Advanced Phishing Protection: How to Spot Sophisticated Phishing Websites
Evilginx is a sophisticated phishing framework that operates as a man-in-the-middle (MitM) attack tool designed to bypass two-factor authentication (2FA). For online safety and advanced phishing protection, it is important to understand how Evilginx works and how to spot advanced phishing websites.
How Evilginx Does It
1. The “Man in the Middle” Method
Functions Of A Proxy: Evilginx sits as a reverse proxy between the victim and the real website. People who click on a phishing link are taken to an Evilginx site that looks exactly like the real login page of the service being phished.
Getting Data: Evilginx records the user’s password and 2FA code in real time as they are entered. It does not only steal usernames and passwords; it also captures the session tokens that the real site sends back as cookies, which lets attackers bypass 2FA entirely.
2. Safety With HTTPS
Certificates For SSL: Evilginx serves its phishing domain over HTTPS using its own SSL/TLS certificates. The target sees the familiar padlock icon in the browser, which can make them believe they are on the real site.
Smooth Experience: The target believes they are talking to the real website, while Evilginx is actually relaying every request and response to it and recording everything without anyone noticing.
3. Generating Phishing URLs
Unique Domains: Hackers make phishing links that lead to their own Evilginx site. People often think these links are real, which makes it hard for them to spot the scam.
Attackers may craft sophisticated links that look very similar to the original URL, so watch for any typo or odd character that replaces a character of the original URL. Also make sure you reach the website through links in genuine email messages from the company or service, or by going there directly from your favorite search engine.
4. Taking Over a Session
Evilginx captures the session cookie after the user logs in and completes 2FA. Attackers can then access the victim’s account without ever entering the password or a 2FA code, effectively taking over the session.
How to Spot Advanced Phishing Websites
1. Carefully Look at the URL
Check For HTTPS: Make sure the URL starts with “https://” and look for the lock icon in the address bar. But be careful, because some phishing sites use HTTPS too.
Checking Out Domain Names: Look closely at the domain name for small spelling changes or strange characters that imitate the real site, such as “g00gle.com” instead of “google.com.”
Another trick that is fairly common among advanced cyber criminals is to use domains such as “https://microsoft.com.office365.ru”, where the familiar name is only a subdomain and the real domain is the last part. Sometimes they deliberately make the URL very long to push the suspicious part out of view; on mobile devices this is harder to spot because the screen usually does not show the full address. It is recommended to always hover the mouse over a link and read the complete URL before clicking it. Better still, you can scan the URL with VirusTotal to see whether it has been blacklisted as phishing or whether anything suspicious is detected before you click it.
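As an added illustration of the URL checks above (not part of the original article), this Python function applies the same rules automatically: it isolates the registrable domain, flags a trusted name that is only a subdomain of some other domain, catches digit-for-letter lookalikes, and spots the “@” trick that hides the real host. The brand table and the two-label domain rule are assumptions made for the example; a production checker would use the public suffix list.

```python
from urllib.parse import urlparse

# Brands the reader expects to log in to, with the registrable domain each
# one legitimately uses (short sample table constructed for this example).
KNOWN_DOMAINS = {"google": "google.com", "microsoft": "microsoft.com"}

# Digit-for-letter swaps seen in lookalike names such as "g00gle.com".
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host, a naive stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> tuple[str, str]:
    """Classify a URL as 'ok', 'suspicious', 'unknown' or 'invalid' with a reason.

    The checks mirror the manual inspection described above: the part of the
    host that decides where the request really goes is the registrable domain,
    not whatever familiar name appears earlier in the string.
    """
    parsed = urlparse(url)
    host = parsed.hostname
    if not host:
        return "invalid", "no host name could be parsed"
    if parsed.scheme != "https":
        return "suspicious", "not served over HTTPS"
    if parsed.username is not None:
        # "https://microsoft.com@evil.example" puts the real host after the '@'.
        return "suspicious", f"text before '@' hides the real host {host}"

    reg = registrable_domain(host)
    if reg in KNOWN_DOMAINS.values():
        return "ok", f"registrable domain {reg} is a known login domain"

    for brand, legit in KNOWN_DOMAINS.items():
        if f"{legit}." in host:
            # "microsoft.com.office365.ru": the brand is only a subdomain.
            return "suspicious", f"{legit} is a subdomain of {reg}, not the real site"
        if brand in host:
            return "suspicious", f"brand name '{brand}' inside unrelated domain {reg}"
        if brand in host.translate(CONFUSABLES):
            # "g00gle.com" reads as "google.com" once digits are mapped to letters.
            return "suspicious", f"digit-for-letter lookalike of {legit} ({reg})"
    return "unknown", f"registrable domain {reg} is not in the known list"
```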
2. Look at the Website’s Content
Look For Gaps In the Information: Check for spelling mistakes, bad grammar, or low-quality images; these can be signs of a fake site. However, Evilginx uses phishlets, and attackers can clone websites with any HTML copy tool, so a phishing site may look almost exactly like the real website interface.
Content Is Relevant: Check that the information matches what you would expect from the real website. If something doesn’t seem right, be careful what you do next. But also be aware that the phishlets, redirectors, and other tools used by Evilginx emulate the real website layout (forms, menus, popups, chat bubbles) almost perfectly, sometimes exactly.
3. Think About How You Arrived At The Website
How to Get Access: Think about how you got to the site. If you clicked a link in an email or message that you did not ask for, be extra careful.
4. Look Over the Security Indicators
The Padlock Icon: A padlock shows that the connection is encrypted, but it doesn’t mean the site is genuine. Always check other parts of the site as well.
Some websites show additional validation when you click on the padlock icon, as in this example:
In this particular case we use a very well-known bank as the example, and as you can see the connection certificate is verified by DigiCert Inc, a certificate authority that validates the applicant before issuing any TLS certificate.
They check that the website belongs to a real, legitimate business, that it is not registered in a different country from the bank, and, most importantly, that it is not blacklisted as belonging to a possible cyber-criminal group.
5. Use Tools For Advanced Phishing Protection.
URL Checkers: Use online tools that compare URLs against lists of known phishing sites or look for suspicious patterns in them.
Add-ons For Browsers: Consider using security-focused browser extensions that warn you about potentially dangerous websites before you visit them. We recommend WOT, which can be installed on Firefox, Edge, or Chrome and provides feedback based on other users’ interactions.
6. Trust Your Instincts.
Trust your gut and don’t enter any personal information if something seems off or too good to be true, such as being asked for private information out of the blue.
People can greatly improve their online safety and lower their chances of falling for sophisticated phishing attacks by learning how Evilginx works and using these tips to strengthen their advanced phishing protection and spot these websites more easily.
There is no magic formula for obtaining advanced phishing protection, so it is very important to develop a strong sense of security. We recommend the following article to help you develop a good security mindset: Why a Daily Security Mindset Matters.