Security researchers at Okta have published a detailed analysis of a new phishing-as-a-service (PhaaS) operation, which has been dubbed VoidProxy.
VoidProxy offers ready-made phishing kits that let customers with no technical expertise send out hundreds or even thousands of phishing emails.
The phishing kits are designed not only to steal credentials but also to intercept MFA codes and session tokens. This is known as an ‘Adversary-in-the-Middle’ (AitM) campaign.
Okta’s analysis found that traditional one-time codes sent via SMS or authenticator apps could be stolen and replayed by the platform.
However, phishing-resistant authenticators, such as FIDO2 security keys, were able to successfully block VoidProxy attempts.
“VoidProxy is a sophisticated and highly evasive Phishing-as-a-Service (PhaaS) platform that bypasses MFA using Adversary-in-the-Middle (AiTM) techniques and has been targeting multiple industries globally,” said Okta Senior Identity Security Engineer Houssem Eddine Bordjiba on LinkedIn.
How VoidProxy works
PhaaS groups like VoidProxy typically offer paid subscription services. Key features usually include the ability to evade spam filters and high levels of email deliverability.
Okta first detected VoidProxy’s campaigns inside customer environments where Okta’s software can detect and alert on phishing attacks.
VoidProxy’s phishing emails are sent from compromised accounts at legitimate email service providers like Constant Contact, NotifyVisitors and Active Campaign, which means they are more likely to bypass spam filters.
They use low-cost domains, such as .home and .xyz, which can easily be rotated if they are blacklisted. The sites sit behind Cloudflare, which hides their IP address and makes it difficult to take down the malicious host.
When a user clicks the malicious link in the email, the user is first presented with a CAPTCHA challenge to determine whether the request comes from a human. The user is then directed to a phishing page that looks identical to a real Microsoft or Google login page.
The credentials entered on that page are then sent to VoidProxy’s AitM proxy server, which captures them and relays them to the legitimate Microsoft services.
“The server acts as a reverse proxy to capture and relay information — including usernames, passwords, and MFA responses — to legitimate services like Microsoft, Google, and Okta,” Okta said.
“When the legitimate service validates the authentication and issues a session cookie, the VoidProxy proxy server intercepts it. A copy of the cookie is exfiltrated and made available to the attacker via their admin panel. The attacker is now in possession of a valid session cookie and can access the victim’s account.”
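The stolen session cookie described above is only useful to the attacker if the service accepts it from a different network and client than the one it was issued to. The following is an added detection example, not Okta’s code or anything from the VoidProxy analysis; it runs over a constructed sample of identity-provider log events (field names such as `sid`, `asn` and `ua` are assumptions) and flags sessions that are used from a network and browser that differ from those present when the cookie was issued.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of IdP session events (not real data). In an AitM
# flow the cookie is issued to the proxy and later replayed by the
# attacker, so the network and client at "used" time differ from the
# ones at "issued" time. Bob's session changes IP only (same ASN and
# browser), which is ordinary roaming and should not be flagged.
SAMPLE_LOG = """\
{"ts":"2025-09-12T09:00:10Z","event":"session.issued","user":"alice","sid":"s-1001","ip":"203.0.113.10","asn":"AS64500","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/128"}
{"ts":"2025-09-12T09:03:41Z","event":"session.used","user":"alice","sid":"s-1001","ip":"198.51.100.77","asn":"AS64510","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/129"}
{"ts":"2025-09-12T09:05:00Z","event":"session.used","user":"alice","sid":"s-1001","ip":"203.0.113.10","asn":"AS64500","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/128"}
{"ts":"2025-09-12T10:15:00Z","event":"session.issued","user":"bob","sid":"s-2002","ip":"192.0.2.5","asn":"AS64520","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2025-09-12T10:20:00Z","event":"session.used","user":"bob","sid":"s-2002","ip":"192.0.2.5","asn":"AS64520","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2025-09-12T10:40:00Z","event":"session.used","user":"bob","sid":"s-2002","ip":"192.0.2.99","asn":"AS64520","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=timedelta(minutes=30)):
    """Return findings for session.used events whose network (ASN) or
    client (user agent) differs from the session.issued event that
    created the cookie. Both changing within `window` is rated high."""
    issued = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "session.issued":
            issued[ev["sid"]] = ev
            continue
        if ev["event"] != "session.used":
            continue
        origin = issued.get(ev["sid"])
        if origin is None:
            # A cookie we never saw issued: worth a look on its own.
            findings.append({"sid": ev["sid"], "user": ev["user"], "ts": ev["ts"],
                             "severity": "medium", "reasons": ["no issuance event in log"]})
            continue
        reasons = []
        if ev["asn"] != origin["asn"]:
            reasons.append(f"asn {origin['asn']} -> {ev['asn']}")
        if ev["ua"] != origin["ua"]:
            reasons.append("user agent changed since issuance")
        if not reasons:
            continue
        age = _ts(ev["ts"]) - _ts(origin["ts"])
        severity = "high" if len(reasons) == 2 and age <= window else "medium"
        findings.append({"sid": ev["sid"], "user": ev["user"], "ts": ev["ts"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_session_replays(parse_events(SAMPLE_LOG)):
        print(f["severity"], f["user"], f["sid"], f["ts"], "; ".join(f["reasons"]))
```

Because in an AitM flow the issuing request itself comes from the proxy rather than from the victim's device, comparing each use against the user's historical device and network baseline is a stronger signal than comparing against the issuance event alone; the rule above is the minimum that catches the cookie being carried to a second machine.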
Users who had phishing-resistant authentication in place, like Okta’s FastPass solution, were protected from the attack, since their credentials could not be handed over to the phishing page. These users were warned that their accounts were under attack.
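The reason FIDO2 keys and similar phishing-resistant authenticators hold up where one-time codes do not is origin binding: the browser records the origin it is actually on inside the signed WebAuthn client data, and the relying party rejects any assertion whose origin is not its own. The example below is added here to illustrate that check; it is not Okta’s or any vendor’s code. It simulates the authenticator and relying party in a few lines, with an HMAC over the signed data standing in for the real ECDSA credential signature and a made-up relying party `login.example-corp.test`, and contrasts it with an OTP check that has no origin to verify.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed relying party (constructed). A real RP would load these from config.
RP_ID = "login.example-corp.test"
ALLOWED_ORIGINS = {"https://login.example-corp.test"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_get_assertion(cred_secret, rp_id, challenge, browser_origin):
    """Simulated browser + authenticator. The browser, not the page's
    JavaScript, fills in `origin` from the URL it is really showing.
    (A real browser would also refuse an rp_id that is not a suffix of
    that origin; we skip that so the RP-side check is what decides.)"""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge),
                   "origin": browser_origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    # authenticatorData: sha256(rpId) || flags (UP set) || 32-bit counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    # HMAC stands in for the private-key signature; the RP verifies with
    # the same secret here instead of a stored public key.
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data_json, "authenticatorData": auth_data, "signature": sig}


def relying_party_verify(cred_secret, expected_challenge, assertion):
    """The checks an RP performs on a WebAuthn assertion, in order."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    """User is on the real site: origin matches, assertion accepted."""
    cred, challenge = secrets.token_bytes(32), secrets.token_bytes(32)
    assertion = authenticator_get_assertion(cred, RP_ID, challenge, "https://login.example-corp.test")
    return relying_party_verify(cred, challenge, assertion)


def login_relayed_via_lookalike(lookalike_origin="https://login.example-corp.test.lookalike.test"):
    """Same user, same key, same RP-issued challenge, but the browser is
    on a lookalike page, so the signed origin is wrong and the RP refuses."""
    cred, challenge = secrets.token_bytes(32), secrets.token_bytes(32)
    assertion = authenticator_get_assertion(cred, RP_ID, challenge, lookalike_origin)
    return relying_party_verify(cred, challenge, assertion)


def otp_verify(expected_code, submitted_code):
    """An OTP carries no origin: the RP can only compare the digits, so a
    code typed into any page verifies the same way."""
    return hmac.compare_digest(expected_code, submitted_code)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("via lookalike:", login_relayed_via_lookalike())
    print("otp, origin unknown to RP:", otp_verify("482913", "482913"))
```

The origin check is the one that fails for a relayed login; the challenge, rpIdHash and signature are all valid, because nothing in that data was forged. That is exactly why a kit that can replay OTP digits cannot replay a WebAuthn assertion.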
The Big Picture
Phishing-as-a-service has become a major threat in the cybersecurity space, with gangs like VoidProxy responsible for potentially millions of phishing emails and thousands of compromised credentials.
Just this week, Microsoft announced it had seriously disrupted a similar gang, RaccoonO365, which operated a very popular phishing kit service.
Organizations should seek to implement proactive security controls to stay protected against phishing campaigns.
Expert Insights recommends robust email security, user awareness training and phishing-resistant user authentication as an effective first layer of defense against sophisticated phishing attacks.