An open source toolkit dubbed Modlishka (Polish for mantis, a predatory insect) can be configured to launch phishing attacks capable of bypassing two-factor authentication (2FA), Piotr Duszyński, a penetration tester who created it and posted it to GitHub, wrote in a blog post.
Modlishka is a reverse proxy that sits between the user and a target website on a server hosting a phishing domain. When the user accesses the phishing site, the proxy makes a back-end connection to the targeted domain and will serve all of its content, including the login forms.
“I hope that this software will reinforce the fact that social engineering is a serious threat, and cannot be treated lightly,” Duszyński said. In his blog, he contends that Modlishka demonstrates that, given the right tools, social engineering, and a lack of awareness about cybersecurity issues, 2FA can be outmaneuvered.
“Over many years of my penetration testing experience, I have found ‘social engineering’ the easiest and most effective way to get a proper foothold into the internal network of my customers,” Duszyński wrote. “I know that many APT groups think the same… This is all because one definitely does not need to burn a 0-day exploit/s for all of those sophisticated top-notch security defenses that are protecting the perimeter, when often just a few e-mails or phone calls will do just perfectly fine to compromise internal infrastructure and companies' sensitive data. Modlishka was written with an aim to make that second approach (phishing campaigns) as effective as possible.”
2FA isn’t broken, Duszyński said, “but with the right reverse proxy targeting your domain over an encrypted, browser trusted, communication channel one can really have serious difficulties in noticing that something is seriously wrong.” At this point, the only way for users to address the issue is to use tokens that implement the Universal 2nd Factor (U2F) open authentication standard. Duszyński also recommends using password managers and raising awareness of current social engineering techniques.
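Why a U2F/WebAuthn token resists the relay described above comes down to origin binding: the browser, not the phished page, records the origin it is really on, and the token's signature covers that record, so a proxy cannot launder an assertion minted on a phishing domain into one for the real site. The following is an added illustration (not code from the article or from Modlishka) of the relying-party checks; the origin, RP ID, challenge and the two assertions are constructed values, and the ECDSA signature check is omitted to keep the focus on the binding.

```python
import base64
import hashlib
import json

# Relying-party values assumed for this example (not from the article).
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "login.example.com"
SERVER_CHALLENGE = "c29tZS1yYW5kb20tc2VydmVyLWNoYWxsZW5nZQ"  # constructed, per login

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(origin: str, rp_id: str) -> dict:
    """Constructed stand-in for what navigator.credentials.get() returns.
    The browser fills `origin` with the page it is actually showing, and the
    token signs authenticatorData, whose first 32 bytes are SHA-256(rpId)."""
    client_data = {"type": "webauthn.get", "challenge": SERVER_CHALLENGE, "origin": origin}
    # rpIdHash (32 bytes) || flags (UP set) || 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x07"
    return {"clientDataJSON": b64url(json.dumps(client_data).encode()), "authenticatorData": auth_data}

def verify_origin_binding(assertion: dict) -> tuple:
    """Server-side checks that tie the assertion to the genuine site. A real
    verifier also checks the signature over authenticatorData || SHA-256(clientDataJSON),
    which is what stops a proxy from simply rewriting the fields checked here."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != SERVER_CHALLENGE:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: browser reported {client_data.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

# Genuine login: the user's browser is on the real origin.
GENUINE = make_assertion(EXPECTED_ORIGIN, EXPECTED_RP_ID)
# Relayed login: the victim's browser is on the proxy's domain (constructed name), so the
# assertion it produces names that origin, and a browser will only allow an rpId that
# matches the page's own domain, so the rpIdHash is wrong as well.
RELAYED = make_assertion("https://login.example.com.phish.invalid", "login.example.com.phish.invalid")

if __name__ == "__main__":
    print(verify_origin_binding(GENUINE))  # (True, 'ok')
    print(verify_origin_binding(RELAYED))  # (False, 'origin mismatch: ...')
```

In practice the browser refuses to let the phishing page request the real site's rpId at all, so the token never signs anything usable; the server-side checks shown are the relying party's own layer on top of that.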
Why did Duszyński release Modlishka? To tangibly prove his point and prod cybersecurity defenders to understand the risk Modlishka poses to 2FA, he said. “I believe that without a working proof of concept, that really proves the point, the risk is treated as theoretical, and no real measures are taken to address it properly. This status quo, and lack of right awareness about the risk, is a perfect situation for malicious actors that will happily exploit it,” he wrote.