An in-depth analysis of Evilginx: a tool that can be used by cybercriminals to bypass Gmail and Outlook’s two-factor authentication security protections as part of a credential-stealing attack has been published by human behavior security specialists Abnormal. Operating as an attacker-in-the-middle proxy, Evilginx can intercept and manipulate traffic to enable the theft of login credentials and, importantly, session cookies. It’s the latter, Daniel Kelley, a security researcher at Abnormal said, which can validate a user’s session after the 2FA step is completed, that lets “Evilginx render the 2FA step ineffective, allowing unauthorized access.” Here’s what you need to know.
What is Evilginx?
Evilginx is not a new phenomenon by any stretch of the imagination. There’s an excellent podcast explainer, still at SC Magazine from 2018, detailing how it is an attack framework that can be used to intercept credentials. It’s clever in that, the podcast explains, “instead of just duplicating the target web application it proxies traffic to it making the experience seamless to the victim.”
In his new analysis, Kelley goes into detail as to how dangerous this is because, unlike traditional phishing techniques that look to trick users into revealing login credentials, Evilginx goes a big step further in tackling the 2FA protection problem. Things start in the typical way, with an attacker setting up a cloned website and driving unsuspecting users to visit it. The victim enters their credentials, which are forwarded on to the genuine site or service to initiate the login process. Because Evilginx is acting as a proxy, however, the attacker has the exact same access to the exact same session. All without being detected. “The key difference between traditional phishing and attacker-in-the-middle attacks is that the latter doesn’t just steal credentials,” Kelley said, “it hijacks authenticated sessions, allowing cybercriminals to bypass 2FA entirely.”
How And Why Cybercriminals Use Evilginx
It’s hardly surprising, given its functionality, that Evilginx has become such a popular tool for cybercriminals looking to phishing as a modus operandi. Originally, of course, it was designed for perfectly honest endeavors, namely as a penetration testing tool. “One of the main reasons it’s so popular is its open-source nature,” Kelley said, “allowing anyone to download, modify, and use it.” Including cybercriminals.
Such users will often configure Evilginx to mimic high-value targets such as banks and, it may surprise some to discover, email accounts. This really should not be a shock though, as I’ve often warned, your email account is the gateway to a treasure trove of information of huge potential use to a criminal hacker. In the case of Gmail, for example, the world’s largest free web-based email service with 3.45 billion users, getting access to a Google account provides ongoing access to password reset confirmations along with all sorts of private information that can be used for further malicious activity. “These platforms often rely on 2FA as a security measure,” Kelley said, “and Evilginx offers a way to bypass that protection.”
Kelley warns that everything the attacker does once they have that session cookie and the account access without requiring a 2FA code it brings will not trigger any kind of 2FA alert, which is why Evilginx has evolved into a valuable commodity that cybercriminals trade for profit.
By providing Evilginx as a service “phishlet” the attack who buys into it doesn’t need to have the technical expertise to configure and run it themselves from scratch. Not, it has to be said, that it’s particularly complicated in my, legal uses only, experience in the past. “These services can include customized phishing pages, hosting, and even automation for harvesting credentials and session cookies,” Kelley warned.
Real-World Risk And Session Cookie-Stealer Mitigations
I spoke with Mike Britton, the chief information security officer at Abnormal Security who reminded me of the very real-world risk of this kind of attack campaign. “Attackers that use Evilginx in their attacks pose a major risk to businesses and consumers alike due to its ability to bypass MFA,” Britton said, “which would ordinarily stop a phishing attack in its tracks and prevent attackers from completing the compromise.”
Evilginx allows attackers to gain unauthorized access to personal accounts—like a Gmail account—even with enhanced security measures in place, Britton warned, but when it comes to mitigation he said that “although consumers don’t have access to enterprise-grade security tools, there are steps they can take to reduce the likelihood of an MFA bypass attack.” Some of the mitigating resources he mentioned included:
- Use 2FA methods that are harder to bypass, such as hardware security keys or biometrics, rather than SMS-based codes, which are more vulnerable to interception.
- Use 2FA apps that provide real-time alerts or push notifications that allow you to reject fraudulent login attempts.
- Remain vigilant about phishing, as 2FA bypass attacks often start with a phishing attempt to steal passwords or session tokens.
I also reached out to Google, and a spokesperson issued the following statement:
“This type of attack is well known and we have built-in defenses, such as high frequency cookie rotation, device-bound session credentials, and risk-based re-authentication, that keep users safe. Additionally, the first line of defense against attacks like this is to use an operating system like ChromeOS that is secure by default, without known vulnerabilities for this type of malware.”
I have also reached out to Microsoft but a statement was not available at time of publication.