Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool, called Evilginx, is being used to bypass multi-factor authentication (MFA) in attacks targeting major email providers like Gmail, Outlook, and Yahoo.
Evilginx operates as a man-in-the-middle proxy, intercepting and manipulating traffic between users and legitimate websites. This allows attackers to steal login credentials, session cookies, and other sensitive information, even when MFA is in place.
The tool is typically used in attacker-in-the-middle (AiTM) phishing campaigns. In these attacks, cybercriminals set up fake websites mirroring legitimate ones. When users enter their login information and MFA token, Evilginx captures this data and forwards it to the real site in real time.
What makes Evilginx particularly dangerous is its ability to capture session cookies. These cookies validate a user’s session after MFA is completed, allowing attackers to bypass the extra security step entirely.
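A defender-side illustration of the point above, added here and not taken from Abnormal Security's report: because a captured cookie is later used from the attacker's own client, the legitimate site can compare every request on a session with the client that completed MFA. The log format, field names and sample events below are constructed for this example.

```python
# Constructed sample of requests as the legitimate site might log them
# (field names and values are assumptions made for this example).
EVENTS = [
    {"ts": "2024-05-01T09:00:05", "sid": "s-alice", "user": "alice", "ip": "198.51.100.7", "ua": "Chrome/124 Windows", "event": "mfa_success"},
    {"ts": "2024-05-01T09:00:40", "sid": "s-alice", "user": "alice", "ip": "198.51.100.7", "ua": "Chrome/124 Windows", "event": "request"},
    {"ts": "2024-05-01T09:10:00", "sid": "s-bob", "user": "bob", "ip": "203.0.113.50", "ua": "Chrome/124 Windows", "event": "mfa_success"},
    {"ts": "2024-05-01T09:12:30", "sid": "s-bob", "user": "bob", "ip": "192.0.2.99", "ua": "Firefox/125 Linux", "event": "request"},
    {"ts": "2024-05-01T09:13:00", "sid": "s-bob", "user": "bob", "ip": "192.0.2.99", "ua": "Firefox/125 Linux", "event": "request"},
    {"ts": "2024-05-01T09:30:00", "sid": "s-carol", "user": "carol", "ip": "198.51.100.20", "ua": "Safari/17 macOS", "event": "mfa_success"},
    {"ts": "2024-05-01T11:45:00", "sid": "s-carol", "user": "carol", "ip": "198.51.100.21", "ua": "Safari/17 macOS", "event": "request"},
]


def find_session_reuse(events):
    """Flag sessions used from a different client than the one that completed MFA."""
    bound = {}     # sid -> (ip, ua) seen when MFA succeeded
    seen = set()   # (sid, ip, ua) already reported, to avoid duplicate alerts
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ctx = (e["ip"], e["ua"])
        if e["event"] == "mfa_success":
            bound[e["sid"]] = ctx
            continue
        origin = bound.get(e["sid"])
        # Sessions with no recorded MFA event are out of scope for this check.
        if origin is None or ctx == origin or (e["sid"], *ctx) in seen:
            continue
        seen.add((e["sid"], *ctx))
        changed = [n for n, a, b in zip(("ip", "ua"), origin, ctx) if a != b]
        alerts.append({
            "user": e["user"], "sid": e["sid"], "first_seen": e["ts"],
            "changed": changed,
            # Both attributes changing at once is a stronger signal than an
            # IP change alone, which also happens when a user roams networks.
            "severity": "high" if len(changed) == 2 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(EVENTS):
        print(alert)
```

This is a heuristic: it produces leads for review or step-up authentication, and an attacker who matches the original IP and user agent would not be flagged.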
The open-source nature of Evilginx has contributed to its popularity among cybercriminals. Some are even offering it as a service to others who lack the technical skills to configure it themselves.
One notable user of Evilginx is the Star Blizzard APT group, linked to Russia’s Federal Security Service. They’ve employed the tool in spear-phishing campaigns targeting high-profile individuals and organizations.
Cybersecurity experts warn that traditional defences, including basic MFA, may no longer be sufficient against these sophisticated phishing threats. Not surprisingly, Abnormal Security’s post recommends its AI-powered solutions that can detect and block these attacks before they reach users’ inboxes. Whether or not that’s the ultimate solution, it is clear that this threat does present a dangerous workaround to MFA, something that many of us have come to rely on as a gold standard for online security.