New Tool Automates Phishing Attacks That Bypass 2FA (zdnet.com)
A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). From a report: Named Modlishka -- the English pronunciation of the Polish word for mantis -- this new tool was created by Polish researcher Piotr Duszynski. Modlishka is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations. It sits between a user and a target website -- like Gmail, Yahoo, or ProtonMail. Phishing victims connect to the Modlishka server (hosting a phishing domain), and the reverse proxy component behind it makes requests to the site it wants to impersonate. The victim receives authentic content from the legitimate site -- let's say, for example, Google -- but all traffic and all the victim's interactions with the legitimate site pass through and are recorded on the Modlishka server.
3 factor authentication!
It's the 7-minutes abs of IT!
The problem HSTS does not solve though is if I can get you to click my link to http://g0ogle.com/ (ok that one is taken but you get the idea) or https://g0ogle.com/.
HSTS won't let me MITM your request to http://google.com/ and inject my own content (because it's plain text) or redirect you somewhere else, because your browser will ignore that you asked for HTTP and do HTTPS, and my cert won't pass muster. It will do nothing if I con you with a look-alike domain. Which, thanks to those morons at LetsEncrypt, I can easily obtain a certificate for, gaining me a nice TLS connection that will appear secure in your browser and let me evade a lot of IPS systems and other protections on the network to serve up whatever malicious garbage I want.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
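A defender-side check for the look-alike case the comment above describes (g0ogle.com carrying a valid certificate), as an added example that is not part of the original thread. The watch list, the swap map and the "last two labels" rule for the registrable domain are assumptions made for illustration.

```python
import unicodedata

# Assumed watch list: domains of the sites named in the story.
PROTECTED = ("google.com", "protonmail.com", "yahoo.com")
# Constructed, deliberately small map of digit-for-letter swaps.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(name):
    """Fold a hostname to a comparison form: NFKC, lower-case, undo swaps."""
    name = unicodedata.normalize("NFKC", name).lower()
    return name.translate(SWAPS).replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Optimal string alignment: edits plus adjacent transpositions."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(host):
    """Return (verdict, protected_name or None) for one observed hostname."""
    host = host.strip().rstrip(".").lower()
    for name in PROTECTED:
        if host == name or host.endswith("." + name):
            return ("legitimate", name)
    # Assumption: registrable domain = last two labels (no public suffix list).
    reg = skeleton(".".join(host.split(".")[-2:]))
    for name in PROTECTED:
        if reg == skeleton(name):
            return ("homoglyph", name)   # identical once swaps are undone
        if osa_distance(reg, skeleton(name)) <= 1:
            return ("typo", name)        # one edit or transposition away
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in proxy or DNS logs.
    for h in ["accounts.google.com", "g0ogle.com", "gogole.com", "example.org"]:
        print(h, classify(h))
```

A check like this belongs in mail-gateway or proxy log review, since a valid certificate on the look-alike host means the TLS layer raises no warning.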