Phishing Evasion Techniques

Jul 22, 2025

Summary

  • Kuba Gretzky, an offensive security tools developer and creator of Evilginx, presented on bypassing modern anti-phishing protections, focusing on reverse proxy phishing.
  • The session covered technical methods for evading phishing detection tools, updates in Evilginx Pro, and recent advances in phishing tactics.
  • Key discussion points included three layers of evasion (stealth, deception, obfuscation), countermeasures by security tools, and specific bypass techniques for Google Chrome Safe Browsing and Canary tokens.
  • The talk concluded with a summary of best practices for phishing campaign operators and a brief mention of the evolving phishing landscape.

Action Items

  • (No explicit action items or due dates were specified in the transcript.)

Introduction & Background

  • Kuba Gretzky introduced himself as an ex-game hacker, now an offensive security tools developer focused on phishing tools, notably Evilginx and its Pro version.
  • Evilginx Pro has now been officially released after previous delays.
  • He manages the Break The Threat Discord community and developed a custom shop engine to handle Evilginx Pro licensing, verifying each community member manually (1,700 verified to date).

Reverse Proxy Phishing Detection: Overview & Layers of Evasion

  • The focus was on reverse proxy phishing detection, not email phishing detection.
  • Outlined three evasion layers ("Three Layers of Deception"):
    1. Stealth: Prevent public exposure of phishing hostnames, mainly through wildcard TLS certificates that keep the specific subdomains out of public certificate logs.
    2. Deception: Prevent automated scanners from analyzing phishing page content; often addressed with bot protection tools.
    3. Obfuscation: As a last resort, disguise phishing pages so that they look legitimate and evade detection if exposed.

Stealth: Hiding Phishing Hostnames

  • TLS certificates for phishing sites are publicly logged (e.g., crt.sh), exposing subdomains.
  • Wildcard TLS certificates obscure the specific phishing hostnames, forcing anyone hunting for them to brute-force subdomains.
  • Once a phishing URL is sent to a target, secrecy is lost.
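The defender's side of the stealth layer is monitoring the same public certificate logs the talk mentions. The following is an added example, not code from the talk or from Evilginx: it scans constructed crt.sh-style entries for lookalikes of a hypothetical brand and separately flags wildcard issuance, since a wildcard entry hides the subdomain that would otherwise reveal the phishing host. The brand keyword, owned domains and sample entries are all assumptions.

```python
from typing import Dict, List, Optional

WATCHED_BRAND = "example-bank"          # hypothetical brand keyword
LEGIT_DOMAINS = {"example-bank.com"}    # hypothetical domains we own

# Constructed CT entries in the shape of a crt.sh JSON result
# (name_value holds newline-separated SANs). None are real certificates.
SAMPLE_CT_ENTRIES: List[Dict] = [
    {"common_name": "login.example-bank.com",
     "name_value": "login.example-bank.com"},
    {"common_name": "*.examp1e-bank.net",
     "name_value": "*.examp1e-bank.net\nexamp1e-bank.net"},
    {"common_name": "example-bank.com.secure-login.xyz",
     "name_value": "example-bank.com.secure-login.xyz"},
    {"common_name": "unrelated.site", "name_value": "unrelated.site"},
]

# Undo common digit-for-letter substitutions before comparing names.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

def normalize(name: str) -> str:
    return name.lower().translate(HOMOGLYPHS)

def registrable(name: str) -> str:
    # Naive eTLD+1 (last two labels); enough for the sample. A real
    # monitor would consult the public suffix list.
    return ".".join(name.split(".")[-2:])

def classify_name(name: str) -> Optional[str]:
    """Return a verdict for one certificate name, or None if uninteresting."""
    wildcard = name.startswith("*.")
    bare = name[2:] if wildcard else name
    if registrable(bare) in LEGIT_DOMAINS:
        return None                       # our own certificate
    if WATCHED_BRAND not in normalize(bare):
        return None                       # unrelated to the brand
    return "wildcard-lookalike" if wildcard else "lookalike"

def scan(entries: List[Dict]) -> List[Dict]:
    """Flag every brand-lookalike name across all SANs of all entries."""
    findings = []
    for entry in entries:
        names = set(entry["name_value"].split("\n")) | {entry["common_name"]}
        for n in sorted(names):
            verdict = classify_name(n)
            if verdict:
                findings.append({"name": n, "verdict": verdict})
    return findings
```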

Deception: Preventing Automated Analysis

  • Automated scanners and bots analyze phishing URLs and page content.
  • Tools like Cloudflare Turnstile and Evilginx Pro's 'Botguard' script block bots by analyzing browser telemetry and only serving phishing content to humans.
  • Most bots do not execute JavaScript, so content appears benign to them.
  • Botguard, as implemented in Evilginx Pro, outperformed Cloudflare Turnstile in some bypass scenarios (e.g., Microsoft Defender for Endpoint).

Obfuscation: Disguising Phishing Content

  • Detection tools (e.g., Google Chrome Safe Browsing, browser extensions like Push Security) scan HTML, JavaScript, URLs, and cookie names.
  • HTML/JavaScript Obfuscation:
    • Evade pattern/signature detection by dynamically rewriting code (e.g., base64 encoding, randomized obfuscation).
    • Evilginx Pro auto-generates new obfuscated JavaScript outputs every 5 minutes.
  • Client-Side Detection:
    • Increasingly moving into browser extensions and the browser itself.
    • The Push Security extension targets Evilginx by matching unique signature patterns (e.g., cookie naming schemes, injected script paths).

Evasion Techniques: URL Rewriting & Canary Tokens

  • URL Rewriting:
    • Chrome Safe Browsing matches phishing pages by comparing domains, URL paths, and query parameters.
    • Evilginx Pro now supports dynamic URL rewriting in its "phishlet" logic, breaking pattern matching by altering path/parameter structures.
    • Some legitimate sites (e.g., Google) require partial parameter preservation due to reliance on specific JavaScript logic.
  • Canary Tokens:
    • Used to detect phishing by embedding tripwire URLs (background images, JS calls, etc.) in legitimate authentication flows.
    • Exposure often relies on HTTP referrer headers leaking the phishing URL.
    • Evilginx injects Referrer-Policy: no-referrer headers to prevent this leakage; this method became consistently effective after a Chromium bug was fixed recently.
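On the receiving side, a canary hit is only useful if the server evaluates the Referer it arrives with. The following is an added example, not code from the talk or from any canary-token product: it classifies constructed requests to a tripwire URL that is assumed to be served from the legitimate login origin, so a genuine browser on the real site sends a same-origin Referer. A missing Referer (what a no-referrer policy produces) is reported as a signal to correlate rather than as proof, since privacy tooling can strip it too. The origin and sample headers are assumptions.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

LEGIT_ORIGIN = "https://login.example-bank.com"   # hypothetical canary origin

def origin_of(url: str) -> Optional[str]:
    """Reduce a Referer URL to scheme://host[:port], lowercased."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()

def evaluate_canary_hit(headers: Dict[str, str]) -> Dict[str, str]:
    """Classify one request to the canary URL from its request headers."""
    h = {k.lower(): v for k, v in headers.items()}
    referer = h.get("referer")
    if referer is None:
        # Same-origin loads from the real page carry a Referer by default;
        # its absence is unusual but not conclusive on its own.
        return {"verdict": "suspicious",
                "reason": "referer absent on same-origin resource"}
    origin = origin_of(referer)
    if origin is None:
        return {"verdict": "suspicious", "reason": "unparseable referer"}
    if origin == LEGIT_ORIGIN:
        return {"verdict": "benign", "reason": "same-origin referer"}
    # The login page was rendered under some other origin: the classic
    # reverse-proxy leak the talk describes.
    return {"verdict": "alert", "reason": f"canary loaded from {origin}"}

# Constructed sample requests (not captured traffic).
SAMPLE_HITS = [
    {"Referer": "https://login.example-bank.com/signin", "User-Agent": "Mozilla/5.0"},
    {"Referer": "https://login.examp1e-bank.net/signin", "User-Agent": "Mozilla/5.0"},
    {"User-Agent": "Mozilla/5.0"},                       # Referer stripped
]
```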

Browser in the Browser (BitB) & Iframe Protections

  • BitB attacks use simulated browser UI within a site, embedding the real phishing content in an iframe to steal credentials.
  • Iframe protections (X-Frame-Options, CSP headers, JS logic) commonly block this tactic.
  • Manual, site-specific code modifications can remove these protections, but require significant effort.
  • Recent community contributions have demonstrated successful removal of iframe protections (e.g., for Okta sign-in).
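The protections listed above are worth auditing on your own login pages. The following is an added example, not code from the talk: it reports whether a response's headers block cross-origin framing, treating CSP frame-ancestors as authoritative over X-Frame-Options as browsers do, and shows a weak header set beside a hardened one. The sample headers are constructed.

```python
from typing import Dict, List

def frame_ancestors(csp: str) -> List[str]:
    """Return the frame-ancestors sources from a CSP header, or [] if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return []

def frame_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Report whether a third-party page can frame this response."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    if ancestors:
        # frame-ancestors overrides X-Frame-Options when both are present.
        # 'none' and 'self' both refuse framing by another origin; any
        # listed host or '*' opens a hole an embedder could use.
        blocked = all(src in ("none", "self") for src in ancestors)
        return {"blocked": blocked, "mechanism": "csp frame-ancestors"}
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"blocked": True, "mechanism": "x-frame-options"}
    return {"blocked": False, "mechanism": "none"}

# Constructed responses: a weak set and a hardened set (not real captures).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'",   # no frame-ancestors
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
```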

Summary Recommendations

  • Use wildcard TLS certificates to protect phishing hostnames from exposure.
  • Filter inbound traffic with bot-detection and telemetry-analysis tools.
  • Obfuscate phishing content to thwart signature-based detection.
  • Rewrite URL paths and parameters to evade pattern-matching algorithms in browsers.
  • For certain platforms (e.g., Steam), static HTML phishing remains effective for capturing credentials and MFA challenges.
  • Passkeys and FIDO2 are suggested as potentially effective countermeasures.

Decisions

  • Release of Evilginx Pro — The official announcement that Evilginx Pro is now publicly released, ending the previous cycle of launch delays.

Open Questions / Follow-Ups

  • No direct open questions or follow-ups were posed during this session.