VoidProxy, A Hacker Assistant, Targets Microsoft and Google Accounts on Demand
Okta has discovered a new phishing-as-a-service operation that has already claimed victims in ‘multiple entities’.
Security researchers have found that attackers using a new phishing service called VoidProxy have stolen user credentials, multi-factor authentication codes, and session tokens in real time by targeting Microsoft and Google accounts.

The ongoing attacks were discovered by Okta Threat Intelligence, which also told The Register that VoidProxy is being used by a number of different criminals and cybercrime groups. The company has published a detailed report outlining its findings.
In an email reply to The Register’s inquiries, the threat hunters stated, “We have observed the targeting of multiple industries across multiple geographies, each of which reflects the priorities of the individual customer” of the phishing-as-a-service operation.
The Register was told that the phishes target any Google and Microsoft accounts, regardless of company size. Although Okta did not have a verified victim count, the threat intelligence team said that “we have observed high-confidence account takeovers in multiple entities.” “By extension, we expect Microsoft and Google will have seen a larger number of ATO events, given that VoidProxy proxies non-federated users directly with Microsoft and Google servers.”
“We create robust defenses to protect users from these kinds of attacks, especially defenses against domain spoofing, phishing links, and compromised senders, because we frequently see new phishing campaigns like this pop up,” a Google representative told The Register. “As an effective defense against phishing, we also concur with the report’s recommendation that users implement passkeys.”
Google refused to respond to specific inquiries from The Register, such as the number of account takeovers it had witnessed. Microsoft chose not to respond.
Although Okta said the attacks started in January, the researchers have connected these phishing attempts to dark web advertisements for VoidProxy dating back to August 2024.
The threat intelligence team said by email, “The activity is ongoing. We are detecting new infrastructure and generating alerts for customers on a daily basis.”
The attacks operate as follows. First, the attackers send phishing lures from legitimate but compromised email accounts at companies such as Constant Contact, ActiveCampaign (Postmark app), NotifyVisitors, and others.
These emails contain a link through a URL shortening service (such as TinyURL) that sends the recipient through several redirects before they reach the initial phishing site. The phishing sites are hosted on inexpensive domains such as .icu, .sbs, .cfd, .xyz, .top, and .home, and sit behind Cloudflare, which conceals the true IP address and makes it harder for network defenders to take down the host.
After the victim completes a Cloudflare CAPTCHA challenge, which verifies that they are a human rather than a bot, they are directed to the phishing site, which closely resembles the sign-in page for a Google or Microsoft account. The service also redirects accounts protected by third-party single sign-on (SSO) providers, such as Okta.
Attacker-in-the-Middle
Because the page appears entirely legitimate, the user enters their login information. That information is sent not to their real Microsoft or Google account but to VoidProxy’s attacker-in-the-middle (AiTM) proxy server, where the AiTM attack is executed.
“It’s here that the sophisticated, multi-layered nature of VoidProxy comes into play,” according to the report.
AiTM attacks occur when criminals surreptitiously place themselves between two parties, such as a user and a website, to eavesdrop on communications, alter data in transit, or intercept banking and login information.
During this phase of the attack, the main proxy server, which is hosted on ephemeral infrastructure, intercepts private data, including usernames, passwords, and MFA responses, and forwards it to the genuine Microsoft, Google, and Okta services. Once those services have validated and authenticated the user’s information, they issue a session cookie, which the proxy server likewise intercepts.

“A copy of the cookie is exfiltrated and made available to the attacker via their admin panel,” according to the report. “The attacker is now in possession of a valid session cookie and can access the victim’s account.”
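The cookie-forwarding step described above is also what a defender can look for in identity-provider logs. The following Go program is an added example written for this article, not code from the Okta report or from VoidProxy. It runs two checks over a constructed audit log (the field names, users, IP addresses and ASNs are all invented): a session minted from a network the user has never signed in from, which is what an AiTM proxy authenticating on the victim’s behalf looks like to the provider, and a session cookie that is then used from a different network or browser than the one it was issued to.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is one line of a constructed identity-provider audit log; the field names are
// invented for this example and follow no vendor's schema.
type Event struct {
	Time      time.Time `json:"time"`
	Event     string    `json:"event"` // "session.issued" or "session.used"
	User      string    `json:"user"`
	SessionID string    `json:"session_id"`
	IP        string    `json:"ip"`
	ASN       string    `json:"asn"`
	UserAgent string    `json:"user_agent"`
}

// Alert is one finding: "unfamiliar-network" (session minted from a network the user never
// signs in from, which is what an AiTM proxy authenticating on their behalf looks like) or
// "session-replay" (cookie used from a different network or browser than it was issued to).
type Alert struct {
	Kind, User, SessionID, IssuedIP, UsedIP string
	Delta                                    time.Duration
}

// SampleLog is constructed input: alice is the AiTM victim, bob and carol are benign.
const SampleLog = `
{"time":"2025-09-12T09:00:00Z","event":"session.issued","user":"alice@example.com","session_id":"S-1","ip":"203.0.113.10","asn":"AS64500","user_agent":"UA-chrome-win"}
{"time":"2025-09-12T09:02:30Z","event":"session.used","user":"alice@example.com","session_id":"S-1","ip":"198.51.100.7","asn":"AS64501","user_agent":"UA-chrome-linux"}
{"time":"2025-09-12T09:05:00Z","event":"session.issued","user":"bob@example.com","session_id":"S-2","ip":"192.0.2.44","asn":"AS64502","user_agent":"UA-safari-mac"}
{"time":"2025-09-12T09:06:00Z","event":"session.used","user":"bob@example.com","session_id":"S-2","ip":"192.0.2.44","asn":"AS64502","user_agent":"UA-safari-mac"}
{"time":"2025-09-12T09:10:00Z","event":"session.issued","user":"carol@example.com","session_id":"S-3","ip":"192.0.2.80","asn":"AS64502","user_agent":"UA-chrome-android"}
{"time":"2025-09-12T09:40:00Z","event":"session.used","user":"carol@example.com","session_id":"S-3","ip":"192.0.2.91","asn":"AS64502","user_agent":"UA-chrome-android"}
`

// UserBaseline is a constructed map of the ASNs each user normally signs in from.
var UserBaseline = map[string]map[string]bool{
	"alice@example.com": {"AS64502": true},
	"bob@example.com":   {"AS64502": true},
	"carol@example.com": {"AS64502": true},
}

// ParseLog reads newline-delimited JSON events, skipping blank lines.
func ParseLog(raw string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		events = append(events, e)
	}
	return events, sc.Err()
}

// DetectSessionAnomalies applies both rules; window bounds how long after issuance a use from
// elsewhere is still attributed to that sign-in. ASN rather than raw IP is compared so that
// ordinary address churn inside one network (carol) does not fire.
func DetectSessionAnomalies(events []Event, baseline map[string]map[string]bool, window time.Duration) []Alert {
	issued := map[string]Event{}
	var alerts []Alert
	for _, e := range events {
		switch e.Event {
		case "session.issued":
			issued[e.SessionID] = e
			if !baseline[e.User][e.ASN] {
				alerts = append(alerts, Alert{Kind: "unfamiliar-network", User: e.User, SessionID: e.SessionID, IssuedIP: e.IP})
			}
		case "session.used":
			src, ok := issued[e.SessionID]
			if !ok {
				continue // issuance is outside this log slice
			}
			delta := e.Time.Sub(src.Time)
			if delta <= window && (e.ASN != src.ASN || e.UserAgent != src.UserAgent) {
				alerts = append(alerts, Alert{Kind: "session-replay", User: e.User, SessionID: e.SessionID, IssuedIP: src.IP, UsedIP: e.IP, Delta: delta})
			}
		}
	}
	return alerts
}

// Run parses the constructed log and returns the findings in log order.
func Run() ([]Alert, error) {
	events, err := ParseLog(SampleLog)
	if err != nil {
		return nil, err
	}
	return DetectSessionAnomalies(events, UserBaseline, time.Hour), nil
}
```

On the constructed log, `Run` returns two alerts, both for alice: her session was issued from an ASN outside her baseline (the proxy’s ephemeral host) and was then used two and a half minutes later from yet another network and browser. Real provider logs carry these fields under vendor-specific names, and the baseline would be learned from history rather than hard-coded, but the two signals are the ones that survive an AiTM proxy: the proxy cannot make its own network look like the victim’s, and the stolen cookie is almost always replayed from somewhere else.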
VoidProxy sells all of these capabilities to other crooks through its phishing-as-a-service business.
Customers (that is, the criminals) are given access to a fully functional administrative panel that lets them oversee and manage their phishing campaigns. A per-campaign dashboard shows the number of credentials and cookies stolen each day, and country maps display the victim counts and stolen data by region.
To avoid falling victim to VoidProxy attacks, Okta advises enforcing phishing resistance in policy, using FIDO2 WebAuthn (passkeys and security keys), and enrolling in strong authenticators such as Okta FastPass.
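Why passkeys defeat an AiTM proxy is worth seeing concretely. The Go program below is an added example written for this article, not code from Okta, Google, Microsoft or any WebAuthn library; it simulates a simplified WebAuthn assertion with a real P-256 key. The relying-party identity (accounts.example.com) and the look-alike origin (accounts-example.icu) are constructed for the example. It shows the two properties that matter: a browser only offers a credential whose rpId matches the page’s host, and even if an assertion were produced on a proxied page, the browser writes that page’s origin into the signed clientDataJSON, so the relying party rejects it although the signature itself is valid.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed relying-party (RP) identity and a constructed look-alike origin of the
// kind VoidProxy serves; neither is a real site.
const (
	RPID        = "accounts.example.com"
	RPOrigin    = "https://accounts.example.com"
	PhishOrigin = "https://accounts-example.icu"
)

// ClientData holds the CollectedClientData fields that matter for this check.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is a simplified WebAuthn authentication response.
type Assertion struct {
	AuthData       []byte // rpIdHash (32 bytes) || flags || signCount
	ClientDataJSON []byte
	Signature      []byte // DER-encoded ECDSA (ES256), as real authenticators produce
}

// BrowserAllowsCredential is the first line of defence: a browser only lets a page use
// credentials whose rpId equals the page's host or is a registrable suffix of it.
func BrowserAllowsCredential(rpID, pageOrigin string) bool {
	host := strings.TrimPrefix(pageOrigin, "https://")
	return host == rpID || strings.HasSuffix(host, "."+rpID)
}

// authenticatorData is rpIdHash || flags (UP|UV) || signCount, simplified.
func authenticatorData(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(append([]byte{}, h[:]...), 0x05, 0, 0, 0, 1)
}

// signedMessage is what ES256 signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// Sign models the browser plus authenticator. The browser, not the page, writes the origin
// into clientDataJSON, so a page served by a proxy is recorded under the proxy's own origin.
func Sign(priv *ecdsa.PrivateKey, rpID, pageOrigin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return Assertion{}, err
	}
	ad := authenticatorData(rpID)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: ad, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the relying-party side: type, challenge, origin and rpIdHash are checked before
// the signature, so a relayed assertion fails even though its signature is valid.
func Verify(pub *ecdsa.PublicKey, a Assertion, challenge string) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("type or challenge mismatch")
	}
	if cd.Origin != RPOrigin {
		return fmt.Errorf("origin %q is not the RP origin %q", cd.Origin, RPOrigin)
	}
	if want := sha256.Sum256([]byte(RPID)); len(a.AuthData) < 32 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Demo registers a fresh P-256 key, then reports whether a genuine assertion and a proxied
// one (same key, same challenge, but signed on the phishing origin) pass verification.
func Demo() (genuineOK, proxiedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	const challenge = "constructed-challenge-0001"
	genuine, err1 := Sign(priv, RPID, RPOrigin, challenge)
	proxied, err2 := Sign(priv, RPID, PhishOrigin, challenge)
	if err1 != nil || err2 != nil {
		return false, false, fmt.Errorf("sign failed: %v %v", err1, err2)
	}
	return Verify(&priv.PublicKey, genuine, challenge) == nil, Verify(&priv.PublicKey, proxied, challenge) == nil, nil
}
```

`Demo` returns true for the genuine assertion and false for the proxied one, and `BrowserAllowsCredential(RPID, PhishOrigin)` is false, which is why in practice the authenticator is never even invoked on the look-alike page. Contrast this with a password or a TOTP code, which carry no binding to the origin they were typed into and so pass through a proxy unchanged; that difference, not the strength of the second factor, is what Okta’s recommendation of FIDO2 WebAuthn rests on.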
Additionally, the authors of the report urge industry partners such as Google and Microsoft “to continue promoting and standing up for industry standards like Interoperability Profile for Secure Identity in the Enterprise (IPSIE).”
“A consistent adherence to these standards could, for example, ensure impacted parties can sign a user out of both their device and all their browser apps in real-time whenever a user interacts with known malicious infrastructure,” the threat intelligence team told News4Hackers.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.