Evilginx 3.0 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies.

The Weaponization of Web 2.0

By Mandem | Deus Ex | 27 Nov 2025


Phishing attacks are evolving rapidly and platforms like LinkedIn have become prime vectors. Cybercriminals are increasingly utilizing social engineering techniques to exploit the trusted and interactive channels of Web 2.0.

This post explores recent trends in phishing, citing LinkedIn as a key case study, highlights other notable non-email phishing attempts and reveals how the very architecture of the modern web — its social graphs, APIs and real-time notifications — has become the most potent vector for credential theft and session hijacking, rendering the traditional security perimeter obsolete.

The trend (attacks, techniques & tactics)

LinkedIn's vast professional network makes it an attractive target for attackers: it is used daily for work purposes, corporate announcements, events, etc. Since most corporate accounts on LinkedIn are also identities in Google or Microsoft tenants, these business accounts are valuable targets. The same threat applies to other professional networks linked to identity providers.

A recent BleepingComputer article stated that attackers are increasingly using LinkedIn for phishing because it is an effective way to bypass traditional email security and directly target high-value employees. They report a significant 34% of phishing attacks occurring through non-email channels like social media.

From 2023 through 2025 LinkedIn‑phishing surged because the platform lets attackers contact senior professionals especially finance executives, board members and recruiters directly, sidestepping corporate email gateways. The most common bait is a seemingly legitimate “private board invitation” or “investment opportunity” that appears trustworthy.

SOC teams have no visibility into what occurs on LinkedIn. Messaging happens on mobile work devices, and there are no security tools to oversee malicious attempts other than LinkedIn's built-in protections. Anyone can contact an employee on LinkedIn via DMs and completely circumvent email phishing protection.

In response, LinkedIn has implemented several protective measures to combat phishing attempts, particularly in light of the rising threat from social media platforms. These measures aim to shield professionals and maintain the integrity of the platform.

In practice, the most effective protection comes from combining LinkedIn’s native account safeguards (2FA, account‑lockout alerts, verified‑profile badges, etc.) with endpoint or browser‑based anti‑phishing solutions that intercept malicious links the moment they are clicked.

This layered approach helps stop attackers who try to bypass traditional email‑security tools by delivering phishing payloads directly through LinkedIn DMs.

Yet this defense in depth is not always in place, and because LinkedIn DMs arrive on employees' work devices, organizations lack visibility into who is being targeted, cannot recall or quarantine the messages and have no rule-based way to block senders.

Consequently, defenses fall back to user training and manual URL blocking, which is ineffective against rapidly rotating phishing domains.

At the moment, LinkedIn‑based phishing campaigns are increasingly using Adversary‑in‑the‑Middle (AiTM) phishing kits. In this scenario, a LinkedIn DM contains a malicious link that redirects through several domains before landing on a fake login page (often masquerading as a Microsoft or “LinkedIn Cloud Share” portal).

That page runs an AiTM kit, which proxies the victim’s credentials and MFA token to the real service while simultaneously stealing them. By capturing the session cookie that the service issues after successful authentication, the attacker can later replay the authenticated session even after the user changes their password.

This technique allows the attacker to bypass traditional email‑security controls and MFA making LinkedIn DMs a potent vector for AiTM‑style phishing.

One of the most widely referenced Adversary‑in‑the‑Middle (AiTM) phishing kits is Evilginx3. It acts as a reverse‑proxy between the victim and the legitimate login site, forwarding the user’s credentials and the one‑time‑passcode (or MFA token) to the real service while silently capturing them for the attacker.

Other open‑source AiTM kits that operate on the same principle include Modlishka and Muraena, which have been bundled into commercial “Phishing‑as‑a‑Service” offerings and are frequently cited in threat reports.

More recent commercial Phishing-as-a-Service (PhaaS) kits such as Tycoon 2FA (first observed in the summer 2023) specifically target MFA flows on Microsoft and Google logins, again proxying the authentication process to steal both credentials and the MFA token. All of these kits enable attackers to turn a seemingly harmless LinkedIn DM link into a full‑session hijack.
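The defensive counterpart to the session-cookie theft described above is to look for the stolen session being replayed. The following is an added example (not code from the post or from any of the kits it names) that runs two detections over a constructed sign-in log: a session used from a different IP and user agent than the device that passed MFA, and a session issued before a password change that keeps working afterwards. Event fields and user names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Event:
    ts: datetime
    kind: str                   # "signin" (interactive, MFA passed), "activity" or "password_change"
    user: str
    session: Optional[str] = None
    ip: Optional[str] = None
    ua: Optional[str] = None


# Constructed sample sign-in log (not real data): alice completes MFA from her laptop, her
# session cookie is then replayed from another host and keeps working after she changes her password.
SAMPLE = [
    Event(datetime(2025, 11, 27, 9, 0), "signin", "alice", "s-1", "198.51.100.7", "Chrome/Windows"),
    Event(datetime(2025, 11, 27, 9, 5), "activity", "alice", "s-1", "198.51.100.7", "Chrome/Windows"),
    Event(datetime(2025, 11, 27, 9, 40), "activity", "alice", "s-1", "203.0.113.9", "Firefox/Linux"),
    Event(datetime(2025, 11, 27, 10, 0), "password_change", "alice"),
    Event(datetime(2025, 11, 27, 10, 30), "activity", "alice", "s-1", "203.0.113.9", "Firefox/Linux"),
    Event(datetime(2025, 11, 27, 9, 10), "signin", "bob", "s-2", "192.0.2.4", "Safari/macOS"),
    Event(datetime(2025, 11, 27, 9, 20), "activity", "bob", "s-2", "192.0.2.4", "Safari/macOS"),
]


def detect_session_replay(events: List[Event]) -> List[str]:
    """Two indicators of a stolen session cookie:
    (a) a session used from a different IP *and* user agent than the device that passed MFA;
    (b) a session issued before the user's password change that is still active afterwards
        (the identity provider did not revoke it). Returns one finding per hit, in time order."""
    origin = {}       # session id -> (ip, ua, issued_at) recorded at the interactive sign-in
    pw_changed = {}   # user -> timestamp of the latest password change seen so far
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "signin":
            origin[e.session] = (e.ip, e.ua, e.ts)
        elif e.kind == "password_change":
            pw_changed[e.user] = e.ts
        elif e.kind == "activity" and e.session in origin:
            ip, ua, issued = origin[e.session]
            if e.ip != ip and e.ua != ua:
                findings.append(f"{e.ts:%H:%M} {e.user}: session {e.session} replayed from {e.ip} ({e.ua})")
            if e.user in pw_changed and issued < pw_changed[e.user]:
                findings.append(f"{e.ts:%H:%M} {e.user}: session {e.session} still valid after password change")
    return findings


if __name__ == "__main__":
    for line in detect_session_replay(SAMPLE):
        print(line)
```

In a real tenant the same rules would run over the identity provider's sign-in and audit logs, and the second finding is the cue to revoke refresh tokens and sessions, not just to reset the password.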

Other non-email phishing techniques (non-exhaustive)

Outside LinkedIn, attackers are increasingly using malvertising, as seen with groups such as Scattered Spider who distribute malware and credential-harvesting URLs through Google Ads.

QR Code Phishing (Quishing) is increasingly prevalent because it bypasses traditional email link scanners. Attackers send a QR code via a message or physical posters (or flyers) often with a lure like a WiFi login or package tracking update, which directs the user to a sophisticated phishing page designed to steal credentials and bypass multi-factor authentication.

Corporate instant-messaging platforms such as Slack and Microsoft Teams are also being abused, particularly when cross-tenant communication is enabled. Similarly, public communities on platforms like WhatsApp, Reddit and Telegram are frequent targets for phishing lures.

Vishing & Fake Voicemail Alerts leverage urgency and authority. With this technique, scammers send SMS or email alerts claiming the user has a new voicemail by impersonating a known service or executive. Clicking the link leads to a credential-harvesting site, while more advanced attacks may use AI-powered voice clones to add a layer of convincing realism and pressure the victim into taking immediate action.

SMS Phishing (Smishing) with AitM Kits: SMS was mentioned above in the context of voicemail alerts, but it is a massive channel on its own. The same advanced AitM kits like Tycoon 2FA are being distributed via SMS with lures related to package delivery, bank fraud alerts or postal service messages, directly targeting personal and corporate phones.

SaaS Notification Poisoning exploits the trust users place in their everyday business applications. Criminals send fake security alerts or mandatory update notices that appear to come from platforms like WordPress, Salesforce or Workday. These highly tailored lures trick employees into clicking a link that leads to a malicious login page and seamlessly steals their corporate credentials.

File-Sharing & Collaboration Phishing: This is a natural extension of the SaaS notification poisoning trend. Attackers are abusing legitimate cloud storage services (Google Drive, OneDrive or Dropbox) to host their phishing pages or malicious documents. The link sent to the victim points to a trusted domain and makes it very hard for filters to block outright.

MFA‑fatigue attacks bombard a user’s authenticator with many push‑approval requests, causing annoyance and prompting a quick “Approve” without verification. This lets attackers capture the one‑time code and bypass MFA. This can be mitigated by limiting push frequency, using risk‑based checks and training a workforce to reject unexpected prompts.
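The "limit push frequency" mitigation above can be made concrete with a sliding-window guard in front of the push factor. This is an added example with an assumed policy (not any vendor's implementation or API): prompts per user are capped within a window, a user's "Deny" counts double because an unexpected denied prompt is the clearest fatigue signal, and once the cap is hit the push factor is locked and an alert is raised instead of sending more prompts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class PushGuard:
    """Sliding-window limiter for push-MFA prompts (assumed policy, not a vendor's API).
    At most `max_pushes` weighted prompts per user within `window`; beyond that the push
    factor is locked for `lockout` and an alert is queued for the SOC. A user pressing
    'Deny' adds `denial_weight` to the window, so denials trip the lock sooner."""

    def __init__(self, max_pushes=4, window=timedelta(minutes=10),
                 lockout=timedelta(hours=1), denial_weight=2):
        self.max_pushes, self.window, self.lockout = max_pushes, window, lockout
        self.denial_weight = denial_weight
        self.history = defaultdict(deque)   # user -> deque of (timestamp, weight)
        self.locked_until = {}              # user -> time the lock expires
        self.alerts = []                    # messages a SIEM would ingest

    def _window_weight(self, user, now):
        hist = self.history[user]
        while hist and now - hist[0][0] > self.window:   # drop entries older than the window
            hist.popleft()
        return sum(w for _, w in hist)

    def request_push(self, user, now):
        """Decide whether a login attempt may trigger a push prompt: 'send' or 'locked'."""
        if now < self.locked_until.get(user, now):
            return "locked"
        if self._window_weight(user, now) >= self.max_pushes:
            self.locked_until[user] = now + self.lockout
            self.alerts.append(f"{now:%H:%M} push-fatigue pattern for {user}: factor locked, verify out of band")
            return "locked"
        self.history[user].append((now, 1))
        return "send"

    def record_response(self, user, now, approved):
        """Record the user's answer; a denial weighs more than a plain prompt."""
        if not approved:
            self.history[user].append((now, self.denial_weight))


# Constructed scenario (not real data): someone holding alice's password triggers three pushes
# in three minutes, alice denies the third, and the guard locks the factor instead of sending more.
def run_sample():
    guard = PushGuard()
    t = datetime(2025, 11, 27, 9, 0)
    decisions = [guard.request_push("alice", t + timedelta(minutes=m)) for m in (0, 1, 2)]
    guard.record_response("alice", t + timedelta(minutes=2, seconds=30), approved=False)
    decisions += [guard.request_push("alice", t + timedelta(minutes=m)) for m in (3, 4)]
    return decisions, guard.alerts
```

Without the denial, the fourth prompt at 09:03 would still have been sent under this policy; the extra weight of a "Deny" is what turns the user's reaction into an automatic lock.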

API Credential Harvesting and Exploitation: Attackers may use social engineering tactics to trick users into providing sensitive API credentials or tokens. Example: An attacker gains access to publicly exposed API tokens through a GitHub repository or an unsecured API endpoint. They use these tokens to impersonate legitimate users, conduct phishing campaigns and send malicious links that appear to come from trusted sources.

The bottom line for cloud-native organizations is that the most dangerous threat is the combination of both Phishing and Social Engineering. When an organization keeps nearly all of its assets, identities, workloads and business operations in the cloud, attackers focus heavily on identity compromise.

In a cloud-first environment, identity is thus the new defense perimeter. This means that any technique that compromises credentials, tokens and access flows becomes extremely powerful and also extremely damaging.

Web 2.0 considerations in Phishing trends and cybersecurity

Distributing trust to neutralize phishing. The Web 2.0’s centralized model is one huge cause of modern phishing. A solution is an architectural shift towards Web 3.0 distribution. Image by Arianee

Web 2.0 is characterized by user-generated content, interactivity and the rise of social networking platforms. These features create fertile ground for phishing attacks, utilizing many of the conveniences and connections that define user experiences today.

Not only does Web 2.0 add a unique layer of risk in the realm of phishing attacks and security at large, but it also leads to a more closed web where Internet users have to create accounts to access various services.

While account creation can enhance user experience and personalization, it also exposes people to many kinds of vulnerabilities. The core idea is that the modern phishing landscape is not a random collection of new tricks but rather a direct and predictable consequence of the Web 2.0 architecture, because the model's dynamics are inherently weaponizable.

Here, we explore how this trend increases the phishing threat landscape.

  • Interactivity becomes Infiltration: Rich channels like social feeds and instant messaging embed threats (e.g., QR codes, malicious links) within a context of inherent trust which bypasses the skepticism applied to email.
  • APIs become Attack Vectors: The APIs that power integration and automation are abused to distribute lures at scale, orchestrate MFA-fatigue attacks and overwhelm human vigilance.
  • The Social Graph becomes a Targeting Database: The interconnected web of relationships provides attackers with the personalization data needed to craft credible lures.
  • Real-Time Systems become Harassment Engines: Notification systems designed for engagement are twisted into channels for persistent psychological attacks.

Summary table of the Web2.0 weaponization concept. Generated by Duck.ai.

The interplay between Web 2.0’s inherent dynamics and the rise of commoditized attack kits like Tycoon 2FA leads to one inescapable conclusion: the traditional security perimeter is not just weakened; it is utterly obsolete.

The fortress walls have been replaced by a cloud-native world where identity is the only meaningful perimeter. This fundamental shift dictates a corresponding evolution in defense strategy. We can no longer prevent threats from reaching users; we must build systems that are resilient to compromise.

So what is next and how do we build something more resilient?

Do not fight or fix an inherently broken system. Replace or circumvent it wherever possible.

The most effective path to resilience is not in patching a broken system but in building a new one with security as a first principle. In other words, a path forward is not to fix the leaky boat of Web 2.0 security but to build a brand new vessel.

Web 3.0’s architecture offers this potential by inverting the fundamental trust model of Web 2.0. The cybersecurity paradigm shifts to building a system that cannot be “phished” in the traditional sense. So the goal is to architect a system where the primary attack vectors of Web 2.0 are logically impossible.

The philosophy of “replace, don’t repair” should be executed with precision. Here is how:

1. Build the Un-phishable Identity Layer First

  • Core Action: Prioritize the development and adoption of Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). This is the foundational layer. A user should have a single, self-sovereign identity that can interact with any dApp (decentralized application) without creating a new account and password.
  • Resilience Gain: It severs the link between service compromise and identity compromise.

2. Engineer Friction for Safety (Not Just for Access)

  • Core Action: Design wallets and dApp interfaces that make transaction intent unambiguous. Instead of a vague “Sign this message,” the UI must display in plain language: “You are approving a transfer of 10 ETH to address 0x…”.
  • Resilience Gain: This counters social engineering by forcing clarity. Advanced systems could also include reputation scores for smart contracts to warn users before interacting with a known malicious dApp.

3. Make “Trustlessness” the Default

  • Core Action: Build systems that do not require users to trust a central operator of any sort. Instead, use zero-knowledge proofs (ZKPs) to allow users to prove claims (e.g., “I am over 18”) without revealing their underlying data (their birthdate).
  • Resilience Gain: It minimizes the data footprint and eliminates the risk of a central database being breached. Privacy and security become two sides of the same coin.

4. Decentralize and Distribute the Infrastructure Itself

  • Core Action: Monocultures are fragile. Move beyond centralized RPC providers (like Infura) and centralized front-ends. Support projects building decentralized hosting (e.g., IPFS, Arweave) and peer-to-peer networking.
  • Resilience Gain: It removes single points of failure. Taking down a service becomes exponentially harder if it has no central server to attack.

A sound bottom line

By architecting a web where identity is sovereign, consent is explicit and infrastructure is distributed, we can benefit from a system where the most devastating phishing attacks of today (credential harvesting, session hijacking and MFA bypass) are simply no longer possible.

The end goal is to build a web that is no longer held hostage by the inherent vulnerabilities of Web 2.0 and the occasional stumbles of its centralized platforms and that improves the performance and usability that people expect.

In that regard, the future is not a sudden revolution but a pragmatic evolution towards a hybrid and heterogeneous web. We must therefore strategically use decentralized protocols for critical functions like identity and data sovereignty, while leveraging the performance of centralized giants where necessary. Eventually these “too big to fall” giants will either be replaced or will adapt to the emerging paradigm.

About Me

I am a Blue Team SecOps analyst in the FinTech insurance sector. My focus is on safeguarding sensitive assets by applying threat-informed defense strategies and ensuring strict adherence to industry standards (e.g., ISO 27001, ISO27701, NIST).
