Data Security

A new tool that allows you to bypass two-factor authentication

This authentication method might not be as secure as we thought

Piotr Duszynski, a Polish network security researcher, recently announced the release of a tool called “Modlishka”
(Mantis in Polish), which, according to the expert, is a penetration testing
tool that, for example, lets users automate the deployment of phishing campaigns.
He even mentioned that this tool could compromise accounts on various online services
with two-factor authentication (2FA) enabled.

Modlishka sits between the user and the
email provider of the user’s choice, such as Gmail, Outlook or Yahoo, Duszynski
explains. The victim connects to the Modlishka server, which in turn generates
requests to the website being spoofed, so the victim cannot tell the real site
from the spoofed one. The network security expert notes that because Modlishka takes
the content directly from the spoofed site, a malicious user does not have
to waste time creating new templates for each attack.

Once the site has been supplanted, the victim
interacts with authentic content from the legitimate website and can, for
instance, shop online as usual; however, every interaction the victim enters is
logged on the Modlishka server, which could lead to some variant of identity
fraud and other malicious activities.
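From the legitimate site's side, the design described above means that every victim's traffic arrives from the proxy server's address rather than from each victim's own. The following added example (not part of the article or of the Modlishka project) shows a defender-side check on that pattern: it parses constructed login-success log lines and flags any source IP that authenticates to several distinct accounts within a short window. The log format, addresses, account names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an application's login-success log (assumed format):
# ISO timestamp, client IP as seen by the server, account name.
SAMPLE_LOG = """\
2019-01-10T09:00:01Z 203.0.113.7 alice
2019-01-10T09:01:12Z 198.51.100.2 bob
2019-01-10T09:02:40Z 203.0.113.7 carol
2019-01-10T09:03:05Z 203.0.113.7 dave
2019-01-10T09:04:30Z 192.0.2.55 erin
2019-01-10T09:05:59Z 203.0.113.7 frank
2019-01-10T09:07:10Z 203.0.113.7 alice
2019-01-10T11:30:00Z 203.0.113.7 grace
"""


def parse_log(text):
    """Turn log lines into (timestamp, ip, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account))
    return events


def find_proxy_like_sources(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {ip: accounts} for every IP that logged into at least
    min_accounts distinct accounts inside some sliding window of length
    `window`. A single address funnelling many users' sessions is what a
    relaying proxy looks like to the real site. Caveat: shared NAT or
    corporate egress addresses produce the same shape, so treat a hit as a
    lead to correlate with other signals, not as proof on its own."""
    by_ip = defaultdict(list)
    for ts, ip, account in events:
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            accounts = {acc for ts, acc in items[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = accounts
                break
    return flagged
```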

Any user (regardless of their purposes) who
wants to use this tool just has to configure the domain on which they want to
host their phishing campaign, as well as a valid TLS certificate. Users must
also ensure that the impersonated website the victim visits operates over a
‘secure’ HTTPS connection; otherwise, the victim will be alerted about the
absence of an HTTPS connection, reducing the chances of the attack
succeeding.

Finally, users must set up a
configuration file on the phishing domain that redirects the victim to the
legitimate website once the phishing operation is complete. Modlishka is currently
available on GitHub under an open source license.

According to the network security expert,
using this tool is as easy as “target and click”; moreover, since the software
is open source, multiple malicious users may begin testing it in
various phishing campaigns.
