New Phishing Kit Allows Bypassing Two-Factor Authentication with Ease

Attackers have a new phishing tool in their arsenal, and it’s a powerful one. A penetration tester released an open source toolkit that can be used to easily set up phishing attacks that can bypass two-factor authentication (2FA).

Dubbed Modlishka (Polish for mantis), the toolkit acts as a reverse proxy that can be deployed on a server hosting a phishing domain. When the victim accesses the phishing site, the proxy will make a backend connection to the targeted domain and will serve all of its content, including the login form.

Reverse proxies are not a new invention, but Modlishka, which was created by penetration tester and developer Piotr Duszyński, was specifically designed for phishing and has options and plug-ins to enhance such attacks.

For example, it allows attackers to deploy a certificate on the phishing domain and then the proxy will handle cross-origin TLS traffic flow from the victim’s browser to the target domain. The responses from the targeted sites can also be tweaked through options and the attacker even has the option to inject JavaScript payloads into the traffic.

The tool supports the majority of 2FA schemes by design. Since all content is loaded from the target website, it includes the two-factor authentication forms, allowing attackers to collect the tokens in real time. The reverse proxy technique also makes the job easier because attackers don’t have to create “template” pages for the targeted websites, as with other kits.

Duszyński built Modlishka for penetration testers and does not endorse unauthorized attacks, but as with all open source tools, there’s nothing stopping attackers from using it.

“Over many years of my penetration testing experience, I have found ‘social engineering’ the easiest and most effective way to get a proper foothold into the internal network of my customers,” the researcher said in a blog post. “I know that many APT groups think the same… This is all because one definitely does not need to burn a 0day exploit/s for all of those sophisticated top-notch security defenses that are protecting the perimeter, when often just a few e-mails or phone calls will do just perfectly fine to compromise internal infrastructure and companies (sic) sensitive data.”

The one case where Modlishka doesn’t work is with 2FA schemes that exclusively rely on hardware tokens based on the U2F protocol. Those devices verify the identity of the sites they generate tokens for and transmit them over a secure channel.
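To make that origin binding concrete, here is an added Python model of the U2F authentication check; it is not code from the article, from Modlishka or from any U2F library, and it simulates the token's per-site ECDSA key with a per-origin HMAC key (a stand-in), with the site names, device secret and challenge all constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the authenticator's master secret. A real U2F token
# holds a per-site ECDSA key; a per-origin HMAC key models that binding here.
DEVICE_SECRET = b"constructed-device-secret"


def authenticator_sign(origin: str, client_data: bytes) -> bytes:
    """Model of the token signing app_param || client_param for one origin.
    The key is scoped to the origin the browser reports, so an assertion made
    on a phishing origin does not verify under the key the real site registered
    (HMAC stands in for ECDSA)."""
    origin_key = hmac.new(DEVICE_SECRET, origin.encode(), hashlib.sha256).digest()
    app_param = hashlib.sha256(origin.encode()).digest()
    client_param = hashlib.sha256(client_data).digest()
    return hmac.new(origin_key, app_param + client_param, hashlib.sha256).digest()


def browser_authenticate(page_origin: str, challenge: str):
    """The browser, not the page, fills in the origin it is actually on."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    return client_data, authenticator_sign(page_origin, client_data)


def relying_party_verify(rp_origin: str, challenge: str,
                         client_data: bytes, signature: bytes) -> bool:
    """The real site checks origin and challenge, then the signature."""
    cd = json.loads(client_data)
    if cd.get("origin") != rp_origin or cd.get("challenge") != challenge:
        return False  # assertion was made for another site or another session
    expected = authenticator_sign(rp_origin, client_data)  # key registered for rp_origin
    return hmac.compare_digest(expected, signature)


def demo():
    rp = "https://login.example"                 # constructed real site
    phish = "https://login.example-secure.test"  # constructed proxy/phishing site
    challenge = "constructed-server-challenge"
    # 1. Victim authenticates directly to the real site: accepted.
    cd, sig = browser_authenticate(rp, challenge)
    genuine = relying_party_verify(rp, challenge, cd, sig)
    # 2. Proxy relays the real challenge, but the browser is on the phishing origin: rejected.
    cd, sig = browser_authenticate(phish, challenge)
    relayed = relying_party_verify(rp, challenge, cd, sig)
    # 3. Proxy rewrites the origin field before forwarding: signature no longer covers it.
    fixed = json.loads(cd)
    fixed["origin"] = rp
    rewritten = relying_party_verify(rp, challenge, json.dumps(fixed).encode(), sig)
    return genuine, relayed, rewritten
```

Unlike a typed one-time code, which the proxy can relay unchanged, the assertion carries the origin the browser was actually on, which is why the relayed and rewritten cases both fail.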

As phishing becomes easier to pull off and more difficult to spot, it’s increasingly important for companies to train their employees on how to identify such attacks and other social engineering attempts.

Vulnerabilities Tripled in WordPress Ecosystem Last Year

The number of vulnerabilities found in the WordPress ecosystem grew 3x in 2018 compared to the previous year, according to a report from security firm Imperva.

The vast majority of the 542 vulnerabilities—98 percent—were located in third-party plug-ins. That’s not surprising since anyone can create a WordPress plug-in and overall their code quality is worse than the core WordPress code.

Even though, taken individually, plug-in vulnerabilities don’t pose a threat to as many users as vulnerabilities in WordPress itself, their strength is in numbers. With a large number of vulnerabilities in a large number of plug-ins, attackers can quickly compromise a large number of sites.

Also, vulnerabilities in plug-ins are not patched as quickly as vulnerabilities in the core WordPress code, giving attackers a larger time window in which to exploit them.

According to Imperva’s data, more than half of all web application vulnerabilities have public exploits available and more than a third don’t have a patch.

That said, the number of vulnerabilities by itself is not a very good indicator of risk. For example, despite a much smaller number of flaws, Drupal was an attacker favorite last year. That was primarily the result of two highly critical vulnerabilities, CVE-2018-7600 and CVE-2018-7602, which also have been dubbed Drupalgeddon2 and Drupalgeddon3.

“The simplicity of these Drupal vulnerabilities and their catastrophic impact made them a weapon of choice for many attackers,” the Imperva researchers said in their report. “In fact, Imperva detected and blocked more than half a million attacks related to these vulnerabilities during 2018.”

Lucian Constantin
