Slashdot Mirror


New Tool Automates Phishing Attacks That Bypass 2FA (zdnet.com)

A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). From a report: Named Modlishka -- the English pronunciation of the Polish word for mantis -- this new tool was created by Polish researcher Piotr Duszynski. Modlishka is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations. It sits between a user and a target website -- like Gmail, Yahoo, or ProtonMail. Phishing victims connect to the Modlishka server (hosting a phishing domain), and the reverse proxy component behind it makes requests to the site it wants to impersonate. The victim receives authentic content from the legitimate site -- let's say, for example, Google -- but all traffic and all the victim's interactions with the legitimate site pass through and are recorded on the Modlishka server.

6 of 121 comments

  1. Highlights the importance of HTTPS and HSTS header by fuzzyf · Score: 2

    This just highlights the importance of HTTPS and Strict Transport Security Header.
    Preloaded HSTS would require the attacker to install a root certificate on the victim's computer or compromise an already existing one.

    If you have that amount of control you can do far more than bypass 2FA.
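fuzzyf's point is that a preloaded HSTS policy leaves a proxy like this nothing to downgrade: the browser never sends plain HTTP and rejects a certificate that does not chain to a trusted root. The check below, an added example rather than anything from the thread or from Modlishka, parses a server's Strict-Transport-Security header and reports whether it is missing, malformed, short-lived, or strong enough to be submitted to the browser preload list. The eligibility thresholds (max-age of at least one year, includeSubDomains, preload) are the hstspreload.org requirements as I understand them and should be treated as an assumption; the sample responses are constructed.

```python
"""Evaluate Strict-Transport-Security headers against the preload bar.

Added example, not from the Slashdot thread. Thresholds follow the
hstspreload.org submission requirements as understood by the author of
this example (assumption): max-age >= one year, includeSubDomains, preload.
"""
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds (assumed preload threshold)


def parse_hsts(header_value):
    """Parse an HSTS header value into a dict of lower-cased directives.

    Directive names are case-insensitive and values may be quoted.
    Returns None when max-age is missing or not an integer, which makes
    the whole header invalid for browsers.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    directives["max-age"] = int(max_age)
    return directives


def evaluate_hsts(header_value):
    """Return (verdict, reasons) for one raw header value (None = header absent).

    verdict is one of "missing", "invalid", "weak", "strong", "preloadable".
    """
    if header_value is None:
        return "missing", ["no Strict-Transport-Security header: a plain-HTTP request can be intercepted"]
    d = parse_hsts(header_value)
    if d is None:
        return "invalid", ["max-age missing or not an integer; browsers ignore the header"]
    reasons = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        reasons.append("max-age below one year: policy expires quickly and is not preload-eligible")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains absent: subdomains may still be reached over plain HTTP")
    if "preload" not in d:
        reasons.append("preload absent: the very first visit is unprotected until the header is seen")
    if not reasons:
        return "preloadable", []
    return ("weak" if d["max-age"] < PRELOAD_MIN_MAX_AGE else "strong"), reasons


# Constructed sample: hostname -> header value observed in its HTTPS response.
SAMPLE_RESPONSES = {
    "legacy.example": None,
    "short.example": "max-age=300",
    "strong.example": "max-age=63072000; includeSubDomains",
    "preload.example": "max-age=63072000; includeSubDomains; preload",
    "broken.example": "includeSubDomains; preload",
}


def audit(responses):
    """Map each host to its HSTS verdict."""
    return {host: evaluate_hsts(value)[0] for host, value in responses.items()}


if __name__ == "__main__":
    for host, value in SAMPLE_RESPONSES.items():
        verdict, reasons = evaluate_hsts(value)
        print(f"{host:18} {verdict:12} {'; '.join(reasons)}")
```

In practice you would feed `evaluate_hsts` the header from a real response (for example `requests.get(url).headers.get("Strict-Transport-Security")`); only hosts rated `preloadable` get the protection fuzzyf describes, and even those are protected on the first visit only once the browser ships with them in its preload list.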

  2. I have the fix! by mark_reh · Score: 4, Funny

    3 factor authentication!

    It's the 7-minute abs of IT!

    1. Re:I have the fix! by bob4u2c · Score: 2

      3 Factors relate to the following categories:

      1. Something you know: username, password, PIN, etc.

      2. Something you have: token generator, cell phone, computer, etc.

      3. Something you are: your fingerprint, eye scan, hand geometry, voice print, etc.

      I often hear people say that using CAPTCHAs or having to answer 3 to questions are two factors, but those still fall under the first category, something you know. I also hear people say to use a fingerprint or something, since you can't fake that. The problem though is you can, and once exposed you can't change it. Cell phones are also a problem where sites will send you a token; often those tokens are sent in plain text.

      The issue of course is that all these boil down to some data the computer has to pass along. Your token is just a series of bits, your fingerprint is saved as a series of measurements and sent as bits, etc. These are all sent as part of the authentication request, all vulnerable to snooping.

      Your best bet is still a password and some one-time token generator. You may be able to intercept it, but once you can no longer snoop on my network I can log out and the token you snooped on won't work again.

  3. Re:Highlights the importance of HTTPS and HSTS hea by DarkOx · Score: 3, Insightful

    The problem HSTS does not solve, though, is if I can get you to click my link to http://g0ogle.com/ (ok, that one is taken, but you get the idea) or https://g0ogle.com/.

    HSTS won't let me MITM your request to http://google.copm/ and inject my own content (because it's plain text) or redirect you somewhere else, because your browser will ignore that you asked for HTTP and do HTTPS, and my cert won't pass muster. It will do nothing if I con you with a look-alike domain, which, thanks to those morons at LetsEncrypt, I can easily obtain a certificate for, gaining me a nice TLS connection that will appear secure in your browser and let me evade a lot of IPS systems and other protections on the network to serve up whatever malicious garbage I want.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  4. Re:Looks like a man in the middle attack by apoc.famine · Score: 2

    Didn't read the summary, eh?

    All of the MITM work has been done. You just snag the github code, deploy it on a server, tell it a URL to impersonate, and then get people to go to that server. It's script-kid ready. You don't need to know how to code to deploy this. You don't even really need to know much about how the internet works.

    Of course, the more you understand, the more effective this could be. There are enough dumbasses out there that if they click to a page that's identical to the one they are looking for, despite the URL being wrong, they will still log in. Everything else that you could do to make the URL look better just ups the number of people that might log in.

    The hard work is done. It's basically a MITM app that you deploy and feed a URL, and you're up and running.

    --
    Velociraptor = Distiraptor / Timeraptor
  5. Re:Useful tool, but you still have to get past PKI by DarkOx · Score: 2, Informative

    Except that I am not going to hijack slashdot.org; I am going to attempt to con you into going to slashdit.org instead, which I will proxy to slashdot.org's login page so you don't think anything is wrong. You will most likely go ahead and authenticate (and I'll sniff the cookies along the way). I know you won't give the URL a second look either, because thanks to Google nobody displays address bars anymore. So if you click my initial link I totally own you.

    Oh, and my site will have TLS and a valid certificate too, because LetsEncrypt is completely irresponsible and will robo-sign any domain you control even if it's a totally obvious look-alike phishing domain.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
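Both of DarkOx's comments (3 and 5) rest on the same observation: HSTS and a valid certificate say nothing about whether g0ogle.com, google.copm or slashdit.org is the site the user meant. On the defending side that is a detection problem, and the usual first pass is to compare every hostname seen in DNS, proxy or certificate-transparency logs against the brands you protect. The script below is an added example, not code from the thread or from Modlishka: it folds common character substitutions, measures edit distance against a constructed list of protected domains, and flags hosts that embed a brand name as a token. The protected list, the observed hostnames and the small homoglyph table are all constructed for illustration, and the `registrable()` helper assumes single-label public suffixes (no co.uk-style suffixes), which is an assumption a real deployment would replace with a public-suffix library.

```python
"""Flag look-alike (typosquat / homoglyph) hostnames seen in logs.

Added example, not from the Slashdot thread. PROTECTED, OBSERVED and the
HOMOGLYPHS table are constructed for illustration; HOMOGLYPHS is a small
hand-picked subset, not a complete confusables list.
"""

PROTECTED = ["google.com", "slashdot.org"]  # constructed: domains we defend

# Common ASCII substitutions used in typosquats (constructed subset).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(text):
    """Fold look-alike characters to the letters they imitate."""
    text = text.lower()
    for fake, real in HOMOGLYPHS:
        text = text.replace(fake, real)
    return text


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a hostname (assumes single-label public suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host, protected=PROTECTED, max_distance=2):
    """Return (verdict, brand) for one observed hostname.

    "legitimate": registrable part is exactly a protected domain.
    "lookalike":  within max_distance edits of a brand after homoglyph
                  folding, or the brand's name appears inside the host
                  (e.g. login.google.com.evil.example).
    "unrelated":  nothing matched.
    """
    reg = registrable(host)
    for brand in protected:
        if reg == brand:
            return "legitimate", brand
    best = None
    folded_reg = normalize(reg)
    folded_host = normalize(host)
    for brand in protected:
        brand_sld = brand.split(".")[0]
        # Compare both the full registrable domain (catches google.copm)
        # and the second-level label alone (catches slashdit.org vs slashdot).
        d = min(levenshtein(folded_reg, brand),
                levenshtein(folded_reg.split(".")[0], brand_sld))
        if brand_sld in folded_host:  # brand embedded as a token elsewhere
            d = 0
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, brand)
    return ("lookalike", best[1]) if best else ("unrelated", None)


# Constructed sample of hostnames as they might appear in resolver logs.
OBSERVED = ["google.com", "accounts.google.com", "g0ogle.com", "google.copm",
            "slashdit.org", "login.google.com.evil.example", "example.net"]


def scan(hosts):
    """Classify every host; returns a list of (host, verdict, brand)."""
    return [(h, *classify(h)) for h in hosts]


if __name__ == "__main__":
    for host, verdict, brand in scan(OBSERVED):
        print(f"{host:32} {verdict:11} {brand or ''}")
```

Substring matching on short brand names will over-trigger (a brand called "app" matches everything), so in a real pipeline the token rule is best restricted to brand names of a reasonable length and the results routed to a blocklist or an alert rather than acted on automatically.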