SlashNext has warned of a new phishing kit that makes it easier for cybercriminals to launch believable attacks. The FishXProxy Phishing Kit provides a wide range of tools. Surprisingly, it takes advantage of Cloudflare, integrating with many of its services.
A blog on the SlashNext website details FishXProxy. The unattributed blog states, “With its array of advanced features, FishXProxy dismantles the technical barriers traditionally associated with phishing campaigns, making it alarmingly simple for attackers to deceive and exploit unsuspecting victims.”
What makes FishXProxy dangerous?
Security teams will be worried about every aspect of FishXProxy, not just its integration with Cloudflare. SlashNext has posted a page from the FishXProxy marketing email. The malware designers list it as the “#1 most powerful reverse proxy for phishing.” It lists a large number of supported platforms and 19 key features.
Those 19 key features include traffic encryption, Cloudflare integration, unlimited subdomains, random domain generation, and support for zero trust. The creators are so confident in their product that they claim excellent support. They also promise buyers that they will get lifetime updates.
SlashNext points out FishXProxy’s ability to hide its true location, saying, “A clever redirection system obscures true destinations, while page expiration settings hinder analysis and aid campaign management. Even if one attack fails, cross-project tracking allows attackers to persistently target victims across multiple campaigns. This sophisticated approach presents a significant challenge to traditional security measures.”
Antibot System
SlashNext also mentions FishXProxy’s evasion capabilities and multi-layered antibot system, which it says “is designed to prevent automated scanners, security researchers, and potential victims from detecting the phishing nature of sites created with the kit.”
The antibot settings screen makes it easy to see, add and remove settings. Where a setting, such as Cloudflare Turnstile, requires additional settings, it tells the user what is needed to use it. Using CAPTCHA and other systems means that anyone who lands on the phishing page has taken several steps. As a result, it increases the conversion rate of each click.
Cloudflare Integration
The Cloudflare integration will raise the most eyebrows of all the features in this phishing toolkit. The researchers point out just how effectively FishXProxy is exploiting the CDN. Interestingly, Cloudflare has not responded to how it plans to deal with this.
Among the features exploited are Cloudflare Workers, which deploy phishing logic to Cloudflare’s edge network. The Cloudflare Turnstile is part of the Antibot System.
The phishing kit also obtains SSL Certificates through Cloudflare, which raises a serious question for both Google and Cloudflare. Google has recently said it will block Entrust Certificates in Chrome from November 2024. Will it now look to block certificates obtained through Cloudflare due to the risk from those issued to FishXProxy?
Enterprise Times: What does it mean?
The FishXProxy developers’ claim that it is the #1 most powerful reverse proxy for phishing appears to be no idle boast. The features it includes and its ease of use make it easy for cybercriminals to create phishing campaigns.
What is not clear is where the developers are located. SlashNext has chosen not to attribute the developers to any group or nation-state. It is a sensible move. Most attributions are, at best, guesses, and given how new this phishing kit is, there isn’t much to identify the group. That will come later.
For now, the attention has to be on countering the threat and working out how to identify attacks. It will be interesting to see what information Cloudflare can provide to help identify SSL Certificates and instances of malware on its edge network.