Where in the world are you?
I live in Gdynia, which is a beautiful city in the north of Poland, by the seaside.
At what age did you start learning to program computers?
I think I began learning programming around the time I was 10, when I got Turbo Pascal for DOS. I then started writing simple programs, which would verify entered passwords. Later I went back to my old Atari and started learning Atari Basic for fun. I switched from Pascal to C/C++ with elements of x86 assembly when I was around 16.
What do you like to do when you’re offline?
I am hardly ever truly offline, which is probably not a good thing, but when I'm offline I do some EDM DJ-ing or music producing as a hobby. I am also gaming on a PC, in my free time, and when not playing multiplayer games, you could say I'm also gaming offline. Most of my part-time activities have always been oriented around computers.
What programming language would you recommend people learn first?
I don't think there is really a good answer to that. I would say that whatever language you want to learn first is probably the best choice. It is most important that you learn the language that lets you build what you want to build, to keep you motivated, and once you get proficient enough, you will find out that all the other programming languages are fairly similar. It will then take you significantly less time to learn the other ones.
What inspired you to create Evilginx?
I remember I was playing around with cookie extraction from web browsers, seeing how easy it is to take over accounts without the need of even knowing account credentials. I then stumbled upon a blog post about capturing cookies for Telegram accounts, using man-in-the-middle attacks on a local network. I was pretty much into everything related to MiTM attacks, back then. I spent a long time building my own Raspberry Pis with custom scripts for WiFi network attacks. I started thinking if it would be possible to capture the cookies remotely, through a phishing attack, by decoupling the connection between the user and the website. I figured out that the easiest way to make a working proof-of-concept was to use nginx's `proxy_pass` feature to proxy the web content. That's how Evilginx 1.0 was born.
Have you ever been approached by law enforcement regarding your software's use in cyber attacks? If so, how did you respond?
No, I haven't.
Do you believe that open-source offensive security tools have a legitimate role in cybersecurity, or do you see them as inherently problematic?
It is really hard, if not impossible, to measure the proportion of the good vs the bad coming out of open-source offensive security tool releases. It is hard to give one opinion to fit all cases. I think each tool should be assessed individually, based on its purpose and the author's motivation to release it. I am very much against Evilginx being used by cybercriminals, but I know that the code is open-source and it could have become the foundation for many other tools used by cybercriminals. On the other hand, if it wasn't for Evilginx, maybe Google account security would be way worse today, since the company would spend fewer resources to improve it.
On the other hand, there are cases when someone publishes a ready-to-use ransomware tool, which evades detections, for "educational purposes". In such cases there is little educational value to be seen and the release of such tools would mostly just serve the purpose of wreaking havoc. My word to defenders is to take a proactive attitude and take the release of such tools in a positive way. Offensive tools are freely available, so you can always try them out, analyze how they behave, how to detect them and develop protections against them.
This kind of cooperation is probably a bit idealistic, but I think this is the kind of cooperation between both sides that gets the world moving in the right direction.
What advice would you give to people and organisations looking to protect themselves from cyber attacks that use tools like yours?
My advice to organisations would be to enforce the use of FIDO U2F solutions and the like, for employees, when logging into the company's services. These make normal phishing and reverse proxy phishing attacks impossible to pull off, since an external device is able to verify the legitimacy of the domain the user is requested to log into. For the general public my advice is the same, but I am well aware that the adoption of FIDO U2F solutions will always remain far from ideal, among the general population, to make phishing attacks obsolete. Because of that, I don't think it is a good idea to only put security responsibilities on the user. Websites can do much better to detect reverse proxy phishing attacks and protect their users, but they ignore the problem, because, for companies, it is always easier to blame the users when they get hacked.
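The answer above says a FIDO device can verify the domain it is logging into. As an added illustration (not code from the interview or from Evilginx), the following shows the server-side origin and RP ID checks from WebAuthn assertion verification that make this binding work: a login relayed through a lookalike domain carries that domain as its origin and is rejected. The RP origin, RP ID, challenge and the browser-output helpers are constructed for the example; the signature check is omitted.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.example.com"  # constructed RP origin
RP_ID = "example.com"                           # constructed RP ID

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_assertion_binding(client_data_b64: str, auth_data: bytes, expected_challenge: bytes):
    """Origin/RP/challenge checks an RP performs before verifying the signature."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    # The browser fills in the page's real origin; a proxy cannot rewrite it
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % client_data.get("origin")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the authenticator used
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not auth_data[32] & 0x01:  # UP flag: user presence
        return False, "user presence flag not set"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes) -> str:
    # Constructed stand-in for the clientDataJSON a browser would produce
    body = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(body).encode())

def make_auth_data(rp_id: str, flags: int = 0x01) -> bytes:
    # Constructed authenticatorData: rpIdHash || flags || signCount
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")

CHALLENGE = b"constructed-challenge-0123456789ab"

def genuine_login():
    return verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE), make_auth_data(RP_ID), CHALLENGE)

def proxied_login():
    # Browser on a lookalike proxy domain reports that domain as the origin
    return verify_assertion_binding(make_client_data("https://login.example.com.lookalike.test", CHALLENGE), make_auth_data(RP_ID), CHALLENGE)
```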
Do you feel any sense of responsibility for the ways in which your software is used by cybercriminals?
Probably the best answer would be to insert the "Awkward Look Monkey Puppet" meme GIF here ;) When I decided to publish Evilginx, I was well aware that it may be used by both the good guys and the bad guys. I could have decided not to publish anything at all, but that would not make the problem I wanted to highlight magically disappear. I eventually made the decision to publish the tool as a framework, but without making it too easy to use, so that I had more confidence it would mainly be used by security professionals (or skilled threat actors, who may have already had their own similar tools). This is also why I made the decision to not provide any support to keep 'phishlets' up-to-date.
Phishlets are small script files used to instruct Evilginx on how to target specific websites. The idea was that if you wanted to use Evilginx for reverse proxy phishing simulations, you would need to learn how to use it yourself, without shortcuts. So to answer the question, I feel a sense of responsibility that by highlighting the issue I've accelerated the adoption of the new type of attacks, but I may have also accelerated the development of new defenses to counter them. The vulnerabilities of using MFA have been out there nevertheless.
What separates Evilginx from other tools like Modlishka?
How do you see the future of offensive security tools evolving?
Not sure really, but I can imagine that as time passes, there will be a gradual decrease of new offensive security tools being published as open-source. The quality of published tools will also keep dropping. There has always been a difference between proof-of-concept tools and tools that are stable, easy to use and which can be reliably used by professional red teamers, who are paid to deliver results. I don't see how doing the latter is sustainable, long enough, without any financial backing. I expect that the offensive security tools market will sway in the direction of developers creating specialized security tools for sale only to vetted security companies, resembling the business model of NightHawk from MDSec.
Have you ever faced criticism or pushback from the cybersecurity community or other developers regarding your work on offensive security tools?
I've been approached by a few people, from the industry, whose main job is protecting the users from online threats. Initially they were not too happy with me releasing a tool like this, to the public, as they've seen it being used also by bad guys. It usually didn't take long to find a mutual understanding.
The only backlash I've experienced was from a handful of infosec Twitter keyboard warriors, who, instead of using the tools to improve defenses, would spend most of their time tweeting and making up statistics about how offsec tools only provide offensive "capability" to bad guys and they should have never been released, in the first place. Overall, I've mostly received positive feedback from the community and people have been super supportive, which I'm grateful for.
Are there any misconceptions or stereotypes about developers who create offensive security tools that you would like to dispel?
I don't think so. Maybe I'm just not aware of too many misconceptions or stereotypes about offensive security tools developers :)
What advice would you give to someone who wants to be able to write a tool as comprehensive as Evilginx?
I would definitely advise - do it for fun. So far, from my experience, the best tools were created by people who wanted to use them themselves. Never force yourself to work on something you do not enjoy. Think of what you'd like to create and then take small steps to reach the goal. Also, don't worry if you want to create something that has been done already. Do the same thing with your own spin to it. Remember that if you're struggling you're still learning. There is no such thing as talent - it is all about enjoying what you're working on and learning in the process. Whenever you feel you are not enjoying yourself, take a break and come back later. Remember that you're doing this for fun.
Your blog has a lot of information on it about red team tactics, is keeping a blog something you recommend that security people do?
Yes! I've been putting off the idea of starting a blog myself, for far too long. If you worked on something interesting in your spare time, write about it. People will eventually notice it and you'll then get a chance to talk to like-minded people. Only good things can come out of it. Don't be like me and do it sooner, rather than later. Also set up a Twitter account if you do not already have one. I know Twitter has been going through turmoil recently, but the platform is still one of a kind and the whole infosec industry is still on it.
You can learn how to use Evilginx on Kuba's site, Breakdev.