WARNING: A Cookie Monster can trick multi-factor authentication

Cookie Monster

There is a new breed of cookie monster on the loose. It is neither cute nor friendly, much like the blue creature from Sesame Street. It roams the internet to steal session cookies and gain access to your account. If it breaches your account, it can cause financial or corporate havoc. It’s also available as a subscription service called EvilProxy for cybercriminals who want to bypass multifactor authentication (MFA).

Multifactor authentication has been praised by banks, tech giants, and cybersecurity companies for years as a powerful barrier to identity theft and illegal access to online accounts. Microsoft claimed that MFA could block 99.9% automated attacks. Google, however, reported that just the deployment of the lowest-tier MFA variant (two factor authentication, 2FA ) decreased account compromises by 50%.

Unfortunately, the arms race between cybersecurity defenders and attackers is rarely a win-win situation. Cybercriminals are also increasing their arsenals while IT security companies are strengthening their defenses. EvilProxy is one such tool. It steals and repurposes the valid session cookies of authorised users to undermine multifactor authentication. EvilProxy is able to trick websites and online applications into thinking that cybercriminals have been authenticated. This opens the door for cyber chaos.

These are the key takeaways from this disturbing news: MFA is a best practice and is a reliable security measure. However, it is not bulletproof. Cybercriminals will continue to try to sidestep advancements in cybersecurity. EvilProxy (also known as Moloch in some circles) represents the market version (i.e., phishing-as-a-service) of a powerful cyber-espionage tool primarily used by state-sanctioned actors Phishing, even in its most advanced forms like EvilProxy, always targets vulnerabilities of human beings to succeed. To fight EvilProxy, you must maintain vigilance and be aware of IT security.


  • Cookies are small pieces of data that are stored in the cache of a web browser. They are used by websites and online apps for various purposes, such as navigational aid and enhancements to customer experience/site usability. Authentication/session cookies are created when a user successfully logs into an online resource such as a website or application.
  • Passing-the-cookie is the act of stealing session cookies – also known access tokens or authentication cookies – and injecting them to a new session to fool the target website or application into believing that the hacker (the user in this instance) is legitimate.
  • Reverse proxy is a server placed in front of a website server. It intercepts client requests and ensures that the web server does not communicate directly with clients.


Back to basics: What is MFA?

Multi-factor authentication (MFA), a method of account security, requires that users prove their identity using multiple types (factors) of evidence. These factors could include:

  1. Users know something such as a pin or password.
  2. They own or control something, such as an ATM card (or a physical security code like Google’s Titan).
  3. A unique characteristic about a user (e.g. voice, fingerprints, face, retina scans, and other biometric data)
  4. A random generated code by the authentication mechanism that is sent to the request user only with a limited validity, such as OTPs (one time passwords) or session codes.
  5. This is information that confirms the user’s legal connection to a recognized entity (e.g. an organisation or business unit). It may include the user’s current location, use of a specific WiFi network or their use of it.

MFAs protect legitimate users’ identity, financial assets, and IP. Multi-factor authentication is considered to be the best in user account security. MFA should not be viewed as foolproof security. Pass-the-cookie malware, such as EvilProxy’s predecessors, have had alarming success bypassing MFA checkpoints.

How can EvilProxy bypass MFA

EvilProxy employs a combination common to cybercrime tactics to bypass multifactor authentication:

  1. Phishing
  2. Pass-the-cookie attack
  3. Man in the middle (MitM).
  4. Reverse proxy setup: malicious server hosting an espion website

An EvilProxy threat actor uses a sophisticated form phishing that was previously only used for state-sanctioned cyber spying activities. This phishing operation employs man-in the-middle (or pass-the–cookie) tactics. This is a reverse proxy setup that involves a malicious server hosting a spoofed website. The malicious server a) pretends to be the target online resource/website and b) places itself in the middle of the legitimate website/resource and its legitimate visitors.

These are the key steps that EvilProxy uses to undermine multifactor authentication’s security checks.

  1. Threat actors place their phishing tool (the proxy service and spoofed site) between legitimate users, and the target website/online app.
  2. The threat actors lead victims into the spoofed website which masquerades as the target online resource/application.
  3. Using reverse proxy communication, the spoofed site fetches and displays all relevant content from the real online resource/application, including login data capture fields.
  4. The user thinks they have accessed a legitimate website and provides login credentials for the fake site.
  5. The proxy server intercepts the encrypted login credentials and forwards them to the actual website/online resource.
  6. When the online resource’s MFA system validates the login, the session cookie is generated. This includes the password and passcode sent to the registered mobile device.
  7. Proxy server/phishing site intercepts and harvests session cookies.
  8. Threat actors create a separate session with the target website/online resource, and inject valid session cookies (regarding passes the cookie), to bypass MFA checks. Often, this is limited to 2FA.
  9. As a verified user, threat actors are now able to enter the target network and attack it. Financial theft is likely to occur if the target online resource happens to be a bank. Even worse results can be possible if the victim has network admin credentials.


What should you do to help your company combat EvilProxy

EvilProxy’s sophisticated tactics were previously limited to powerful, state-sponsored groups and entities capable of carrying out advanced persistent threat (APT), and cyber espionage operations. However, LA-based IT security firm Resecurity discovered that EvilProxy’s criminal gang offered it as a subscription on the dark internet (reportedly at US$400/month). This allows any bad actor to scale up their criminal hacking activities, causing significant financial and business damage.

These are ways that your organization can combat this emerging threat.

  1. The US Cybersecurity and Infrastructure Security Agency ( CISA) recommends that organisations provide IT Security Awareness Training to end-users. Bad actors are almost always able to launch breaches using social engineering and other phishing techniques that exploit human vulnerability. End-users should be warned against opening attachments to emails and clicking on suspicious links.
  2. Multifactor authentication should be enforced. Ensure that you use stronger MFA solutions, such as those based upon the FIDO2 framework, while avoiding obsolete MFA methods like push notifications, one-time passcodes, and SMS text messages. Adopt zero tolerance MFA configuration, especially for –
  1. “Fail open” or “re-enrollment”) scenarios
  2. Lock-out and time-out options for multiple unsuccessful login attempts
  3. Session cookies and/or access tokens have shorter expiry dates
  1. When it comes to software updates or patching, be careful.
  2. Inactive accounts should be disabled in all MFA systems and Active Directory.
  3. All account types must have strong and unique passwords
  4. Remind end-users that they should regularly clear their browser caches. Administrator tools can be used to reduce the validity of cookies.

Final Takeaway

MFA is a good option, but it’s not enough to protect you against all bad actors. This applies to all other security tools.

There will never be bulletproof protection for your network because threat actors constantly evolve to meet changes in technology. This reality is unacceptable. You must accept it and use the most current cybersecurity tools and best practices to adequately secure your organization.

Need guidance about how to set up your MFA system. Computer One security specialists can help reduce the risk of your company being hacked by EvilProxy or other cyber threats. Through best-in-class IT Security Awareness Training, we can help strengthen the weakest link of your security infrastructure.