New tool automates phishing attacks that bypass 2FA

Trust in two-factor authentication has slowly eroded in the last month after release of Amnesty International report and Modlishka tool.
Written by Catalin Cimpanu, Contributor
Image: Piotr Duszyński

A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA).

Named Modlishka --the English pronunciation of the Polish word for mantis-- this new tool was created by Polish researcher Piotr Duszyński.

Modlishka is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations.


Image: Wikimedia Commons

It sits between a user and a target website --like Gmail, Yahoo, or ProtonMail. Phishing victims connect to the Modlishka server (hosting a phishing domain), and the reverse proxy component behind it makes requests to the site it wants to impersonate.

The victim receives authentic content from the legitimate site --let's say for example Google-- but all traffic and all the victim's interactions with the legitimate site passes through and is recorded on the Modlishka server.


Modlishka backend panel

Image: Piotr Duszyński

Any passwords a user may enter, are automatically logged in the Modlishka backend panel, while the reverse proxy also prompts users for 2FA tokens when users have configured their accounts to request one.

If attackers are on hand to collect these 2FA tokens in real-time, they can use them to log into victims' accounts and establish new and legitimate sessions.

The video below shows how a Modlishka-powered phishing site that seamlessly loads content from the real Google login interface without using templates, and logs credentials and any 2FA code that a user might be seeing.

Because of this simple design, Modlishka doesn't use any "templates," a term used by phishers to describe clones of legitimate sites. Since all the content is retrieved from the legitimate site in real time, attackers don't need to spend much time updating and fine-tuning templates.

Instead, all attackers need is a phishing domain name (to host on the Modlishka server) and a valid TLS certificate to avoid alerting users of the lack of an HTTPS connection.

The final step would be to configure a simple config file that unloads victims onto the real legitimate sites at the end of the phishing operation before they spot the sketchy-looking phishing domain.

In an email to ZDNet, Duszyński described Modlishka as a point-and-click and easy-to-automate system that requires minimal maintenance, unlike previous phishing toolkits used by other penetration testers.

"At the time when I started this project (which was in early 2018), my main goal was to write an easy to use tool, that would eliminate the need of preparing static webpage templates for every phishing campaign that I was carrying out," the researcher told us.

"The approach of creating a universal and easy to automate reverse proxy, as a MITM actor, appeared to be the most natural direction. Despite some technical challenges, that emerged on this path, the overall result appeared to be really rewarding," he added.

"The tool that I wrote is sort of a game changer, since it can be used as a 'point and click' proxy, that allows easy phishing campaign automation with full support of the 2FA (an exception to this is a U2F protocol based tokens - which is currently the only resilient second factor).

"There are some cases that require manual tuning (due to obfuscated JavaScript code or, for example, HTML tag security attributes like ‚integrity'), but these are fully supported by the tool and will also be improved in the future releases," Duszyński told ZDNet.

An Amnesty International report released in December showed that advanced state-sponsored actors have already started using phishing systems that can bypass 2FA already.

Now, many fear that Modlishka would reduce the entry barrier to allow so-called "script kiddies" to set up phishing sites within minutes, even with far fewer technical skills required. Furthermore, this tool would allow cyber-crime groups to easily automate the creation of phishing pages that are easier to maintain and harder to detect by victims.

When we asked why he released such a dangerous tool on GitHub, Duszyński had a pretty intriguing answer.

"We have to face the fact that without a working proof of concept, that really proves the point, the risk is treated as theoretical, and no real measures are taken to address it properly," he said.

"This status quo, and lack of awareness about the risk, is a perfect situation for malicious actors that will happily exploit it."

Duszyński said that while his tool can automate the process of a phishing site passing through 2FA checks based on SMS and one-time codes, Modlishka is inefficient against U2F-based schemes that rely on hardware security keys.

Modlishka is currently available on GitHub under an open source license. Additional information is also available on Duszyński's blog.

Cybercrime and malware, 2019 predictions

More cybersecurity news:

Editorial standards