Posted on January 9, 2019 at 2:09 PM
Phishing attacks were always a large problem that usually took advantage of unsuspecting internet users. Hackers and scammers were known for using them to obtain other people’s login credentials and other data, which would often lead to a vast number of other problems.
Two-factor authentication (2FA) was invented as a response, and for a time, it provided users with at least some level of protection. This method would usually warn an account owner if anyone attempted to log in from an unknown device, and the real account owner would have the ability to stop the attack. At the very least, they would be warned of it in real time.
However, in recent years, even this method has started to become unreliable. Now, thanks to a new tool developed by a security researcher, not only will phishing attacks become automated, but two-factor authentication will likely no longer pose an obstacle to hackers and scammers.
The new penetration tool
The new tool’s name is Modlishka, which comes from a Polish word for mantis. It was created by Piotr Duszyński, a Polish security researcher, and the way it works can be described as a reverse proxy with additional traffic-handling modifications.
According to researchers, the tool, when deployed, stands between users and the targeted website. Since phishing attacks mostly work via email, most of the targeted websites will likely include email services, such as Gmail, ProtonMail, Yahoo, and others. Unsuspecting victims who aim to connect to the service would be redirected to the Modlishka server, and only then would they end up at the real website.
Usually, the victim would quickly realize that something is not right, but this time, it may not be the case. This is because the content they would receive would still come from the real email service. However, all traffic would go through the Modlishka server, which will record it in the process, together with any passwords that the victim might use to log into their account.
Attackers can steal the victims’ login credentials immediately, which will allow them to access these accounts and start legitimate sessions.
Because no fake websites are involved, the process is highly stealthy, and attackers do not have to bother with making a fake site look accurate enough. All that they really need is a phishing domain name and a TLS certificate, so that users are not alerted to the lack of an HTTPS connection. The last step is the creation of a config file that will lead the victim to the real email service before they spot that something is going on.
Phishing attacks were never properly addressed, claims tool’s creator
According to the tool’s creator, Modlishka would work as an easy-to-automate point-and-click system that would barely require any maintenance. The researcher also stated that he created it with a goal to eliminate the need for making a new fake web page for his phishing campaigns. The easiest way to achieve this appeared to be to create a reverse proxy, and it took him less than a year to complete the tool.
The researcher has also admitted that the tool is a serious game changer and that the only thing that can currently resist it is U2F protocol-based tokens. However, he also mentioned that some rare cases might require the tool user’s intervention, where the tool will have to be tuned manually. This should also be improved in the future, which will likely make the tool even more effective.
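Why a U2F token holds up against a reverse proxy, shown as an added example (not code from this article or from Modlishka): the browser writes the origin it is really on into the data the token signs, so the real service can reject a login performed through another domain. Assumptions: the domain names are constructed, the client data is simplified to two fields, and an HMAC stands in for the token's real ECDSA P-256 signature.

```python
import hashlib
import hmac
import json
import os

REAL_ORIGIN = "https://mail.example.com"          # constructed: the genuine service
PROXY_ORIGIN = "https://mail.example-login.test"  # constructed: look-alike proxy domain


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Token:
    """Stand-in for a U2F key. Assumption: HMAC replaces the ECDSA P-256 signature."""

    def __init__(self) -> None:
        self.key = os.urandom(32)  # registered with the real service at enrolment

    def sign(self, client_data: bytes) -> bytes:
        # The signature covers the application identity and the client data.
        msg = _sha256(REAL_ORIGIN.encode()) + _sha256(client_data)
        return hmac.new(self.key, msg, hashlib.sha256).digest()


def browser_sign(token: Token, page_origin: str, challenge: str):
    # The browser, not the page, records the origin the user is actually on.
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return client_data, token.sign(client_data)


def server_verify(token: Token, challenge: str, client_data: bytes, sig: bytes) -> str:
    # Recomputing the HMAC stands in for checking the signature with the public key.
    if not hmac.compare_digest(token.sign(client_data), sig):
        return "bad signature"
    data = json.loads(client_data)
    if data["challenge"] != challenge:
        return "wrong challenge"
    return "ok" if data["origin"] == REAL_ORIGIN else "origin mismatch"


def login(page_origin: str, rewrite_origin: bool = False) -> str:
    token, challenge = Token(), os.urandom(16).hex()
    client_data, sig = browser_sign(token, page_origin, challenge)
    if rewrite_origin:  # relayed data edited in transit: the signature no longer covers it
        client_data = client_data.replace(page_origin.encode(), REAL_ORIGIN.encode())
    return server_verify(token, challenge, client_data, sig)


if __name__ == "__main__":
    for args in [(REAL_ORIGIN,), (PROXY_ORIGIN,), (PROXY_ORIGIN, True)]:
        print(args, "->", login(*args))
```

A one-time code typed into a page carries no such origin, which is why it offers no comparable check when the page is served through a proxy.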
Recent reports have shown that phishing attacks have been getting better at bypassing two-factor authentication for a while now, but the Modlishka tool will certainly increase the danger. Phishing campaigns will become faster, more effective, and easier to conduct. With this in mind, many were confused as to why a security researcher would release such a tool in the first place.
His answer was that phishing attacks have been a threat for a long time now, but the world has mostly treated them as a theoretical issue. As a result, there were no real efforts to address the problem. Now that the problem has grown to this size, maybe things will change. The tool is already available on GitHub.