A Polish cybersecurity researcher has released an automated tool designed for pen testers that has the ability intercept data in real-time and even swipe 2FA credentials, a move that has some in the industry concerned that it could be used for nefarious purposes.
Piotr Duszyński last week released the open-source tool, named Modlishka which means Mantis in Polish, on Github he said as a way to raise awareness and to enable pen testers to launch effective phishing campaigns as part of red team engagements and in no way endorses the malicious use of his tool. However, the fact that Modlishka makes phishing attacks more effective also makes it a perfect weapon for a cybercriminal.
Tim Helming, director of product management, DomainTools. Said what Duszyński did is quite different from releasing an exploit or vulnerability after a patch has been found possibly opening the door for a major data breach.
“Unfortunately, attackers are going to be delighted by this tool, and there is little doubt that they can and will use it, and there is not a quick path toward mitigation,” said Helming, adding, “The risk here is that phishers may be able to deceive a larger tranche of the population than they ordinarily can--those who are security conscious and use two-factor authentication for critical accounts. This will give the successful attacker access to all kinds of information and/or networks they should not be able to reach.”
Modlishka is a reverse proxy that sits on a server that hosts a phishing domain that resides between a victim’s cloud-based email account and the victim’s device. The attacker spoofs the target domain, such as a VPN or webmail portal which then sits on the server, and then as the victim sends information through to the fake domain the tool is able to track and log the content. However, it does not set up a fake version of the site, but in fact allows the real site to send information to the victim which is intercepted by Modlishka.
“This is the stage of this attack that security teams can mitigate (via early detection of suspicious registrations) and end users can also mitigate (by being trained to look carefully at the URL of any link that is prompting for authentication),” Helming said.
The reverse proxy also asks the victim for 2FA tokens, which if acted upon quickly enough can be used to log into the target’s system, ZD Net reported.
In his blog on the tool, Duszyński said Modlishka does not prove that 2FA is broken just that with the right tools, social engineering and the general lack of awareness about these problems it can be outsmarted.
“So the question arises… is 2FA broken? Not at all, but with a right reverse proxy targeting your domain over an encrypted, browser trusted, communication channel one can really have serious difficulties in noticing that something is seriously wrong. Add to the equation different browser bugs, that allow URL bar spoofing, and the issue might be even bigger,” he said.
Duszyński suggested for those who want to avoid any issue with 2FA to switch to universal two-factor authentication that is not affected by a Modlishka-like tool.