Phishing tool that bypasses Gmail 2FA released on Github

The reverse proxy 'Modlishka' tool is designed to make phishing attacks as "effective as possible"

A security researcher has released a tool that can bypass a host of two-factor authentication (2FA) schemes widely used across platforms such as Gmail and Yahoo.

Polish researcher Piotr Duszyski published his tool, which uses a reverse proxy method, on GitHub alongside a step-by-step guide outlining how it can be used in a phishing scam to scalp user credentials and 2FA codes in one example against Google's security barriers.

Advertisement - Article continues below

When deployed, the tool places a server named Modlishka between a phishing target and a secure platform such as Gmail, which phishing victims unwittingly connect to in order to enter login details.

In a hypothetical phishing campaign, a targeted user would encounter a malicious email containing a link to the proxy server mimicking a Google login procedure. The user would then enter their user name and password, and then the 2FA code (received for instance via text message), all of which would be collected and held on the proxy server.

To make a success of the attack, a malicious actor would be required to monitor this process in real-time, and enter the 2FA code before it expires to gain entry.

Due to its simplicity, an attacker hypothetically using Modlishka to orchestrate a phishing campaign wouldn't need to recreate any websites themselves as is commonly done. All that's required is a phishing domain and a valid TLS certificate.

"So the question arises, is 2FA broken?" Duszyski said. "Not at all, but with a right reverse proxy targeting your domain over an encrypted, browser trusted, communication channel one can really have serious difficulties in noticing that something is seriously wrong.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Add to the equation different browser bugs, that allow URL bar spoofing, and the issue might be even bigger. Include lack of user awareness, and it literally means giving away your most valuable assets to your adversaries on a silver plate."

Duszyski has already successfully tested his tool on platforms such as Gmail and Yahoo.

The tool, which he says is for penetration testing and educational purposes only, casts doubt on 2FA as an effective layer of protection against intruders and malicious actors. Modlishka can, in particular, be used to make phishing campaigns "as effective as possible".

The only way to resolve this issue from a technical perspective, he added, was to rely on hardware tokens based on the universal 2nd-factor protocol (U2F); that is hardware devices built specifically to serve as authentication modules that do not require users to enter codes manually.

The fallibility of common 2FA routines has been exposed in recent months, particularly via a massive data breach that social news aggregator Reddit sustained last year as a result of weaknesses in its security.

Advertisement - Article continues below

After intercepting a handful of its employees' SMS-based 2FA setup and gaining access to their accounts, a malicious actor made away with a trove of user credentials, including email addresses.

Reddit's CTO Chris Slowe said following the incident that the company realised text message-based 2FA is "not nearly as secure as we would hope" and recommended that everybody moved to token-based 2FA.

Meanwhile, a strain of malware uncovered last year, known as Roaming Mantis, was reported to base Android-oriented attacks on a mechanism that cracks 2FA and hijacks users' Google accounts.

Security expert Graham Cluley told IT Pro the tool could work in practice, but that users can protect themselves against a Modlishka-centric phishing campaign by using hardware-based 2FA, or a password manager. 

"Reading about Modlishka it sounds like it would work, proxying the content of the genuine site to make a phishing site very believable and intercepting any information entered, such as passwords and 2FA codes," he said.

Advertisement - Article continues below

"2FA codes tend to be time-restricted, often changing every 30 seconds. As such, an attacker may have to be monitoring the phish in real-time to maximise the account access.

"So, it's an impressive demonstration - but users should continue to use password managers, unique passwords, and enable 2FA wherever possible."

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement
Advertisement

Recommended

Andrew Daniels joins Druva as CIO and CISO
Cloud

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
University of California gets fleeced by hackers for $1.14 million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Australia announces $1.35 billion investment in cyber security
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
CSA and ISSA form cyber security partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How do you build a great customer experience?
Sponsored

How do you build a great customer experience?

20 Jul 2020
Labour Party donors caught up in Blackbaud data breach
data breaches

Labour Party donors caught up in Blackbaud data breach

31 Jul 2020