Most of us regard two-factor authentication as an added security measure that protects our accounts, but it has now been shown that this protection can be defeated. An automated tool developed for penetration testers has been released that intercepts data in real time and can bypass two-factor authentication. The open-source tool was published last week on GitHub by a Polish cybersecurity researcher, Piotr Duszyński, and is called Modlishka, which means Mantis in Polish.
The researcher released it to raise awareness and to let penetration testers launch effective phishing campaigns; he does not endorse malicious use of his tool. Since the tool can run phishing attacks automatically, however, it could just as easily become a perfect weapon for a cyber attacker.
Besides bypassing 2FA, Modlishka also stores the captured user credentials in its backend panel, which the attacker can access. The main risk is that phishers will be able to trick more people than they normally do, especially the security-conscious users who enable 2FA on their important accounts, and attackers will gain access to all kinds of information that was previously out of their reach.
Modlishka behaves like a reverse proxy: it runs on the server hosting the phishing domain and sits between the victim’s cloud-based email account and the victim’s domain. The attacker spoofs the target domain, and when the victim communicates through the fake domain the tool tracks and logs the content. Instead of setting up a fake site, the attacker lets the real site send its content to the victim, and Modlishka intercepts it along the way.
Duszyński wrote in his blog that Modlishka does not prove that 2FA is broken; rather, with the right tools, social engineering and a lack of user awareness, it can be outsmarted. He also suggests that users who wish to avoid this issue with 2FA can switch to universal two-factor authentication (U2F), which remains unaffected by a Modlishka-like tool.
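To show why an origin-bound second factor resists the relay described above while a code-based factor does not, here is an added Python illustration; it is not from the article, from Duszyński's blog or from Modlishka. The origins are constructed, and the authenticator's public-key signature is simulated with an HMAC over a per-registration shared key, a simplification that keeps the origin-binding logic intact.

```python
import hashlib
import hmac
import json
import os

# Constructed origins: the legitimate site and the reverse-proxy phishing domain.
REAL_ORIGIN = "https://accounts.example.com"
PROXY_ORIGIN = "https://accounts.example-login.com"


def relayed_otp_login(otp_typed_by_victim: str, otp_expected_by_site: str) -> bool:
    """A code-based second factor (SMS/TOTP) carries no notion of origin: whatever the
    victim types into the proxied page is relayed verbatim and verifies at the real site."""
    return hmac.compare_digest(otp_typed_by_victim, otp_expected_by_site)

def authenticator_sign(key: bytes, challenge: bytes, observed_origin: str) -> dict:
    """U2F-style assertion: the browser passes the authenticator both the challenge and
    the origin it is really talking to, so both end up inside the signed client data.
    The HMAC stands in for the authenticator's public-key signature (simplification)."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": observed_origin}, sort_keys=True
    ).encode()
    sig = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"client_data": client_data, "signature": sig}

def relying_party_verify(key: bytes, issued_challenge: bytes, assertion: dict) -> bool:
    """The real site accepts only a valid signature over its own challenge AND its own origin."""
    client_data = assertion["client_data"]
    expected = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    parsed = json.loads(client_data)
    return parsed["challenge"] == issued_challenge.hex() and parsed["origin"] == REAL_ORIGIN

def u2f_login_attempt(victim_browser_origin: str) -> bool:
    """One login over the path the victim's browser actually uses. A reverse proxy can
    relay the challenge unchanged, but it cannot alter the origin the browser signs over."""
    key = os.urandom(32)        # registered between this authenticator and the real site
    challenge = os.urandom(32)  # issued by the real site, forwarded by the proxy as-is
    assertion = authenticator_sign(key, challenge, victim_browser_origin)
    return relying_party_verify(key, challenge, assertion)

if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", relayed_otp_login("482913", "482913"))
    print("U2F from real origin accepted:     ", u2f_login_attempt(REAL_ORIGIN))
    print("U2F from proxy origin accepted:    ", u2f_login_attempt(PROXY_ORIGIN))
```

The relayed one-time code is accepted because nothing in it says where the victim typed it, whereas the U2F-style assertion made on the proxy domain fails at the real site because the signed origin does not match.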