New Tool Automates Phishing Attacks That Bypass 2FA (zdnet.com)
A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). From a report: Named Modlishka -- the English pronunciation of the Polish word for mantis -- this new tool was created by Polish researcher Piotr Duszynski. Modlishka is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations. It sits between a user and a target website -- like Gmail, Yahoo, or ProtonMail. Phishing victims connect to the Modlishka server (hosting a phishing domain), and the reverse proxy component behind it makes requests to the site it wants to impersonate. The victim receives authentic content from the legitimate site -- let's say for example Google -- but all traffic and all the victim's interactions with the legitimate site pass through and are recorded on the Modlishka server.
you need to control DNS at the point of end user connection like with ... HOSTFILES :)
This just highlights the importance of HTTPS and Strict Transport Security Header.
Preloaded HSTS would require the attacker to install a root certificate on the victim's computer or compromise an already existing one.
If you have that amount of control you can do far more than bypass 2FA.
I think the more amusing question would be: is it really true that you would need to do at least one of those things to succeed in attacking? I would say it depends on the messaging throughout of legitimate traffic and attacker traffic. Any system is hackable if you give it enough time, but maybe there isn't so much time in most lab testing scenarios for a variety of reasons.
Useful tool for recording unencrypted traffic, but for anything that matters these days you have to find a way to present matching and trusted certificate.
For example, when connecting to /. my browser will check the DNS record (i.e. slashdot.org) against an identifier in the X.509 certificate (i.e. SAN contains slashdot.org). While the DNS lookup could be hijacked, there is no way to hijack the certificate without getting hold of a private key. If you simply proxy it, then you would only see encrypted traffic. If you substitute some other certificate, then you will have to get past browser certificate checks.
3 factor authentication!
It's the 7-minute abs of IT!
Create one!
This seems like it should be easy to defeat. Acting as a portal ought to come with some sort of detectable signature. A few extra ms, routing abnormalities?
You don't need HSTS if you pay attention or browser warns you about submitting credentials over unencrypted** connection.
** In this case, it is certificate-based authentication, a different technology from encryption, that helps to definitively establish the identity of the server as part of the TLS handshake that saves your bacon, but the entire process is colloquially known as encryption.
"an ease never seen before" >>> https://en.wikipedia.org/wiki/...
Modlishka is what IT professionals call a reverse proxy
A classic man-in-the-middle attack. If you control the network between the client and server, being able to snoop on 2FA is the least of your worries. Using SSL might help, but if your DNS is compromised as well then you're out of luck.
As a developer I use a reverse proxy whenever I need to view data being exchanged between different tiers of an application. Using SSL makes it harder, but there are ways of generating fake certs and using DNS to mask where they really came from.
Again, if someone is able to inject themselves into your network you have much bigger problems.
Not sure why it needs a new name or what is really new.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The problem HSTS does not solve though is if I can get you to click my link to http://g0ogle.com/ (ok that one is taken but you get the idea) or https://g0ogle.com/.
HSTS won't let me MITM your request to http://google.copm/ and inject my own content (because it's plain text) or redirect you somewhere else, because your browser will ignore that you asked for HTTP and do HTTPS, and my cert won't pass muster. It will do nothing if I con you with a look-alike domain. Which, thanks to those morons at LetsEncrypt, I can easily obtain a certificate for, gaining me a nice TLS connection that will appear secure in your browser and let me evade a lot of IPS systems and other protections on the network to serve up whatever malicious garbage I want.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Except that I am not going to hijack slashdot.org; I am going to attempt to con you into going to slashdit.org instead. Which I will proxy to slashdot.org's login page so you don't think anything is wrong. You will most likely go ahead and authenticate (and I'll sniff the cookies along the way). I know you won't give the URL a second look either, because thanks to Google nobody displays address bars anymore. So if you click my initial link I totally own you.
Oh, and my site will have TLS and a valid certificate too, because LetsEncrypt is completely irresponsible and will robo-sign any domain you control even if it's a totally obvious look-alike phishing domain.
not mind seeing malicious hacking become a death sentence. Ditto rape, child molestation, selling drugs to minors, and many others.
Sorry, but hacking is not as "ditto" simple as the other crimes you list here. Rape, child molestation, and selling drugs all usually require concrete physical evidence. I'm not going to face a fucking firing squad because some script kiddie was smart enough to spoof MY IP address when committing an electronic crime. And I'm not about to rely on some dinosaur judge rapping the gavel of fate to understand what IP spoofing is, and why I'm innocent. Fuck that legal nightmare.
A good password manager won't fill your google.com user ID and password into a g00gle.com web page. (I know LastPass won't; I'd assume others would balk at this, too.)
That is not entirely accurate.
The browser will stop you from clicking a submit button on a form, but nothing stops an attacker from using XMLHttpRequests (ajax, back in the day) to pass credentials. The button could then be wired up to just do a regular HTTP GET.
There is that term again. He released a tool publicly to actively break security via MITM phishing. This is not how anyone serious about security would act. Call him a script-kiddie enabler.
That really depends. If you can compromise the browser or browser cache but nothing else, there is still value where you can modify DNS and/or root CA but still not record keystrokes and clicks (since some browsers *cough* Chrome *cough* now resolve independently from the OS/network).
The attacker presents a login dialog to the user, and forwards that info to a genuine session.
The attacker presents a 2 factor dialog to the user, and forwards that info to a genuine session.
The attacker wins.
For bonus points, the attacker presents a second 2 factor dialog to the user, the user complies thinking they typed the code in wrong or the code timed out. The attacker uses that 2nd code to disable the 2 factor requirement on the account.
The attacker only needs to get a bit of malware on your box to install bogus certs / fuck your DNS.
"If they get malware onto your box, they've already won!" Until you clean the malware, use a different box, change a password, or they need another code from your dongle / phone / etc.
The main defense against this type of attack was that most people wouldn't be high value targets, so the phishing pages were merely storing credentials for later use (or sale). With expired codes from a dongle, app, or phone, those credentials are somewhat useless. (You can use them to scare the victim later in a ransom scheme, try to socially engineer an attack saying you lost the phone / dongle / whatever, try those same credentials elsewhere hoping they were reused, etc.)
Automating the full attack means that the code a user types in is used while it's still valid, and the attackers win. Without automation through to the end, only a high value target (or someone incredibly unlucky) would have an attacker actively watching and waiting to use one of those codes before it expired.
A defense against this, which never gained much traction unfortunately, is certificate pinning.
Fuck it. We're going to five factors.
Sure, we could go to 3 factors next, like the competition. That seems like the logical thing to do. After all, two worked out pretty well, and three is the next number after two. So let's play it safe. Why innovate when we can follow? Oh, I know why: Because we're a business, that's why!
Which any decent website will block due to weird traffic from set of ips or by behaviour blocking?
Am I missing something ?
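As an added example (not from the thread and not Modlishka's code), here is defender-side detection logic for the relay flow described above and for the "weird traffic from a set of IPs" point: a relay proxy terminates every victim's session from its own address, so the real site sees many distinct accounts authenticating from one IP in a short window, possibly with an Origin header on the look-alike domain. The log lines, the expected origin and the thresholds are constructed assumptions; since a relay can rewrite the Origin header before forwarding, the per-IP fan-out is the sturdier of the two signals.

```python
"""Flag relay (reverse-proxy) phishing from a web app's login log.

Constructed sample data: time, client IP, account, result, Origin header.
Assumed expected origin and thresholds; tune them for a real site.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SAMPLE_LOG = """\
2019-01-10T09:00:01Z 198.51.100.7 alice LOGIN_OK https://mail.example.com
2019-01-10T09:00:15Z 203.0.113.5 bob LOGIN_OK https://mail.example.com
2019-01-10T09:02:40Z 198.51.100.7 carol LOGIN_OK https://mail.exarnple.com
2019-01-10T09:03:10Z 198.51.100.7 dave LOGIN_OK https://mail.exarnple.com
2019-01-10T09:03:55Z 198.51.100.7 erin LOGIN_OK https://mail.example.com
2019-01-10T09:04:20Z 192.0.2.9 frank LOGIN_OK https://mail.example.com
2019-01-10T10:30:00Z 198.51.100.7 grace LOGIN_OK https://mail.example.com
"""
EXPECTED_ORIGIN = "mail.example.com"  # assumed: the host we actually serve


def parse_log(text):
    """Return sorted (timestamp, ip, account, origin_host) for successful logins."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result, origin = line.split()
        if result != "LOGIN_OK":
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, account, urlsplit(origin).hostname))
    return sorted(events)


def suspicious_sources(text, window=timedelta(minutes=10), max_accounts=3):
    """Map source IP -> {reasons, accounts, origins} for IPs worth reviewing."""
    by_ip = defaultdict(list)
    for when, ip, account, origin in parse_log(text):
        by_ip[ip].append((when, account, origin))
    findings = {}
    for ip, events in by_ip.items():
        reasons, accounts, origins = set(), set(), set()
        # Credentials posted while the browser sat on a domain we do not own.
        for _, _, origin in events:
            if origin != EXPECTED_ORIGIN:
                reasons.add("foreign_origin")
                origins.add(origin)
        # Sliding window: one relay address funnels many victims' logins.
        for i, (start, _, _) in enumerate(events):
            seen = {a for t, a, _ in events[i:] if t - start <= window}
            if len(seen) > max_accounts:
                reasons.add("many_accounts")
                accounts |= seen
        if reasons:
            findings[ip] = {"reasons": sorted(reasons),
                            "accounts": sorted(accounts),
                            "origins": sorted(origins)}
    return findings
```

Running `suspicious_sources(SAMPLE_LOG)` flags only 198.51.100.7 (four accounts inside ten minutes and two submissions from a look-alike origin); the 10:30 login from the same address falls outside the window and is not counted.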
>The West has grown very soft when it comes to crime
Have you SEEN our incarceration statistics? I mean, "for-profit prison industry" is pretty self-explanatory.
The only thing self explanatory about a for-profit prison system is the profit part. Prioritizing criminals to be incarcerated for life instead of championing the death sentence when justified IS a sign of going soft on crime. We may be known as the Incarcerated States of America, but that sure as hell doesn't equate to a country with exceedingly low crime rates. That for-profit criminal system we have isn't deterring jack shit. Hell, it's viewed by many as a place where you can get three square meals a day and a place to sleep, so bringing forth incarceration numbers is essentially meaningless when talking about how "hard" we are on crime. Even those awaiting a death sentence can enjoy decades of life behind bars, which tends to make "death" row a joke.
A letter by post with more code on it?
A CC-sized device with an LCD display using a time-limited code sent by post?
Domestic spying is now "Benign Information Gathering"
“Named Modlishka .. this new tool .. is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations”
Didn't a reverse proxy turn up in eps1.3__da3m0ns.mp4 of Mr Robot?
I think you got it all wrong with Let's Encrypt. Google could shut down the project overnight by revoking their root certificate. Microsoft, Firefox and Apple would soon follow. Yet, they haven't done so. I know the GP said mostly the same thing, but it is worth repeating: CAs are not trustworthy. If they make it difficult or inconvenient to get a certificate, their clients will simply flock to another CA which is more accommodating. Symantec once was one of the biggest CAs, and it took years of abuse before Google and Mozilla finally decided to revoke their root certificate.
(Posting anonymously because I'm on my phone without my password to log on.)
Neat idea, I have seen tools like that a few times a few years back. One other tool has a cute and fitting name for this relay proxy idea. It's called KoiPhish lol: https://github.com/wunderwuzzi...
The CAs were never dependable, but the for-profit CAs never made the problem this bad:
https://it.slashdot.org/story/...
Basically LE took what was already a problematic and dubious trust system and cranked the problems up to 11. Analogy: buying stuff from some guy on the street vs. buying stuff from someone who is legally incorporated. Of course anyone can incorporate; it doesn't take much effort or prove much, but it takes some effort and means you at least have an address on file. It's a weak check, but it's 'something'. LE took that 'something' out of the signed SSL cert process.
I stand by my comments that LE does nothing useful. In fact it is probably negative for security, because it replaces cases where people would have used a self-signed cert and verified the thumbprint over another channel. So it has, if anything, reduced the degree of authentication occurring. As far as just preventing eavesdropping when you don't know or trust the remote party anyway, their certs offer exactly nothing over a self-signed one. Basically they just get around the "scare screens" when 99% of the sites using LE certs are really the ones you should be afraid of!
You're better off using the password manager in Chrome in my opinion; it even generates strong passwords now. LastPass has had several important security issues in the past few years.
Really? (google, google) Nope. Nothing I hadn't seen before, nothing really major, and all addressed very quickly when discovered. If I had a trivial master password, it might be an issue, but I don't.