One of the biggest challenges for cybercriminals is how to defeat multifactor authentication (MFA). New research has uncovered a criminal service called “EvilProxy” that steals session cookies to bypass MFA and compromise accounts.
EvilProxy appeared in early May and has been used in attacks “against multiple employees from Fortune 500 companies,” says Gene Yoo, CEO of Resecurity, a Los Angeles-based security consultancy. It undermines MFA, which is considered the gold standard for protecting accounts from takeover, he says.
EvilProxy uses a technique called session hijacking that has been employed before by nation-states and cyberespionage groups. The attack involves stealing a session cookie. A session cookie is a small piece of data stored by the web browser that tells a particular service the user has already been authenticated.
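To make the session-cookie point concrete, here is an added example (not from the article, Resecurity, or any of the services named) of a server-side check that binds an MFA-verified session to the client attributes seen at login and flags the cookie when it is later presented from a different client context, which is what a replayed stolen cookie looks like. The in-memory store, the fingerprint fields and the sample addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side record of an authenticated session (hypothetical store)."""
    user: str
    fingerprint: str           # hash of client attributes captured at login
    mfa_verified: bool
    alerts: list = field(default_factory=list)


# In-memory store for the example; a real service would use a database or cache.
SESSIONS: dict[str, Session] = {}


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash the client attributes the server observes on every request."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def login(user: str, ip: str, user_agent: str) -> str:
    """Issue a session cookie once MFA has succeeded and bind it to the client."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = Session(user, client_fingerprint(ip, user_agent), True)
    return cookie


def authorize(cookie: str, ip: str, user_agent: str) -> str:
    """Check a presented cookie: returns 'ok', 'unknown' or 'hijack-suspected'."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "unknown"
    if not hmac.compare_digest(client_fingerprint(ip, user_agent), session.fingerprint):
        # Same cookie, different client context: the pattern a replayed stolen
        # cookie produces. Revoke the session and record an alert for the SOC.
        session.alerts.append(f"session for {session.user} replayed from {ip}")
        del SESSIONS[cookie]
        return "hijack-suspected"
    return "ok"


if __name__ == "__main__":
    # Constructed scenario: the victim signs in, then the same cookie arrives from elsewhere.
    c = login("alice", "198.51.100.10", "Mozilla/5.0 (Windows NT 10.0)")
    print(authorize(c, "198.51.100.10", "Mozilla/5.0 (Windows NT 10.0)"))  # ok
    print(authorize(c, "203.0.113.5", "Mozilla/5.0 (X11; Linux)"))        # hijack-suspected
    print(authorize(c, "198.51.100.10", "Mozilla/5.0 (Windows NT 10.0)"))  # unknown (revoked)
```

Binding to the source address alone produces false positives for mobile and NAT'd users, so production systems combine several signals and step up to re-authentication rather than hard-revoking on the first mismatch.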
EvilProxy is already being successfully used against users of services including Apple, Microsoft and GitHub. It can also be configured to target other services including Google, Apple’s iCloud, Dropbox, LinkedIn, Yandex, Facebook, Twitter, Yahoo and WordPress. It is also capable of targeting users of services that are players in the software supply chain, including GitHub, the Python Package Index, RubyGems and NPM, a JavaScript package manager.