EvilProxy Reverse-Proxy MFA Bypass Scam

INDIA — By BharatSecure Threat Intelligence Team

Verdict: Suspicious | Risk Score: 9/10 | Severity: critical

Category: UPI, Phishing, OTP

How EvilProxy Reverse-Proxy MFA Bypass Scam Works

Overview: EvilProxy is a new-generation phishing kit, sold as a service, whose campaigns target Indians who hold high-value accounts such as Microsoft, Google and Facebook. It uses a reverse-proxy technique: the attacker's site sits between you and the real login page and captures the valid session cookie the moment you sign in, which defeats OTP-, SMS- and push-based two-factor or multi-factor authentication (MFA). The attacker can then use your account without ever being handed a code or password directly. Only origin-bound authenticators such as FIDO2 security keys and passkeys are unaffected, because the browser will not sign a login for any site other than the one the credential was registered on.

How It Works: You receive an email or message that appears to be from your bank, email provider or workplace, urging you to log in urgently for some critical reason. The link leads to a convincing login page. That page is a reverse proxy: it relays everything you type to the real site and relays the real site's responses back, while quietly saving the session cookie the real site issues. Once you complete login (even with your OTP or a biometric approval), the attacker uses that cookie to sign in as you without needing your device or password again.

India Angle: These campaigns target Indians with accounts at big banks, IT companies and government email domains. Attackers market their services on Telegram channels and dark web forums, frequently using Indian branding and payment gateways for authenticity. Victims often live in tier-1 and tier-2 cities, with a focus on Bangalore, Hyderabad and Mumbai.

Real Examples:
  • "Important: Unusual sign-in detected on your Google account. Login to secure now: [fake link]"
  • "Your company admin requests urgent login for updated policy documents."
  • "Security alert: Someone tried to login to your Facebook account from New Delhi."

Red Flags:
  1. Login pages that look official but have strange URLs.
  2. Websites asking for both password and OTP on the same page.
  3. Very timely and urgent security warning emails.
  4. Short windows to act ("reset in 10 minutes").

Protective Measures:
  • Always reach your accounts by typing the official site address[ADDRESS_REDACTED] yourself, never by following a link in a message.
  • Verify the email sender's full address [ADDRESS_REDACTED].
  • Use a trusted password manager with autofill; it fills credentials only on the exact site they were saved for, so it stays silent on a proxy page that uses a different address.
  • Never share your OTP with anyone.
  • If you get a security warning, check it separately through the official app or the address you typed yourself.

If Victimised:
  • Sign out of all sessions and devices from your account settings first; the stolen cookie stays valid until that session is revoked, and a password change alone does not necessarily revoke it.
  • Change all critical passwords immediately.
  • Notify your company IT or support immediately.
  • Report the scam at 1930 and cybercrime.gov.in.

Related Scams:
  • Cookie-capturing attacks against UPI apps
  • Session token phishing in banking portals
  • Phishing with fake pop-up windows for MFA bypass

How This Scam Works — Detailed Explanation

The EvilProxy Reverse-Proxy MFA Bypass Scam exploits the trust users place in the login pages of popular platforms like Google, Microsoft and Facebook. Scammers first reach the victim through a channel they already use, typically WhatsApp or email, with a convincingly crafted phishing message that appears to come from a legitimate source and demands urgent action. For example, a victim might receive a message claiming unusual activity on their Google account and urging them to follow a link to 'secure' it.

The link leads to a page on the attacker's domain that looks exactly like the real login page because, in effect, it is the real login page: the attacker's server fetches it from the genuine site and relays it, then relays everything the victim types back to the genuine site. Credentials, the OTP and any push approval all pass through in real time, so the genuine site completes the login and issues a session cookie, which the proxy records on its way back to the victim. Even with MFA enabled, the attacker now holds an authenticated session and never has to ask the victim for a code directly.
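The reason a FIDO2 security key or passkey is not caught by this relay, while an OTP is, comes down to what the login proof is bound to. The following is an added example written for this article, not BharatSecure's or any vendor's code: it simulates the browser and relying-party sides of a WebAuthn login with the standard library and shows the binding checks (challenge, origin, RP ID hash) that make an assertion produced on a proxy domain useless against the real site. The final signature check against the stored public key is named but not performed. RP_ID, ALLOWED_ORIGINS and the phishing domain accounts-google.example are assumed values for illustration.

```python
"""Added example: the checks that let a FIDO2 key or passkey survive a
reverse-proxy login. Simulation only; no real authenticator is involved."""
import base64
import hashlib
import json
import os

RP_ID = "google.com"                               # assumed relying-party ID
ALLOWED_ORIGINS = {"https://accounts.google.com"}  # assumed genuine login origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(origin: str, requested_rp_id: str, challenge: bytes) -> dict:
    """What a browser on `origin` hands back for navigator.credentials.get().

    The browser enforces that the RP ID is the page's host or a registrable
    suffix of it, so a page on accounts-google.example cannot even ask for
    google.com's credentials. The authenticator's signature is omitted here."""
    host = origin.split("://", 1)[1].split("/")[0].split(":")[0]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"browser refuses: {requested_rp_id} is not a suffix of {host}")
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),  # the RP's challenge, relayed unchanged by a proxy
        "origin": origin,                # the origin the page was actually served from
    }).encode()
    # authenticatorData = rpIdHash (32) | flags (1, bit 0 = user present) | signCount (4)
    authenticator_data = (hashlib.sha256(requested_rp_id.encode()).digest()
                          + bytes([0x01]) + (1).to_bytes(4, "big"))
    return {"clientDataJSON": client_data_json, "authenticatorData": authenticator_data}


def rp_verify(assertion: dict, expected_challenge: bytes) -> bytes:
    """Relying-party side: the binding checks from the WebAuthn verification
    procedure. Returns the bytes the stored public key must have signed."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if client_data.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch: stale or replayed assertion")
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        raise ValueError(f"origin {client_data.get('origin')} is not the genuine site")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not auth_data[32] & 0x01:
        raise ValueError("user-presence flag not set")
    # Last step in a real RP: verify_signature(stored_public_key, signed_bytes, sig).
    return auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()


def login_outcome(origin: str, requested_rp_id: str) -> str:
    """Run one login ceremony end to end and report the result."""
    challenge = os.urandom(32)  # issued by the RP; a proxy relays it verbatim
    try:
        assertion = browser_get_assertion(origin, requested_rp_id, challenge)
        rp_verify(assertion, challenge)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    print(login_outcome("https://accounts.google.com", "google.com"))
    # A proxy page on an assumed lookalike domain asking for the real RP ID:
    print(login_outcome("https://accounts-google.example", "google.com"))
    # The same page using its own RP ID and relaying the genuine challenge:
    print(login_outcome("https://accounts-google.example", "accounts-google.example"))
```

Note that the proxy does relay the genuine challenge, so the challenge check passes; what sinks the attack is the origin recorded by the victim's own browser and the RP ID hash inside the signed data, neither of which the proxy can rewrite without breaking the signature. An OTP carries no such binding.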

For instance, a victim may click a fake security alert for their bank account and land on a counterfeit SBI login page that asks for their user ID and password. Once those are submitted, the scammer captures them and uses them on the real site, which sends an OTP by SMS to the victim's phone; under pressure, victims often type that OTP into the fake page as well, believing it is part of securing the account. With the credentials and the OTP relayed, the scammer holds a live session on the real account and can move funds, for example through UPI transactions, or try the same credentials against the victim's other accounts.

The impact of such attacks is increasingly worrying: various reports put cyber fraud losses in India at ₹53,000 crore in the last financial year alone. The Ministry of Home Affairs and the RBI have issued stronger guidelines and advisories on online security as perpetrators adopt these techniques, and CERT-In regularly issues alerts on evolving scams, stressing the need for users to stay informed and vigilant.

As this scam becomes widespread, users must learn to distinguish legitimate communications from fraudulent ones. Scrutinise any unexpected email or message that claims to be a security alert. Check the URL and the pattern of the request: official communications will never ask for your password, PIN or OTP through unsecured channels, and a reverse-proxy page is not made safe by its padlock icon; what matters is whether the address is the one you would type yourself. If a situation seems suspicious, trust your instincts and verify through a trusted channel before acting.

Who Does EvilProxy Reverse-Proxy MFA Bypass Scam Target?

General public across India

Red Flags — How to Identify EvilProxy Reverse-Proxy MFA Bypass Scam

  • Lookalike login sites with unofficial URLs
  • Combined password and OTP requests on unfamiliar pages
  • High-pressure, time-limited security warnings
  • Requests to act urgently after receiving a security alert
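The first red flag, a lookalike address, is also the one a password manager checks for you: the saved credential is bound to the real site's origin, and the proxy lives on a different host however closely its address imitates the real one. The following is an added example written for this article, not BharatSecure's code, that applies the same exact-origin rule to the link in a message before it is clicked, including the tricks a lookalike address uses (brand name as a subdomain, brand name in the user-info part before an @, punycode). The official-domain list and the sample links are assumed for illustration and are not taken from any real campaign.

```python
"""Added example: classify a login link by its real host, the way a password
manager decides whether to autofill. Official-domain list and links are assumed."""
from urllib.parse import urlsplit

# Registrable domains of the sites you actually hold accounts with (assumed).
OFFICIAL_DOMAINS = {"google.com", "microsoft.com", "facebook.com", "onlinesbi.sbi"}
BRANDS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}  # google, microsoft, ...


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Enough for the domains above; a real
    implementation consults the Public Suffix List for suffixes like co.in."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> tuple:
    """Return ('official' | 'suspicious' | 'unknown', reason) for a login link."""
    parts = urlsplit(url.strip())
    # hostname is the part the browser actually connects to. Anything before
    # an '@' is user-info, so https://accounts.google.com@evil.example/ goes
    # to evil.example no matter what the start of the address says.
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return "suspicious", "not an https URL with a host"
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return "official", f"host {host} belongs to {domain}"
    # Punycode or non-ASCII hosts can render as a brand name with swapped letters.
    if "xn--" in host or not host.isascii():
        return "suspicious", f"internationalized host {host} can imitate a brand"
    # A brand name anywhere in a link whose real host is someone else is the
    # lookalike pattern behind red flag 1.
    decoy_text = " ".join([parts.username or "", host, parts.path]).lower()
    for brand in sorted(BRANDS):
        if brand in decoy_text:
            return "suspicious", f"'{brand}' appears in a link whose real host is {host}"
    return "unknown", f"host {host} is not in the official list"


if __name__ == "__main__":
    SAMPLE_LINKS = [  # constructed examples, not real campaign URLs
        "https://accounts.google.com/signin",
        "https://accounts.google.com.secure-login.example/",
        "https://accounts.google.com@evil.example/",
        "http://accounts.google.com/",
        "https://xn--ggle-0nda.com/",
        "https://www.onlinesbi.sbi/",
        "https://news.example/",
    ]
    for link in SAMPLE_LINKS:
        verdict, reason = classify_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```

The check is deliberately strict: anything that is not an exact match on the registrable domain is at best "unknown", which is the same conservative answer a password manager gives when it declines to fill.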

What To Do If You Encounter EvilProxy Reverse-Proxy MFA Bypass Scam

  1. Report the incident immediately by calling the cybercrime helpline at 1930 or visiting cybercrime.gov.in.
  2. Notify your bank's customer service, like SBI at 1800-11-1109 or HDFC at 1800-202-6161, if you suspect any unauthorized access.
  3. Sign out of all sessions and devices from the account's security settings, then change your passwords immediately for all affected accounts, ensuring they are strong and unique. The attacker holds a session cookie, and a password change alone does not necessarily revoke it.
  4. Where the service offers it, enable phishing-resistant MFA such as a FIDO2 security key or a passkey; it is bound to the real site's address, so a proxy page cannot complete the login. OTP and push approvals do not stop this attack.
  5. Monitor your bank and UPI transaction history closely for any suspicious activity.
  6. Educate yourself about identifying phishing scams and share this information within your community.
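Why "sign out everywhere" comes first in both the short checklist above and the "If Victimised" list earlier on this page: the attacker walks away with a session cookie, not with your password, and a password change that leaves existing sessions untouched does nothing to that cookie. The following is an added example written for this article, not BharatSecure's or any service's code. It uses a small in-memory session store, constructed for illustration, with a per-user "session generation" counter, which is one common way to invalidate every session at once without tracking each cookie; the usernames and passwords are placeholders.

```python
"""Added example: a stolen session cookie survives a password change unless
sessions are revoked. In-memory store constructed for illustration."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000  # enough for the illustration, not a production setting


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SessionStore:
    def __init__(self):
        self.users = {}     # username -> {"salt", "hash", "generation"}
        self.sessions = {}  # cookie -> (username, generation at issue time)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash_password(password, salt),
                                "generation": 0}

    def login(self, username: str, password: str):
        """Returns a session cookie on success, None on a wrong password."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
                user["hash"], _hash_password(password, user["salt"])):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (username, user["generation"])
        return cookie

    def is_valid(self, cookie: str) -> bool:
        """Checked on every request: the cookie must exist and carry the
        user's current generation."""
        entry = self.sessions.get(cookie)
        if entry is None:
            return False
        username, generation = entry
        return generation == self.users[username]["generation"]

    def change_password(self, username: str, new_password: str) -> None:
        """Rotates the credential only. Cookies issued earlier stay valid."""
        salt = os.urandom(16)
        self.users[username]["salt"] = salt
        self.users[username]["hash"] = _hash_password(new_password, salt)

    def revoke_all_sessions(self, username: str) -> None:
        """'Sign out everywhere': every cookie issued so far stops matching."""
        self.users[username]["generation"] += 1


def after_compromise(revoke_sessions: bool) -> dict:
    """Victim logs in through the proxy (attacker keeps the cookie), then
    changes the password, optionally revoking sessions. Reports what the
    attacker can still do afterwards."""
    store = SessionStore()
    store.register("victim", "old-password-seen-by-proxy")
    stolen_cookie = store.login("victim", "old-password-seen-by-proxy")  # relayed via proxy
    store.change_password("victim", "new-unique-passphrase")
    if revoke_sessions:
        store.revoke_all_sessions("victim")
    return {
        "stolen_cookie_still_works": store.is_valid(stolen_cookie),
        "old_password_still_works":
            store.login("victim", "old-password-seen-by-proxy") is not None,
    }


if __name__ == "__main__":
    print("password change only     :", after_compromise(revoke_sessions=False))
    print("plus sign-out-everywhere :", after_compromise(revoke_sessions=True))
```

Some providers do revoke sessions as part of a password change; since you cannot tell from the outside which ones do, use the explicit "sign out of all devices" control and then check the account's active-sessions list.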

How to Report EvilProxy Reverse-Proxy MFA Bypass Scam in India

  • Call 1930 — National Cyber Crime Helpline (24x7)
  • File a complaint at cybercrime.gov.in
  • Contact your bank immediately if money was lost
  • Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What to do if I shared my OTP in a UPI scam?
Immediately notify your bank's customer care by calling the helpline numbers like SBI at 1800-11-1109 or HDFC at 1800-202-6161. Additionally, report the incident to the cybercrime helpline at 1930.
How can I identify the EvilProxy scam?
Look for unofficial URLs and combined requests for your password and OTP on unfamiliar pages—these are major red flags that identify this scam.
How to report this type of scam in India?
Report to the cybercrime helpline at 1930, visit cybercrime.gov.in, and also inform your bank about any fraudulent activity or phishing attempts.
How can I recover money or protect accounts after this scam?
Contact your bank immediately to block or freeze your accounts, change your passwords, and enable additional security measures. Monitor your accounts for unusual activity and report everything to the relevant authorities.

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.