Researchers have discovered a new Phishing-as-a-Service (PhaaS) called EvilProxy—advertised in dark web forums—that let threat actors bypass MFA.

EvilProxy eyes victims everywhere

Threat actors employ reverse proxy and cookie injection methods to circumvent 2FA.
  • EvilProxy has been initially identified in connection to attacks against Google and MSFT customers—who have MFA enabled on their accounts—through SMS or application tokens.
  • The threat actors aim to compromise consumer accounts belonging to Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, and Yandex.
  • They, moreover, conduct phishing attacks against PyPi, GitHub, and npmjs and target software developers and IT engineers to gain access to their repositories. The end goal is to hack downstream targets.

The phishing kit is available for $400 per month.

PhaaS details

The PhaaS is offered on a subscription basis. 
  • The service is represented in all dark web forums, including XSS, Exploit, and Breached.
  • The payment for the service is organized manually via an operator on Telegram.
  • Once the subscription funds are received, they get deposited to the account in the customer portal hosted in TOR.


The appearance of malicious services on the dark web is anticipated to result in a significant increase in cyberattacks targeting end users' identities. Services like EvilProxy that can bypass MFA, and are also cost-effective and offer scalability to threat actors, should be brought down immediately.
Cyware Publisher