Be Careful! A Surprisingly Simple Way To Bypass 2FA

8uVB...zE69
13 Dec 2023

Two-factor authentication (2FA) provides an effective method for enhancing the security of our digital accounts by adding a layer of protection.
There are many types of 2FA, some safer than others, and everyone should protect their valuable accounts with some 2FA.
But SMS and app-based two-factor authentication (e.g., Google Authenticator or Microsoft Authenticator) can be bypassed by hackers using a combination of specialized software and phishing links.
In this article, we will explain how black hat hackers use Evilginx to access your 2FA-protected accounts, so that you can take steps to protect your accounts from Evilginx and other similar MitM attacks.


Man-in-the-Middle (MitM) Attacks

In a Man-in-the-Middle (MitM) attack, the attacker secretly positions themselves between two parties and can eavesdrop on, capture, or manipulate the transmitted data.
For example, think of the 'two parties' as you (party one) being prompted to log in to your Google account (party two) by entering your username, password, and the one-time code (OTC) generated by your 2FA.
At a high level, a MitM attack works as follows:
Interception: The attacker intercepts the communication between two parties, which could be a person and a website, two individuals, or any devices connected through a network.
👎 A common way to intercept communications is… through our cooperation. Open a phishing email or SMS and click on the malicious link if you want to sponsor a black hat hacker.
👍 Alternatively, if you value your data and don't feel like sponsoring black hat hackers, learn how to identify phishing attempts.
Intermediary: The attacker acts as an intermediary, intercepting and possibly modifying the data exchanged between the two parties. This could involve manipulating messages, stealing sensitive information, or injecting malicious content.
☝️ In the next section, we will explain how black hat hackers use Evilginx to manipulate data and steal login credentials and the cookies needed to bypass two-factor authentication (2FA).
Secrecy: One of the defining characteristics of a MitM attack is that it is carried out stealthily, without the knowledge of the legitimate parties involved. The victim parties typically believe they are communicating directly with each other or with a trusted entity. Additionally, the victim does not even suspect that the login credentials have been compromised; the attacker can then use them to spy on the victim.
☝️ But, in some cases, if you know where to look, you can identify if you have fallen for a MitM attack.

 
How Evilginx is Used to Steal Login Credentials and Bypass 2FA

Evilginx is a tool used in phishing attacks to steal login credentials and potentially bypass two-factor authentication (2FA) mechanisms.
It is therefore worth understanding how Evilginx works so that you can protect yourself from such attacks:
Phishing Campaign Setup: The attacker initiates a phishing campaign by creating a cheap website, configuring Evilginx, and writing a Phishlet. Then, a malicious phishing link is sent to the victim.
👉 Phishlets are small software programs that deceive users and steal their personal information, usually through phishing attacks.
👉 You should learn how to identify phishing attacks delivered through emails or SMS.
Deploy Evilginx: Evilginx is set up as a man-in-the-middle proxy that sits between the victim and the fake website. When the victim accesses the phishing site, Evilginx intercepts the communication.


Picture source: Evilginx2 logo
Stealing Credentials: As the victim enters their login credentials (username and password) on the phishing site, Evilginx captures and logs this information.
2FA Bypass: Evilginx can also capture 2FA codes so the attacker can take over an account protected by two-factor authentication.
👉 Many videos and posts explain this attack, but this video shows both the victim's and the attacker's perspectives, so it is worth watching.
Access to Victim's Account: With the stolen login credentials and 2FA code, the attacker can now access the victim's account on the legitimate website, bypassing 2FA.


Protection Against Evilginx and Similar Attacks

Education and Awareness: The first line of defense is to educate ourselves about the dangers of phishing attacks and how to recognize phishing attempts.
👉 We should be extremely cautious about clicking on links in unsolicited emails and verify the legitimacy of ANY websites we visit.
Avoid Public Wi-Fi: When entering sensitive information, avoid public Wi-Fi networks that may not be secure.
👉 If you need to use Public Wi-Fi, use a VPN to encrypt your internet connection.


Check Email Sources: Be cautious of emails from unknown or suspicious sources.
👉 Verify the sender's identity, and avoid clicking links or downloading attachments.
Regularly Monitor Accounts: Review your online accounts for suspicious or unauthorized activity. If you notice anything unusual, take immediate action to secure your account.
👉 Both Google and Microsoft offer ways to monitor your account for suspicious activity. You may be surprised by the number of unsuccessful login or sync attempts your account receives...


Use Hardware Security Keys: 2FA codes sent by SMS or generated by authenticator apps (e.g., Google or Microsoft Authenticator) will NOT protect you if you have clicked on a malicious link and fallen for an Evilginx MitM attack.
👉 Only 2FA hardware tokens will protect your account.
👉 As explained by Yubico: 'With security keys, user login is bound to the origin, meaning authentication will fail on a fake site since it has no prior credentials set up to authenticate.'
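The following added example (not code from the original post or from the Evilginx project) illustrates the origin binding Yubico describes, and why it defeats the relay attack explained in the Evilginx section above: a TOTP code carries no information about the page it was typed into, so a code relayed by a proxy verifies normally, whereas a WebAuthn-style assertion is signed over the origin the browser actually loaded, so the relying party rejects it. The relying party name, origins, secrets and the HMAC stand-in for the security key's public-key signature are all constructed for this demonstration.

```python
"""Relayed TOTP verifies; a relayed origin-bound assertion does not (constructed demo)."""
import hashlib, hmac, json, struct

RP_ID = "accounts.example.com"                                  # constructed relying party
EXPECTED_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts.example.com.login-check.test"  # constructed look-alike host

TOTP_SECRET = b"constructed-shared-secret"

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_checks_totp(submitted: str, now: int) -> bool:
    """The server cannot tell where the code was typed: a relayed code is byte-identical."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, now))

# Simplified WebAuthn assertion. A real key signs with a private key; HMAC stands in here.
CRED_KEY = b"constructed-credential-key"

def browser_assertion(page_origin: str, challenge: str) -> dict:
    """The browser, not the user, writes the origin of the page that made the request."""
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0]      # effective domain of the page
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash (first 32 bytes)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def server_checks_assertion(a: dict, challenge: str) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:      # the proxy can relay the challenge, not the origin
        return False
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, a["signature"])
```

Note that the proxy can forward the relying party's real challenge unchanged; the assertion still fails because the origin and rpIdHash are filled in by the victim's browser from the page it actually loaded.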
For more information, please have a look at this post about How To Fortify Your Security With Two-Factor Authentication (2FA)
_____________________________________________________________________________________________
As with all tools, Evilginx can be used for good or bad. 
Evilginx has been developed for penetration testing, as described in the Evilginx disclaimer:
'I am very much aware that Evilginx can be used for nefarious purposes. This work is merely a demonstration of what adept attackers can do. It is the defender's responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks. Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.'
The creator of Evilginx is transparent about the capabilities of the software and warns us about the dangers of its misuse.
This way, we can learn or develop ways to defend ourselves from similar MitM attacks. That is, it is better to have the opportunity to learn and adapt than to face the same danger from a different source while being ignorant of it.
_____________________________________________________________________________________________
Congratulations on completing this 5-minute digital safety power-up.
We hope this 5-minute read was worth the time and that you have learned some valuable information.
Please consider subscribing to our blog for more short but important articles about Crypto and Digital Good Practices.
