2 Factor Authentication may not be as secure as you think, as a new tool has been released that can bypass the security feature.
Polish researcher Piotr Duszynski released a tool at the start of the year called ‘Modlishka’, which translates to English as ‘Mantis’. The penetration testing tool allows users automate phishing campaigns, and can even breach accounts that have 2 Factor authentication applied as a security measure.
Modlishka operates in-between the user and the users chosen email provider such as: Google, Outlook, Yahoo.
Victims then connect to the Modlishka server, which then generates requests to the websites it wants to impersonate to provide the victim with a legit experience. Because Modlishka takes the content from the legitimate website it wants to impersonate, it means that malicious users do not have to spend lengthy periods of time finetuning and updating templates.
Once the site has been impersonated, the victim will interact with authentic content from the legitimate website. The victim may be shopping online, however all of the interactions, form entries, that the victim completes will be recorded on the Modlishka server.
In this case, victims may be inserting personal data into online forms, and logging into authenticated areas will be recorded on the servers backend panel, compromising accounts. Potentially resulting in fraud, and other malicious activity.
Malicious users who wish to utilise this tool, simply need to configure a domain that they wish to host the phishing campaign on, as well as a valid TLS certificate. Allowing the impersonated website that the victim is visiting operates on a HTTPS “secure” connection – otherwise users will be alerted about the lack of a HTTPS connection resulting in many users not clicking through to the phishing domain.
Finally, the malicious users will be required a config file to be executed on the phishing domain that redirects the victim to the legitimate website at the end of the phishing operation.
With such a tool being open source and being available to anyone, it is inevitable that malicious users will begin testing the tool within their campaigns. Modlishka is easy to use, and those with little technical skills will be able to operate the tool. Duszynski described the tool as a “point and click”.