We can’t talk about social engineering without mentioning phishing. Similarly, email is essential when it comes to phishing. Although there are other social engineering techniques, such as vishing, and multiple phishing vectors, such as SMS (smishing), email remains the preferred tool of attackers.
In this article, we will present three tools commonly used to carry out phishing campaigns: Gophish, Evilginx and Evilgophish.
Before diving into the practical details and compromising a Dropbox account in three different ways (a test account, of course), let’s take a step back to explain two approaches to phishing on which these tools are based.
A few clarifications before we begin. In the rest of this article, we’ll be talking about phishing for Dropbox access. That said:
The principle of clone phishing is simple. The attacker copies a known login form (such as the company’s VPN authentication page), hosts it on his server, and then sends fraudulent links (by email, for example) redirecting to this fake form.
However, this method has its drawbacks. Copying the interface is easy. The attacker downloads the resources (HTML, JS, CSS) of the legitimate form and replaces the references to the original site to make the clone independent. But this process can be tedious depending on the number of resources.
In addition, any changes to the legitimate interface must be replicated on the clone to maintain an exact copy and a realistic scenario.
Another challenge is multi-step authentication (not to mention multi-factor authentication); a first page for the email address, then a second for the password. In this case, the attacker has to clone each page and chain them together, which complicates the task. However, cloning the password page is generally sufficient to recover the password, as the email address is generally known.
The main disadvantage of clone phishing is strong authentication. Two-factor authentication (codes sent by SMS, generated by a mobile application, etc.) pose a problem.
If the cloned form requires double authentication, the attacker must also clone the form for entering the one-time password (OTP). Alternatively, they can add a field for the OTP on the fake form, but this may arouse suspicion.
After recovering the OTP entered on the fake form, the attacker must quickly replay it on the legitimate site to access the victim’s account. OTPs, often TOTPs (Time-based One-Time Password), are valid for a limited period (30 or 60 seconds), reducing the attacker’s window of opportunity.
In short, clone phishing is effective if the target form is not too complex and does not have double authentication.
However, the attacker does not need to authenticate himself in place of his victim. He can capture the victim’s session tokens (cookies, for example). This idea is the basis of a more advanced and increasingly widespread phishing technique: Man in the Middle (MitM) phishing.
Man in the Middle (MitM) phishing, or reverse-proxy phishing, involves the attacker placing his server between the victim and the legitimate site.
To do this, the phishing link points to a malicious domain (for example, dropbox.fake.com) which acts as a proxy to the legitimate app (in this case, dropbox.com).
The user interacts almost normally, but the attacker gains access to all traffic, including passwords and double authentication codes.
After authentication, a session token is issued to the user. This token is also accessible to the attacker, who can import it into his own browser to access the victim’s account.
The attacker is then connected to the same session as the user. If one of them disconnects, so will the other. To persist on the victim’s account (even after the victim has logged out), the attacker can add a trusted device to generate valid double authentication codes or recover the account recovery codes (if available).
Compared with clone phishing, MitM phishing has several advantages:
Let’s get down to the real business by presenting a few tools that put the techniques presented into practice.
Here is a brief outline of the scenario inspired by one of our audits. Our objective is to access a Dropbox test account, on which Two-factor authentication is activated. The phishing email sent to the “victim” mentions the end of the Dropbox subscription and the loss of file synchronisation to encourage him to authenticate. The malicious domain used is “dropbox.fake.com”.
Let’s see how this scenario plays out depending on the technique used.
Gophish is an open-source solution designed to help pentesters and companies run phishing simulations. It offers a web interface that makes it easy to configure and send a campaign.
Rather than a long speech, here’s a video showing the complete Gophish attack:
Let’s take a step-by-step look at the attack (the video starts at step 3):
As we have seen, clone phishing (using Gophish, for example) does not make it easy to bypass dual authentication. For a more effective method, attackers can turn to Man in the Middle phishing.
Evilginx is a reverse-proxy phishing kit designed for pentesters and red teamers. It enables to bypass double authentication by focusing on user session tokens. Since version 3.3, Evilginx can be integrated with Gophish to use its web interface and make it easier to send campaigns.
