Many people believe multifactor authentication (MFA) is the ultimate defense for their online accounts. But hackers are now using Evilginx to beat it.
MFA is a security procedure that requires two steps to log in, rather than relying solely on a password. The second step proves that the login request genuinely comes from you, typically via a text message, an app approval or an authenticator code. This latest hack gets around the MFA defense by luring users into a new form of phishing attack known as an Attacker in the Middle (AiTM) attack.
AiTM attacks are one of the lesser-known varieties of phishing, which makes it more important than ever to strengthen your defenses against this evolving threat.
The Malicious Hijinks of Evilginx
Evilginx started life as a security tool that acts as a proxy sitting between a PC user and a website. Because Evilginx is open source, anyone can download and run it, regardless of whether they have good or malicious intent. Accordingly, attackers have taken advantage of Evilginx to generate fake login pages that look identical to genuine websites. These are then used to relay traffic in real time between the victim and the legitimate service.
The Evilginx attack starts with an email, usually tailored to the target to gain their trust, which contains a link to the fake login page. When the victim clicks on the link, they’re asked to enter their username and password. Once these are entered, Evilginx passes them on to the real site immediately. If the service asks for an MFA code, the victim is prompted to provide that as well. For the user, everything appears normal and they gain access.
However, instead of just stealing the password, the proxy also harvests session cookies. Essentially, these are digital tokens a website issues after a successful login – this is why you can then re-access the service without having to enter your password again. With the stolen cookies in hand, an attacker can access the account from wherever they want and the website will recognize them as an authorized user who has already passed MFA.
As it all happens in real time, and the attacker harnesses the site’s own responses, it’s a stealthy technique. This is what makes AiTM attacks so dangerous: they can compromise accounts even when there are multiple layers of security in place. The Evilginx method is so effective that even major services such as Gmail, Outlook, and LinkedIn have been successfully breached.
How to Protect Against Evilginx

The stealthy nature of Evilginx means that it’s difficult to know when your credentials have been compromised, but you don’t need to fall victim to it. Instead, you can combat the threat of Evilginx and other similar attacks by following these three tips:
- Use Phishing-Resistant MFA: Using methods like security keys or other phishing-resistant tokens gives much stronger protection than SMS codes, as attackers can’t easily steal these through fake sites.
- Monitor for Unusual Activity: Keep an eye on your account activity, such as login alerts from new locations and connections from new devices. Unusual activity like this should ring alarm bells, so always investigate it.
- Always Verify Links: If you get an email asking you to log in somewhere, always hover over the link with your mouse cursor to see its true destination. If something looks strange – such as a misspelled name or unusual domain extension – don’t click.
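The "Monitor for Unusual Activity" tip can also be automated on the service side. The following is an added example, not part of the original article: it scans session events for a session token that is later used from a different IP address or browser than the one that passed MFA, which is what a replayed stolen cookie looks like. The log format, field names and sample lines are constructed assumptions.

```python
import json

# Constructed sample events, one JSON object per line (not real logs).
# Field names (ts, user, session, event, ip, ua) are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:02Z","user":"alice","session":"s-1001","event":"mfa_success","ip":"198.51.100.7","ua":"Chrome/124 Windows"}
{"ts":"2024-05-01T09:00:05Z","user":"alice","session":"s-1001","event":"request","ip":"198.51.100.7","ua":"Chrome/124 Windows"}
{"ts":"2024-05-01T09:04:41Z","user":"alice","session":"s-1001","event":"request","ip":"203.0.113.50","ua":"Firefox/125 Linux"}
{"ts":"2024-05-01T09:10:00Z","user":"bob","session":"s-2002","event":"mfa_success","ip":"192.0.2.14","ua":"Safari/17 macOS"}
{"ts":"2024-05-01T09:12:30Z","user":"bob","session":"s-2002","event":"request","ip":"192.0.2.14","ua":"Safari/17 macOS"}
not-json line that a real log shipper might emit
{"ts":"2024-05-01T09:20:00Z","user":"alice","session":"s-1001","event":"request","ip":"203.0.113.50","ua":"Firefox/125 Linux"}
"""


def find_replayed_sessions(log_text):
    """Return one finding per session used by a client other than the one that passed MFA."""
    baseline = {}   # session id -> (ip, ua) of the client that completed MFA
    findings = {}   # session id -> finding dict
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            sid, client = ev["session"], (ev["ip"], ev["ua"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete lines instead of crashing
        if ev.get("event") == "mfa_success":
            baseline[sid] = client
            continue
        origin = baseline.get(sid)
        if origin is None:
            # No MFA event seen for this session: use the first client as baseline.
            baseline[sid] = client
        elif client != origin:
            finding = findings.setdefault(sid, {
                "user": ev.get("user"), "session": sid, "mfa_client": origin,
                "other_clients": [], "first_seen": ev.get("ts")})
            if client not in finding["other_clients"]:
                finding["other_clients"].append(client)
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_LOG):
        print(finding)
```

Legitimate sessions also change IP address when users move between networks, so a finding is a prompt to investigate rather than proof of compromise.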