Passkeys are not attack-proof unless they are used properly

“We used a standard GitHub phishlet that can be found in various user repositories on GitHub itself,” Stewart said. “When a targeted user visits the lure URL, without the host name in the URL bar, what they will see is what looks like a normal GitHub login page, because it’s the real GitHub login page, just uploaded to Evilginx.”

“However, by slightly changing the configuration of the standard phishlet, we can remove the text ‘Log in with a password’,” Stewart added, showing how easily a user can be steered into falling back to password-based authentication, which the proxy can relay.

Research has noted that these attacks can be staged both where a passkey is the primary authentication factor and where it serves as a second factor. “Unless the user specifically remembers to look for the passkey option, they will likely just enter their username and password, which will be sent to the attacker along with the authentication token/cookies, which the attacker can use to maintain persistent access to the account,” Stewart said.
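The mechanics behind that quote, as an added example that is not code from the article, from Stewart's research or from Evilginx: the browser writes the page's origin into the signed clientDataJSON of a passkey assertion, so an assertion produced on the lure page carries the lure origin and the relying party rejects it, and a proxy that rewrites the origin breaks the authenticator's signature over the data. A relayed password has no such binding, which is why the fallback is what the phishlet goes after; the last function shows the policy that closes it. The origins, challenge, accounts and the HMAC stand-in for the authenticator's ECDSA signature are all constructed for this example.

```python
"""Added example: origin binding of a passkey assertion versus a relayed password."""
import base64
import hashlib
import hmac
import json

# Constructed values for this example; the lure host is hypothetical.
EXPECTED_ORIGIN = "https://github.com"
LURE_ORIGIN = "https://github.com.login-example.net"
CHALLENGE = b"\x01" * 32

# Stand-in for the authenticator's private key. A real passkey signs with
# ECDSA over a public-key credential; HMAC-SHA256 plays that role here so the
# example runs offline with the standard library only.
_AUTHENTICATOR_KEY = b"example-passkey-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assert(origin: str, challenge: bytes) -> tuple[bytes, bytes]:
    """What the victim's browser and authenticator produce on a login page.
    The browser, not the page, fills in `origin`, so on the lure site it is the
    lure origin. The authenticator signs over sha256(clientDataJSON)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }, separators=(",", ":")).encode()
    signed = hashlib.sha256(client_data).digest()
    signature = hmac.new(_AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return client_data, signature


def rp_verify_assertion(client_data: bytes, signature: bytes, challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks (a simplified subset of WebAuthn assertion verification):
    signature over the client data, then ceremony type, challenge and origin."""
    expected_sig = hmac.new(_AUTHENTICATOR_KEY, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        return False, "signature does not cover this clientDataJSON"
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    return True, "ok"


def proxied_passkey_login() -> tuple[bool, str]:
    """Victim uses the passkey on the lure page; the proxy forwards it unchanged."""
    cd, sig = browser_assert(LURE_ORIGIN, CHALLENGE)
    return rp_verify_assertion(cd, sig, CHALLENGE)


def proxied_passkey_login_with_rewritten_origin() -> tuple[bool, str]:
    """The proxy edits clientDataJSON to claim the real origin: the hash the
    authenticator signed no longer matches, so the signature check fails first."""
    cd, sig = browser_assert(LURE_ORIGIN, CHALLENGE)
    forged = cd.replace(LURE_ORIGIN.encode(), EXPECTED_ORIGIN.encode())
    return rp_verify_assertion(forged, sig, CHALLENGE)


# Password fallback: the part of the flow a reverse proxy can relay verbatim.
# Constructed sample accounts; plain SHA-256 stands in for a real password KDF.
USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"hunter2").hexdigest(), "passkey": True},
    "bob":   {"pw_hash": hashlib.sha256(b"letmein").hexdigest(), "passkey": False},
}


def password_login(username: str, password: str, passkey_only_when_enrolled: bool) -> tuple[bool, str]:
    """A relayed password works because nothing binds it to the origin.
    The mitigation is policy: once a passkey is enrolled, refuse the fallback."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    if passkey_only_when_enrolled and user["passkey"]:
        return False, "password login disabled: account has a passkey"
    if hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), user["pw_hash"]):
        return True, "ok"
    return False, "bad password"


if __name__ == "__main__":
    print("passkey via proxy:", proxied_passkey_login())
    print("passkey via proxy, origin rewritten:", proxied_passkey_login_with_rewritten_origin())
    print("password via proxy, fallback allowed:", password_login("alice", "hunter2", False))
    print("password via proxy, fallback disabled:", password_login("alice", "hunter2", True))
```

Run as a script to see the four outcomes side by side. The first two calls show the two things a proxy can try with a passkey and why both fail; the last two show that the relayed password succeeds unless the service enforces passkey-only sign-in for accounts that have one, which is the setting to look for when a provider offers it.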
