Bypassing MFA with Kuba, the Evilginx guy!

Episode SummaryIn this episode, we dive into the sophisticated world of phishing attacks with Kuba Gretzky, creator of the renowned Evilginx framework. He shares insights on how Evilginx operates as a reverse proxy, capturing authentication tokens in real-time, and discusses the ethical considerations of creating such a powerful tool. Most importantly, Kuba provides valuable guidance on protection strategies that organizations can implement to defend against these advanced phishing techniques.Chapters00:00 - Introduction to Kuba and Evilginx- Creator of Evilginx, a phishing framework demonstrating MFA vulnerabilities- 15+ years in cybersecurity, started with MMO game hacking- Transitioned through reverse engineering to cybersecurity02:03 - Understanding Phishing Fundamentals- Phishing presents fake sign-in pages to capture user credentials- Even 7-year-olds now learn about phishing dangers in school03:39 - How Evilginx Works Technically- Functions as a reverse proxy between user and legitimate server- Creates dual TLS connections to intercept all communications- Captures authentication tokens for complete account takeover05:55 The Evolution of Phishing Tools- Evolved from experiments with cookie manipulation- Improved upon older tools that required malware installation- Developed from Nginx with Lua scripting to standalone Go application10:37 Evilginx's Impact and Popularity- Gained traction through demonstrating MFA vulnerabilities- Creates "shock factor" when users see how easily accounts are compromised- Emerged alongside other tools but distinguished by ease of demonstration12:25 Real-World Phishing Examples- Sophisticated attacks use browser-in-browser techniques- High-profile victims include Linus Tech Tips YouTube channel- Attackers leverage urgency and fear to bypass security awareness16:23 Protecting Against Evilginx Attacks- Implement domain verification checks through JavaScript- Deploy "shadow tokens" with browser fingerprinting- Utilize conditional access policies and FIDO2/passkeys22:57 - Detecting Evilginx Attacks- HTTP header inspection can identify attack signatures- TLS fingerprinting (JA4) detects unusual connection patterns- Cloudflare and other services block suspicious proxy connections27:33 - User Education and Psychological Factors- Focus on recognizing psychological triggers like urgency- Reward reporting rather than punishing victims- Teach users to access websites directly rather than through email links31:01 - Ethical Considerations and Responsible Development- Implemented vetting process for Evilginx Pro access- Built anti-cracking protections to prevent misuse- Created trusted community for responsible information sharing36:43 - Future Developments and Evilginx Pro- New client-server architecture with API for automation- Features include bot protection and shadow token bypass capabilities- Established BreakDev as company with plans for security software platformKey Takeaways- Modern phishing attacks like those enabled by Evilginx can bypass MFA by acting as a proxy in real-time.- The strongest protections include device compliance, FIDO2/passkeys, and domain verification checks.- Organizations should implement conditional access policies that verify device identity, not just user identity.- User education should focus on recognizing urgency tactics rather than just checking URLs.- Shadow tokens that include browser fingerprinting and domain information show promise as protection methods.- Ethical security tools require responsible handling - vetting processes to help prevent misuse.- Security awareness demonstrations with tools like Evilginx help stakeholders understand risks and invest in protections.Key LinksBREAKDEV Blog → breakdev.orgEvilginx Pro → evilginx.comEvilginx Mastery Course → academy.breakdev.org/evilginx-mastery Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe