bad actors lead victims into a phishing page, use the reverse proxy to fetch all the legitimate content which the user expects including login pages - it sniffs their traffic as it passes through the proxy. This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords and/or 2FA tokens."
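To make the quoted flow concrete, here is a small Python model of what the proxy does to the real service's responses and why the harvested cookie is enough on its own. This is an added example, not EvilProxy code and not from the Resecurity report; the hostnames (login.example.com and the look-alike login.examp1e.com), the cookie names and the session value are all constructed. The final function is the origin check a WebAuthn relying party performs; WebAuthn is not discussed in the article and is included only as the contrast to OTP and push codes, which pass through a proxy like any other form field.

```python
from __future__ import annotations

# Constructed hosts: the legitimate identity provider and the look-alike the
# victim is actually talking to. The proxy sits between them.
LEGIT_HOST = "login.example.com"
PHISH_HOST = "login.examp1e.com"

# Constructed reply the real service sends once the victim has typed password
# and OTP through the proxy. The session cookie is what the operator wants.
UPSTREAM_RESPONSE = {
    "status": 302,
    "headers": [
        ("Location", f"https://{LEGIT_HOST}/home"),
        ("Set-Cookie", f"sid=7f3a9c1e44d0b2; Domain={LEGIT_HOST}; Path=/; "
                       "Secure; HttpOnly; SameSite=Lax"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ],
}


def parse_set_cookie(header: str) -> tuple[str, str, list[tuple[str, str | None]]]:
    """Split 'name=value; Attr=val; Flag' into name, value and an ordered
    attribute list (flags such as Secure carry None as their value)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: list[tuple[str, str | None]] = []
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs.append((key, val if sep else None))
    return name, value, attrs


def proxy_response(upstream: dict, legit_host: str, phish_host: str,
                   loot: dict[str, str]) -> list[tuple[str, str]]:
    """What the malicious reverse proxy does to each upstream response.

    Every cookie the real site sets is copied into `loot` (the harvest), then
    the Domain attribute and any redirect are rewritten so the browser keeps
    talking to the phishing host. Everything else is passed through untouched,
    which is why the page the victim sees is the genuine login page."""
    rewritten: list[tuple[str, str]] = []
    for name, val in upstream["headers"]:
        if name.lower() == "set-cookie":
            cname, cval, attrs = parse_set_cookie(val)
            loot[cname] = cval  # harvested before the browser ever sees it
            fixed = [(k, phish_host if k.lower() == "domain" else v) for k, v in attrs]
            pieces = [f"{cname}={cval}"] + [k if v is None else f"{k}={v}" for k, v in fixed]
            rewritten.append((name, "; ".join(pieces)))
        elif name.lower() == "location":
            rewritten.append((name, val.replace(f"https://{legit_host}", f"https://{phish_host}")))
        else:
            rewritten.append((name, val))
    return rewritten


def replay_cookie_header(loot: dict[str, str]) -> str:
    """Cookie header the operator later sends straight to the real host.
    No username, password or OTP is involved: the server sees a valid session."""
    return "; ".join(f"{k}={v}" for k, v in loot.items())


def webauthn_origin_ok(client_data_origin: str, rp_origin: str) -> bool:
    """Origin check a WebAuthn relying party performs on clientDataJSON.origin.
    The browser fills that field in from the page the user is really on, so a
    proxied sign-in carries the phishing origin and the assertion is rejected.
    (Assumed contrast case; WebAuthn is not part of the article.)"""
    return client_data_origin == rp_origin


if __name__ == "__main__":
    harvested: dict[str, str] = {}
    for hdr in proxy_response(UPSTREAM_RESPONSE, LEGIT_HOST, PHISH_HOST, harvested):
        print("victim's browser receives:", hdr)
    print("operator replays:", replay_cookie_header(harvested))
    print("origin-bound credential accepted from proxy:",
          webauthn_origin_ok(f"https://{PHISH_HOST}", f"https://{LEGIT_HOST}"))
```

The point to take from the model is that a one-time code or push approval is just another request body the proxy forwards; only the session cookie that comes back matters, and it is captured before the browser stores it. A credential bound to the origin the browser is actually on does not have that property.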

EvilProxy is being offered for $400 per month and requires customers to undergo a vetting process to prevent researchers from getting their hands on it. The kit also has extensive anti-analysis features.

Resecurity adds that the platform is also very easy to use, further lowering the bar for inexperienced attackers to carry out sophisticated phishing attacks.

"The portal of EvilProxy contains multiple tutorials and interactive videos regarding the use of the service and configuration tips," the researchers write. "Being frank – the bad actors did a great job in terms of the service usability, and configurability of new campaigns, traffic flows and data collection."


Request a PhishER Demo and Get Your Free 'Gone Phishin' Hat!

Phishing is still the No. 1 attack vector. Your users are exposed to malicious email daily. They can now report those to your Incident Response (IR) team. But how to best manage your user-reported messages?

Here is what the CIO of a 500-million-dollar financial services company said:

"An excellent, cost-effective way to handle phishing. We rely on PhishER heavily to detect, investigate, and remove phishing emails efficiently and effectively. It's an excellent tool for our SOC team members. The automation has been a life saver."

Find out how to cut through your IR-inbox noise and respond to the most dangerous threats more quickly and efficiently. See how you can meet critical SLAs within your organization to process and prioritize threats and legitimate emails.

To learn how, get your 30-minute demo of PhishER, the world's most popular Security Orchestration, Automation and Response (SOAR) platform. In this live one-on-one demo, we will show you how easy it is to identify and respond to email threats faster:

  • Cut through your Incident Response inbox noise and respond to the most dangerous threats much faster. Save hundreds of hours.
  • See how PhishML™ works, machine-learning that analyzes every message ingested into PhishER and makes your "Clean, Spam or Threat" prioritization process easier, faster, and more accurate
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace.
  • NEW! Automatically flip malicious spear-phishing attacks into safe simulated phishing campaigns with PhishFlip.
  • Easy deployment of the Phish Alert Button into your users' email clients; forwarding to a mailbox works too!

See for yourself how PhishER can help you identify and respond to email threats faster.


Offer expires September 30th.

To be entered into the Free Draw: US or Canada residents only (excluding Quebec). One gift per entrant. Free Draw date: 9/30/2022. Sorry, students and professors are not eligible to win. Terms and Conditions apply.

[VIDEO] Building a Security Culture With Behavior Design

Anyone who has run security awareness programs for a while knows that changing human behavior is not an easy task. And that sometimes the problem with awareness is that "awareness" alone does not automatically result in secure behavior.

Let's look at the challenge of building a security culture through the lens of behavior design. BJ Fogg's much-quoted behavior design model neatly outlines that behavior happens when three things come together at the same time: Motivation, Ability, and a Prompt, which could be a reminder or a nudge to do the behavior.


Fogg's Behavior Model highlights three core motivators: Sensation, Anticipation and Belonging. Each of these has two sides: pleasure/pain, hope/fear, acceptance/rejection. These core motivators apply to everyone; they are central to the human experience.

Let's try to apply these to cybersecurity:

  • Tapping into people's emotions by using visually appealing content, engaging with humor and story-based techniques, and activating positive sensations.
  • Fear can be a powerful motivator too: show people what could happen. But too much of it results in apathy, and it needs to be underpinned with the message that defending yourself is simple.
  • Using the power of leadership or celebrity to tell stories and invoke a sense of belonging.
  • Making it personally relevant by providing information on how to protect kids or family members.

Caveats: Humor is a great technique to grab people's attention, evoke positive emotions and help with memory retention. However, it has to be applied carefully and with a sensitivity to the audience's cultures, else it can backfire. Also, it shouldn't be used too much, as it could result in the audience not taking the core message seriously enough.


BJ Fogg says that training people is hard work, and most people resist learning new things. That's just how we are as humans: lazy. Give someone a tool or a resource that makes the behavior easier to do. A great example is a password manager. This is a tool that takes care of desired behavior and simplifies the complexity of having to remember multiple different passwords.


The concept of a prompt goes by different names: cue, trigger, nudge, call to action, request, and so on. They all serve to remind people and tell them to "do it now." A good example is the password strength meter that reminds people to come up with a better password at the moment they create one.

When designing an awareness campaign, it's important to consider where prompts may be used. For example, in-the-moment nudges, such as when users look at emails while on the go or when they are about to send a large file to someone externally.

When it is possible to combine the three elements of motivation, ability and prompts, changing behavior is a much more likely outcome than just spreading awareness content and hoping for a result.

Stay up to date on the rest of this evangelist series to help keep you and your users safe during Cybersecurity Awareness Month and beyond!


Combatting Rogue URL Tricks: Quickly Identify and Investigate the Latest Phishing Attacks

Everyone knows you shouldn't click phishy links. But are your end users prepared to quickly identify the trickiest tactics bad actors use before it's too late? Probably not.

Cybercriminals have moved beyond simple bait and switch domains. They're now employing a variety of advanced social engineering techniques, like sneaky rogue URLs, to entice your users into clicking and putting your network at risk.

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, for this webinar as he shows you how to become an expert phish finder. He'll dive deep into the latest techniques and defenses to share:

  • Real-life examples of advanced attacks using rogue digital certificates, homograph attacks and more
  • Safe forensic methods for examining URLs and other tactics for investigating phishy emails
  • Strategies for dissecting URLs on mobile without clicking
  • Simple ways you can train your users to scrutinize URLs and keep your network safe

Find out what you need to know to keep your network protected and safe from the latest phishing attacks and earn CPE for attending!

Date/Time: TOMORROW, September 14 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!

REvil Springs Back to Life and Hits a Fortune 500 Company

The previously thought-defunct cybercriminal gang appears not only to have reopened for business but to have re-established itself as a major threat by touting roughly 400 GB of stolen data.

Normally when a ransomware gang shuts down, we tend to assume they're just going dark to reinvent themselves as a new group. And when the gang is arrested and their assets confiscated, one assumes they're gone for good. But in the case of REvil, it appears that they are back for more… and are, unfortunately, off to a maliciously good start.

According to a recent Twitter post from vx-underground, REvil is claiming responsibility for an attack on Midea Group, a $50 billion electrical appliance manufacturer.

One of the screenshots captured by vx-underground shows a total of 373 GB of data stolen from Midea Group, putting this organization at risk of reputation damage, intellectual property theft, and more.

Historically, REvil has leveraged vulnerabilities, RDP, and phishing as initial attack vectors, making it imperative that organizations perform vulnerability management scans, lock down (or eliminate entirely) RDP, and implement security awareness training to reduce the risk of phishing attacks being successful.


Striving for 100% Completion Rates: Getting Compliance on Your Compliance Training

You might think 100% completion rates on any employee training sounds too good to be true. But, getting compliance on your compliance training is possible!

Organizations have struggled for years with getting everyone to complete their required compliance training. This puts organizations at risk of more incidents occurring, fines or reputational damage if an employee is non-compliant.

Join John Just Ed.D., KnowBe4's Chief Learning Officer, as he shares best practices collected from working with numerous customers that are achieving 100% compliance completion rates with their training campaigns.

John will show you:

  • Common challenges including how to address a lack of buy-in from leadership
  • Why training content that fits your organization's culture is critical for success
  • Five best practices to get your organization closer to 100% completion rates

KnowBe4 has been using these tips to help customers and other e-learning companies run successful compliance training programs for years. Let us help you develop a stronger culture of compliance at your organization and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, September 14 @ 1:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [INFOGRAPHIC] Ranked: The Top Cyberattacks Against Businesses:

PPS: [Great WSJ Budget Ammo]: "How Leaders Can Create a Cybersecure Workplace Culture":

Quotes of the Week  
"Each day is a new beginning, I know that the only way to live my life is to try to do what is right, to take the long view, to give of my best in all that the day brings..."
- Her Majesty Queen Elizabeth II (1926 - 2022)

"Giant leaps often start with small steps."
- Her Majesty Queen Elizabeth II (1926 - 2022)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Iranian Spear Phishing Operations

Researchers at Mandiant have outlined the activities of APT42, a threat actor associated with the Intelligence Organization of Iran's Islamic Revolutionary Guard Corps (IRGC). The threat actor uses spear phishing to harvest victims' credentials.

"APT42 frequently targets corporate and personal email accounts through highly targeted spear-phishing campaigns with enhanced emphasis on building trust and rapport with the target before attempting to steal their credentials," the researchers write.

"Mandiant also has indications that the group leverages credential harvesting to collect Multi-Factor Authentication (MFA) codes to bypass authentication methods and has used compromised credentials to pursue access to the networks, devices, and accounts of employers, colleagues, and relatives of the initial victim." After compromising victims' accounts, APT42 exfiltrates information or installs malware.

"Active since at least 2015, APT42 is characterized by highly targeted spear phishing and surveillance operations against individuals and organizations of strategic interest to Iran," the researchers write.

Cyberespionage is a threat to companies and organizations of all kinds, not just to government agencies. Social engineering has been part of espionage tradecraft since long before cyberspace was even imagined, and now it's been transposed to this new domain. New-school security awareness training can enable your employees to thwart targeted social engineering attacks.


Spear Phishing Campaign Targets African Countries

Researchers at Check Point have discovered a spear phishing campaign dubbed "DangerousSavanna" that's targeting financial entities in at least five African countries.

The campaign has been running for at least two years and has targeted organizations in Ivory Coast, Morocco, Cameroon, Senegal and Togo. The researchers believe the campaign is financially motivated. "DangerousSavanna targets medium or large finance-related enterprises which operate across multiple African countries," the researchers write.

"The companies that belong to these financial groups provide a wide range of banking products and services, and include not only banks but also insurance companies, microfinancing companies, financial holding companies, financial management companies, financial advisory services, etc.

"Despite the relatively low complexity of their tools, we observed the signs that might point out that the attackers managed to infect some of their targets. This was most likely due to the actors' persistent attempts at infiltration. If one infection chain didn't work out, they changed the attachment and the lure and tried targeting the same company again and again trying to find an entry point.

"With social engineering via spear-phishing, all it takes is one incautious click by an unsuspecting user. The phishing emails are written in French, the primary or official language of the targeted countries."


What KnowBe4 Customers Say

"I spoke a couple of days ago to James B. who is the security awareness manager at a customer.

"When I asked him about why he uses KnowBe4 he said that first and foremost the product is amazing and totally flexible to their needs. As an example, in October, they do a phishing competition where people opt in to receive more simulated phishing throughout the month and score points.

"He said this is only possible for them to do due to the smart groups feature - and it allows them to capture all the people who want to partake, set up the group and campaign and forget about it until the end of the month and just review the results.

"He was also extremely complimentary about our culture and team. He said Donne W. is his CSM and compared to others, she 'actually listens' and actively helps out. He also said that our evangelists are brilliant, particularly Anna, who they have had speak at some of their Africa events. He said she's an absolute rockstar and they feel lucky to be able to access her knowledge and expertise."

- Javvad Malik, KnowBe4 Lead Security Awareness Advocate

The 10 Interesting News Items This Week
  1. Ransomware, nation-state attacks top Federal Reserve's IT security concerns for banks:

  2. Feds claw back $30 million of cryptocurrency stolen by North Korean hackers:

  3. [Man Bites Dog] China Accuses NSA of Hacking Its Military Research University:

  4. Google: Former Conti cybercrime gang members now targeting Ukraine:

  5. Hackers Honeytrap Russian Troops Into Sharing Location, Base Bombed:

  6. Mysterious 'Worok' Group Launches Spy Effort With Obfuscated Code, Private Tools:

  7. U.S. Agencies Warn of 'Vice Society' Ransomware Gang Targeting Education Sector:

  8. Paralyzed French hospital fights cyber attack as hackers lower ransom demand:

  9. Mandiant links APT42 to Iranian 'terrorist org':

  10. Classified NATO documents stolen from Portugal, now sold on darkweb:
