Almost every penetration test starts with the finding of a low-hanging fruit powered by phishing techniques. This one (Evilginx) is capable of bypassing Google’s high-guarded security walls, but it doesn’t limit to work for other defenses.
How does Evilginx achieve it? Being an attack tool for setting up phishing pages: rather than displaying look-alike login page templates, Evilginx becomes a relay between the actual website and the phishing user.
The Phishing user interacts with the actual website, while Evilginx captures all the data that is transmitted between the two parties. As a man-in-the-middle, it captures not only usernames and passwords but also captures sent authentication tokens, such as cookies.
Captured authentication tokens allow the attacker to bypass any form of 2FA (two-factor authentication) enabled on the user’s account (except U2F, more on that later).
It doesn’t matter if 2FA is using SMS codes, mobile authentication app, or recovery keys.
In today’s post, I’m going to show you how to make your phishing campaigns look and feel the best way possible.
Disclaimer: This is for educational purposes only and should be used in legitimate penetration testing assignments (with written permission from to-be-phished parties).
What Is Evilginx and Where Does it Come From?
Kuba Gretzky (Author at Breakdev) had a revelation after reading about an expert using the Nginx HTTP server’s proxy_pass feature to intercept the real Telegram login page to visitors.
For him, the idea of using Nginx to proxy external servers was simple, yet effective (near perfect). That’s how Evilginx was born.
Common phishing attacks, which we see every day, are HTML templates, prepared to look like the login pages of popular websites, luring victims to reveal their usernames and passwords.
When the victim enters their username and password, the credentials are recorded and the attack is considered a success. Old phishing methods that focus exclusively on capturing usernames and passwords are completely rejected by 2FA.
But this is what it looks like, in Evilginx 2, when the session token cookie is successfully captured:
Common phishing attacks rely on creating HTML templates that take time. Most of the work is spent on making them look good, respond well on mobile devices, or are adequately obfuscated to evade phishing detection scanners.
Evilginx takes the attack one step further and instead of publishing its lookalike HTML pages, it becomes a web proxy.
The core of it is the usage of the Nginx HTTP proxy module.
To prevent the visitor from redirecting to the real website, URLs with the real website’s domain need to be replaced with the Evilginx phishing domain.
But what about the encrypted HTTPS connection using SSL/TLS, preventing eavesdropping on communication data?
The victim is only talking to the Evilginx server (via HTTPS) but not to the actual website.
It initiates its HTTPS connection with the victim (using its SSL/TLS certificates), receiving and decrypting the packets, and establish its HTTPS connection with the target website.
Later on, it sends the re-encrypted packets, as if the victim’s browser itself was doing it.
This is how the chain of trust is broken and the victim still sees that green lock icon next to the address bar, in the browser, thinking that everyone is safe.
The victim would still be talking back and forth, with Evilginx packets sitting in the middle when credentials are inserted and the 2FA challenge-response activates.
Even while being the victim of a phishing attack, the victim will still receive the 2FA SMS code on their mobile phone as they are talking to the actual website.
It looks complicated? Don’t worry.
This is how an Evilginx 2.0 attack works:
Anatomy of an Evilginx 2.0 Attack
- A phishing link is generated. It points out to the server running Evilginx.On successful sign-in, the victim will be redirected to this link e.g. document hosted on G Drive.If this cookie is detected, then it means the sign-in was successful.
The victim can now be redirected to the URL supplied by the RC parameter.
- The victim receives the phishing link from any available communication channel.
- It clicks the link, where it is presented to the proxied Google sign-in page.
- The victim inputs the valid account credentials and progresses to the 2FA (if enabled). At this point, the rd cookie is saved for the phishing domain in the victim’s browser. From now on, he/she will be redirected when the phishing link is re-opened.
- The result? The attacker has successfully gotten the victim’s email and password, as well as the session cookies, to take full control of the session.
Why it Works, While Other Phishing Tools Don’t?
In the first place, an exact-match looking template can be created. But the attacker gets stuck when asked for the SMS verification token. This will also alert the victim of the attack.
But even if the 2FA gets bypassed, some templates can’t hold valid credentials. It just lays there, without chances of confirming the validity of the username and password.
So, Evilginx shows a clear demonstration of how far someone can go hunting your private information… And still, shortcut parts needed.
If you are a penetration tester, feel free to use this tool in testing the security and threat awareness of your clients.
If you’re a business owner, then you might fear that this will turn against you.
How to Protect From an Evilginx Attack
And you’re right. It could happen at any time.
Fortunately enough, there is a major flaw in this phishing technique that you can use to your advantage: the attacker must register their domain. When registering a domain, the attacker will try to make it look as similar as possible to the real, legitimate domain.
For example, if the attacker is targeting Facebook (the actual domain is facebook.com), they can register a domain faceboook.com or faceb00k.com, which maximizes the chances that victims will not see the difference in the URL of the browser.
You can learn more about this Typosquatting technique by clicking on the link.
Being said, you should always check in the address bar if the website domain is legit or not.
You could even get out of doubt if the mirror URL is fake or not, by typing it in Google search. If nothing comes up, then it means for sure that you were close to being phished.