Let’s take a look at how the same attack works, this time with Evilginx:
As has been shown, MitM phishing is a way to bypass double authentication (in most cases). However, two-factor authentication remains a crucial security mechanism, particularly against clone phishing. At the end of this article, we’ll also look at the mechanisms for protecting against MitM phishing.
Let’s now take a look at the same attack in MitM, but this time delivered by SMS, using Evilgophish.
Evilgophish combines Evilginx and Gophish, adding features such as sending SMS via the Twilio API.
Here’s how the attack works on the victim’s side:
From the attacker’s point of view, after recovering the session cookies in Evilginx:
The behaviour differs slightly from that of Evilginx:
To conclude, let’s take a moment to look at how an application can protect itself against clone phishing and, more specifically, against MitM phishing.
One initial idea is to implement protections in the JavaScript code of the application, running in the client’s browser.
A common protection consists of verifying the identity of the site on which the code is executing, for example:
function validateHostname() {
return window.location.hostname.endsWith("dropbox.com");
}
The phishing domain is generally different from the legitimate domain (for example, dropbox.fake.com), so the verification will fail if the user visits the fraudulent site.
However, it must be kept in mind that any client-side protection is vulnerable, as the attacker can modify the JavaScript code of the page. Whether the attacker is in a Man in the Middle position or using a clone, they can remove the call to the validateHostname
function or render it inoperative (always returning true
).
In practice, the JavaScript code can be obfuscated, making the task more complex for the attacker, if not impossible. The cost then becomes too high for the attacker, who will prefer to target another application.
A more recent variant involves using encrypted tokens to validate the identity of the site server-side. When the user submits their password, an encrypted token (containing, for example, the value of window.location.hostname
) is added to the request by JavaScript code. Upon receiving the request, the server decrypts the token and verifies the identity of the site visited by the initial client.
This method can also be bypassed by the attacker if they identify the JavaScript code constructing the token. They would then simply need to replace window.location.hostname
with the string ‘dropbox.com’ when constructing the token to pass the server-side validation. That said, the complexity and obfuscation of the JavaScript code can once again make this task impossible within a reasonable time frame for an attacker seeking quick profit.
In addition to JavaScript verifications, there are several server-side protections against phishing in MitM mode.
For example, Microsoft Entra ID (formerly Azure Active Directory) uses conditional access, based on various risk factors, to determine if an authentication request is legitimate (such as geographic origin, browser characteristics, etc.).
This works because the legitimate user’s requests are relayed by the attacker’s server, which acts as a client to the legitimate application.
The IP address visible from the application is that of the attacker’s server, not that of the victim. Moreover, since the attacker establishes a new HTTPS connection with the application, certain characteristics of the exchanges may be suspicious. For example, the TLS versions or encryption suites proposed by the malicious client may differ from those of a typical browser (like Chrome or Firefox) which have a known fingerprint (JA4 fingerprint). This can help detect a phishing server in reverse proxy mode.
Depending on the identified risk, the application may require a stronger authentication method (such as TOTP or a security key) or even block access. For example, Microsoft Entra ID can impose a minimum authentication level based on the identified risk level for a user attempting to authenticate.
Phishing is one of the most used vectors by attackers because sending an email or SMS can have a potentially significant, even critical impact, or at least gain initial access.
In the cybercriminal world, there are now several Phishing as a Service offers, such as Evilproxy (launched at the end of 2021, four years after the release of Evilginx), NakedPages, and Tycoon. These services democratise advanced phishing techniques, called Adversary in the Middle (AitM), enabling less experienced attackers to bypass advanced protections like two-factor authentication.
It’s an eternal race between attackers’ offensives and the defences put in place. Attackers constantly innovate with increasingly sophisticated techniques as protections become more robust, and vice versa. Innovations are even faster since phishing is a very widespread attack vector.
The human element, often considered the weak link, is actually one of the first links to secure so that it becomes an asset and not a weakness. Effective employee awareness, combined with technical measures, significantly reduces the risk of phishing.
Author: Benjamin BOUILHAC – Pentester @Vaadata