Analytics Story: Common Phishing Frameworks
Description
Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email.
Why it matters
As most people know, these emails use fraudulent domains, email scraping, familiar contact names inserted as senders, and other tactics to lure targets into clicking a malicious link, opening an attachment with a nefarious payload, or entering sensitive personal information that perpetrators may intercept. This attack technique requires a relatively low level of skill and allows adversaries to easily cast a wide net. Because phishing is a technique that relies on human psychology, you will never be able to eliminate this vulnerability 100%. But you can use automated detection to significantly reduce the risks. This Analytic Story focuses on detecting signs of MiTM attacks enabled by EvilGinx2, a toolkit that sets up a transparent proxy between the targeted site and the user. In this way, the attacker is able to intercept credentials and two-factor identification tokens. It employs a proxy template to allow a registered domain to impersonate targeted sites, such as Linkedin, Amazon, Okta, Github, Twitter, Instagram, Reddit, Office 365, and others. It can even register SSL certificates and camouflage them via a URL shortener, making them difficult to detect. Searches in this story look for signs of MiTM attacks enabled by EvilGinx2.
Detections
| Name | Technique | Type |
|---|---|---|
| Detect DNS requests to Phishing Sites leveraging EvilGinx2 | Spearphishing via Service | TTP |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|
References
- https://github.com/kgretzky/evilginx2
- https://attack.mitre.org/techniques/T1192/
- https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/
Source: GitHub | Version: 1