Two-factor authentication, as a means of securing access to services and sites, is one of the recommended approaches, especially when dealing with sensitive content and online banking. It is deemed a safe approach because it makes hijacking accounts harder. To date it has been very difficult to overcome: intrusions had to be made from either the user's computer or the service itself. However, a new open-source tool called “Modlishka” has been shown to bypass most such schemes using phishing tactics.
Two-factor Authentication Bypassed via Phishing Strategies Orchestrated with Modlishka
A new open-source tool called Modlishka has made headlines by demonstrating how it can bypass two-factor authentication on sites and services. This is not done by launching exploits but by running a phishing campaign. This is the approach chosen by the developer behind the tool, as it has proven very effective, especially when a large number of targets is intended.
Intrusions into online services such as banking and email are very hard to carry out against accounts secured with two-factor authentication. This is the simultaneous use of two login methods, applied in parallel, to prove that the user is the legitimate owner. Common methods include a PIN-generating device or a mobile authenticator, alongside the required username/email address and password combination.
Potential malicious users need a phishing domain name on which to host the server, and a valid TLS certificate. The certificate is required so that users continue browsing the site; if it is not present, the browser displays a security error. When configured correctly, the tool impersonates popular services such as Google and collects credentials in real time. As soon as they are harvested they are written to the log files.
The power of phishing sites is evident: a recent incident happened in December when Amnesty International identified several well-crafted phishing sites for the popular email services Tutanota and ProtonMail. Google and Yahoo were also targeted in these attacks alongside the secure email services.
The reason why this tool is so powerful is that it uses several different types of technologies and methods:
- Phishing tactics — The orchestration of fake landing pages can be very effective, especially with users who do not pay enough attention to the domain name. The use of certificates makes the browser believe that a legitimate site is being accessed. Shortened URLs are another strategy used to increase the chances of success.
- Browser Bugs — Over the years we have witnessed various software vulnerabilities that allow scripts to spoof URL addresses.
- Reverse Proxy Use — The use of this technology by means of web server configuration can redirect the targets to the fake landing pages.
So far we have not received reports of Modlishka abuse; however, we assume that such campaigns will take place. Two-factor authentication still remains a recommended approach for securing accounts and data; however, users should be very careful when entering their credentials. The Modlishka demonstrations show that a perfect copy of a legitimate landing page, complete with the two-factor authentication prompts, can be produced.
In the FAQ section of the tool, the following note is found:
2FA isn’t broken. At the end it is all about ‘social engineering’ that you will have to stay alert about. Which can be e-mail, phone, post or face2face based. If you don’t want to always verify if the domain name in the URL address bar of your browser isn’t somehow malicious or worry if there’s yet another URL spoofing bug, then consider switching to U2F protocol.
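The article describes a reverse proxy on a lookalike domain relaying a victim's password and one-time code to the real site, and the FAQ note recommends U2F as the answer. The following Python simulation, added here as an illustration and not taken from Modlishka or any real U2F library, shows the mechanism behind both statements: a relayed one-time code verifies because nothing ties it to the page the victim typed it on, whereas a U2F/WebAuthn-style response carries the browser's real origin inside the signed data, so the legitimate service rejects it when the victim was actually on the proxy's domain. The domains, user name, seeds and the use of HMAC in place of the per-site ECDSA key pair a real security key holds are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Tuple

# Constructed sample values; nothing here is taken from the article or the tool.
RP_ID = "example.com"
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com"  # lookalike domain in front of a reverse proxy
USER = "alice"


def _hash(data: dict) -> bytes:
    return hashlib.sha256(json.dumps(data, sort_keys=True).encode()).digest()


class SecurityKey:
    """Stand-in for a U2F/WebAuthn authenticator. Real keys use a per-site
    ECDSA key pair; here an HMAC key derived per rp_id plays that role (assumption)."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def key_for(self, rp_id: str) -> bytes:
        return hmac.new(self._seed, rp_id.encode(), hashlib.sha256).digest()

    def sign(self, rp_id: str, client_data: dict) -> bytes:
        # The browser, not the user, fills in client_data["origin"] with the
        # origin of the page it is really on; the key signs over all of it.
        return hmac.new(self.key_for(rp_id), _hash(client_data), hashlib.sha256).digest()


class RelyingParty:
    """The legitimate service: registered key material plus outstanding challenges."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, str] = {}

    def register(self, user: str, key_material: bytes) -> None:
        self._keys[user] = key_material  # simulation: shared key stands in for a public key

    def challenge(self, user: str) -> str:
        self._pending[user] = os.urandom(16).hex()
        return self._pending[user]

    def verify(self, user: str, client_data: dict, signature: bytes) -> Tuple[bool, str]:
        expected = self._pending.pop(user, None)  # single use, so replays fail
        if expected is None or client_data.get("challenge") != expected:
            return False, "unknown or reused challenge"
        if client_data.get("origin") != self.origin:
            return False, "origin mismatch: " + str(client_data.get("origin"))
        expected_sig = hmac.new(self._keys[user], _hash(client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, signature):
            return False, "bad signature"
        return True, "ok"


def browser_login(rp: RelyingParty, key: SecurityKey, page_origin: str) -> Tuple[bool, str]:
    """One login as seen from the browser. A transparent reverse proxy relays the
    challenge and the response unchanged; the one thing it cannot change is the
    origin the browser records, because that is the page the victim is really on."""
    challenge = rp.challenge(USER)
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return rp.verify(USER, client_data, key.sign(rp.rp_id, client_data))


def totp_code(secret: bytes, now: Optional[float] = None) -> str:
    """Minimal TOTP-like code: HMAC over the 30-second window. Nothing binds it to an origin."""
    window = int((now if now is not None else time.time()) // 30)
    return hmac.new(secret, str(window).encode(), hashlib.sha256).hexdigest()[:6]


def setup() -> Tuple[RelyingParty, SecurityKey]:
    rp = RelyingParty(RP_ID, REAL_ORIGIN)
    key = SecurityKey(b"constructed-seed-for-demo")
    rp.register(USER, key.key_for(RP_ID))
    return rp, key


def login_direct() -> Tuple[bool, str]:
    rp, key = setup()
    return browser_login(rp, key, REAL_ORIGIN)


def login_through_proxy() -> Tuple[bool, str]:
    rp, key = setup()
    return browser_login(rp, key, PHISH_ORIGIN)


def relayed_otp_login() -> bool:
    """Password plus time-based code relayed by the proxy: the service cannot tell
    the relay from the user, so the session is granted to the proxy."""
    secret = b"constructed-totp-seed"
    now = time.time()
    victim_types = totp_code(secret, now)   # entered on the fake page
    proxy_forwards = victim_types           # relayed verbatim to the real site
    return hmac.compare_digest(proxy_forwards, totp_code(secret, now))


if __name__ == "__main__":
    print("direct:", login_direct())
    print("via proxy:", login_through_proxy())
    print("relayed OTP accepted:", relayed_otp_login())
```

The decisive check is the `origin` comparison in `RelyingParty.verify`: the relying party never needs to detect the proxy, because the browser's own record of where the user was is part of what the key signs. A reviewer reading real WebAuthn server code should look for exactly that comparison (against the configured origin, not the `Host` header the proxy can set freely) and for the single-use challenge that stops the relayed response from being replayed.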