A security researcher recently released a hacking tool that takes phishing attacks to a new level: it automates the phishing session end to end and defeats two-factor authentication (2FA) that relies on one-time codes.
Modlishka, created by Piotr Duszynski, is a reverse proxy modified to handle traffic from login pages and phishing campaigns. It sits between the user and the targeted website, and victims reach the Modlishka server through a phishing domain controlled by the attacker.
While traditional phishing campaigns rely on cloned pages and emails crafted to look as close to the target as possible (for example, messages that look nearly identical to corporate ones), Modlishka does not clone anything. It relays every victim's traffic to the legitimate site in real time and records everything that passes through it.
All passwords entered by the user are logged to Modlishka's backend. Because the victim is interacting with the real site through the proxy, the site's own 2FA prompt is shown to them, and the one-time code they type passes through Modlishka as well. An attacker who collects these codes in real time, before they expire, can log into the victim's account and obtain a legitimate session.
Duszynski provided a video demonstrating how easily the tool operates, without site-specific templates, to gather credentials and any 2FA codes. All an attacker needs to run it is a phishing domain pointed at the Modlishka server and a valid TLS certificate for that domain.
Lastly, with a simple configuration the attacker can redirect victims to the legitimate site once their credentials have been captured, so they are unlikely to notice the phishing domain.
“I hope that this software will reinforce the fact that social engineering is a serious threat, and cannot be treated lightly,” Duszynski wrote. “So the question arises: is 2FA broken? Not at all, but with a right reverse proxy targeting your domain over an encrypted, browser trusted, communication channel one can really have serious difficulties in noticing that something is seriously wrong.”
“Include lack of user awareness, and it literally means giving away your most valuable assets to your adversaries on a silver plate,” he continued. “At the end even the most sophisticated security defense systems can fail if there is no sufficient user awareness and vice versa for that matter.”
Currently, the only workaround for this threat is hardware two-factor authentication based on the U2F protocol, combined with the right user awareness, Duszynski wrote. U2F resists this attack because the authenticator's signed response is bound to the origin of the page the browser is actually on: a response produced while the victim is on the phishing domain is rejected by the legitimate site, and the proxy cannot produce one for the real origin.
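The following simulation, added here to illustrate the two preceding points and not part of Modlishka or Duszynski's write-up, plays the attack flow out for both kinds of second factor. A transparent proxy on a phishing origin captures the password and the TOTP code, relays them to the real site while the code is still valid, and ends up holding a live session cookie; the same proxy fails against an origin-bound authenticator, because the browser reports the phishing origin to the authenticator and the site checks it. The origins are made up, and the authenticator's public-key signature is stood in for by HMAC-SHA256 with a key registered at the site (an assumption that preserves the one property the demo relies on: the proxy cannot forge it).

```python
"""Reverse-proxy phishing simulation: TOTP relay succeeds, origin-bound auth fails.
Added illustration, not Modlishka code. Assumptions: origins are invented; the
authenticator's signature is modelled with HMAC-SHA256 over (origin || challenge)
using a key registered at the site, standing in for ECDSA over clientData."""
import hashlib
import hmac
import secrets
import struct
import time

REAL_ORIGIN = "https://login.example.com"           # assumed legitimate site
PHISH_ORIGIN = "https://login.example-support.com"  # assumed attacker domain


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), so the simulated victim produces real codes."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def authenticator_sign(key, origin, challenge):
    """The browser tells the authenticator which origin it is on; origin and
    challenge are signed together (stand-in for U2F/WebAuthn clientData)."""
    return (origin, challenge), hmac.new(key, origin.encode() + challenge, hashlib.sha256).digest()


class Site:
    """Legitimate site: password + TOTP, or password + origin-bound signed challenge."""
    origin = REAL_ORIGIN

    def __init__(self):
        self.users, self.sessions, self.pending = {}, {}, {}

    def register(self, user, pw, totp_secret, u2f_key):
        self.users[user] = {"pw": pw, "totp": totp_secret, "u2f": u2f_key}

    def _new_session(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid  # session cookie handed back to whoever logged in

    def login_totp(self, user, pw, code):
        u = self.users.get(user)
        if u is None or pw != u["pw"]:
            return None
        now = time.time()  # accept current and previous step (RFC 6238 delay tolerance)
        if code not in (totp(u["totp"], now), totp(u["totp"], now - 30)):
            return None
        return self._new_session(user)

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def login_u2f(self, user, pw, client_data, signature):
        u = self.users.get(user)
        if u is None or pw != u["pw"]:
            return None
        origin, challenge = client_data
        # The challenge must be ours AND the origin the browser saw must be ours.
        if challenge != self.pending.pop(user, None) or origin != self.origin:
            return None
        expected = hmac.new(u["u2f"], origin.encode() + challenge, hashlib.sha256).digest()
        return self._new_session(user) if hmac.compare_digest(expected, signature) else None


class PhishingProxy:
    """Relay on the attacker's domain: records what passes through and forwards it
    to the real site immediately, while the one-time code is still valid."""
    origin = PHISH_ORIGIN

    def __init__(self, site):
        self.site, self.captured = site, []

    def login_totp(self, user, pw, code):
        self.captured.append(("creds", user, pw, code))
        sid = self.site.login_totp(user, pw, code)
        if sid:
            self.captured.append(("session", sid))  # attacker now owns a live session
        return sid

    def challenge(self, user):
        return self.site.challenge(user)

    def login_u2f(self, user, pw, client_data, signature):
        self.captured.append(("creds", user, pw))
        sid = self.site.login_u2f(user, pw, client_data, signature)  # origin mismatch: rejected
        if sid:
            self.captured.append(("session", sid))
        return sid


class Victim:
    """The user's browser plus authenticators; it trusts whatever endpoint it is on."""

    def __init__(self, user, pw, totp_secret, u2f_key):
        self.user, self.pw, self.totp_secret, self.u2f_key = user, pw, totp_secret, u2f_key

    def login_with_totp(self, endpoint):
        return endpoint.login_totp(self.user, self.pw, totp(self.totp_secret))

    def login_with_u2f(self, endpoint):
        challenge = endpoint.challenge(self.user)
        client_data, sig = authenticator_sign(self.u2f_key, endpoint.origin, challenge)  # real page origin
        return endpoint.login_u2f(self.user, self.pw, client_data, sig)


def run_scenarios():
    site, totp_secret, u2f_key = Site(), secrets.token_bytes(20), secrets.token_bytes(32)
    site.register("alice", "correct horse battery staple", totp_secret, u2f_key)
    alice = Victim("alice", "correct horse battery staple", totp_secret, u2f_key)
    proxy = PhishingProxy(site)
    results = {
        "totp_direct": alice.login_with_totp(site),
        "totp_proxied": alice.login_with_totp(proxy),
        "u2f_direct": alice.login_with_u2f(site),
        "u2f_proxied": alice.login_with_u2f(proxy),
        "captured": proxy.captured,
    }
    stolen = [e[1] for e in proxy.captured if e[0] == "session"]
    results["stolen_session_valid"] = bool(stolen) and site.sessions.get(stolen[0]) == "alice"
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Note that the proxied TOTP login succeeds only because the relay happens within the code's validity window; the attacker's value is the session identifier the site returns, not the code itself. In the U2F-style flow the proxy still sees the password, so user awareness and credential rotation remain relevant, but it never obtains a session.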
The tool's release follows an Amnesty International report that found state-sponsored attackers already using phishing kits capable of bypassing 2FA.
Phishing continues to drive a steady stream of reported healthcare breaches, and recent reports rank user authentication as the most common cyber risk for health systems and hospitals; a freely available tool like this raises that risk sharply.
Health organizations can reduce email risk by taking those decisions out of users' hands through technology, such as phishing-resistant hardware authentication, while supporting employees in meeting security best practices.