
Evilginx2: Standalone man-in-the-middle attack framework - archimag0
https://github.com/kgretzky/evilginx2
======
parsadotsh
Any ideas how a website can protect itself in this situation?

~~~
kpcyrd
You can't reliably fix this as a website. You can try to resolve this on the
client by using the websites origin as part of the 2FA challenge (which is
what U2F does) but ultimately there's no good, universal solution for this.

It's also important to note that 2FA was never meant to solve phishing, it was
meant to solve password reuse. Phishing is still pretty much unsolved.

~~~
scifi
CheckPoint (and likely other) firewalls can stop phishing via watching http
post going north and blocking if looks phishy.

