With every new hack, it’s becoming clearer that older forms of two-factor authentication (2FA) are no longer the reassuring security protection they once were.
The latest and perhaps most significant is that researcher Piotr Duszyński has published a tool called Modlishka (Polish: “Mantis”) capable of automating the phishing of one-time passcodes (OTPs) sent by SMS or generated using authentication apps.
On one level, Modlishka is simply a tool that sits on the same server as a phishing site capturing any credentials and 2FA tokens the user can be tricked into sending it.
But instead of cloning the phished site (Gmail, say), it behaves like a reverse proxy, cleverly feeding the user content from the real site to make an attack look more convincing.
The user thinks they are interacting with the real site because they are – Modlishka, meanwhile, proxies all of this without the user realising.
A video demo shows how Modlishka could be used to phish a Google user but it could just as easily be used against any service where the same authentication is in use.
This tool should be very useful to all penetration testers, that want to carry out an effective phishing campaign (also as part of their red team engagements).
Was it right to publish such a powerful tool? Arguably, yes. When used for its intended purpose – simulating phishing attacks against 2FA as part of a penetration or social engineering test – it offers an important insight into the vulnerability of this type of security.
As for being used by cybercriminals, there are probably plenty of other tools that can do a similar job given that phishing OTP codes isn’t a new technique.
Within days of one another in December, separate reports emerged of attacks where phishing had successfully been used to obtain OTP codes as part of targeted campaigns.
The first was against high-value US targets, while the second was documented by Amnesty International as having been part of a campaign to break into the email accounts of over 1,000 human rights campaigners.
Ambitiously, the latter attempted to crack email services such as ProtonMail and Tutanota, which have additional layers of security and log all accesses.
What to do?
OTP phishing has limitations, starting with the maximum 30-second window during which a captured code must be used before it is replaced by a new one. It also depends on being able to socially engineer the target user into visiting a phishing site first.
If you use a password manager to enter credentials, it won’t trigger on a phishing domain, which can be taken as a suspicious sign.
The best defence, however, is not to abandon OTP 2FA but move to something more secure, which almost all big sites now offer as an option.
As Duszyński says:
Currently, the only way to address this issue, from a technical perspective, is to entirely rely on 2FA hardware tokens, that are based on U2F protocol.
U2F tokens can be bought from Yubico but also direct from Google in the form of the Titan key. Because these are based on public-key encryption, they don’t transmit phishable codes.
Ideally, you need to buy and enrol two (one being a backup), which could cost around £40 ($50). We’d argue the investment is well worth it given how many sites you can secure with one key.
If you think this type of security sounds expensive, consider the cost of a phished email, Facebook or Twitter account that you can’t access or reset.
19 comments on “2FA codes can be phished by new pentest tool”
I don’t get your point on U2F. This is a man in the middle attack. Neither 2FA nor U2F will prevent a man in the middle attack.
Both U2F and WebAuthn – the protocols used by YubiKeys, Titans et al for 2FA – have features to prevent MitM attacks. No such features exist in a 2FA code sent via SMS or generated by an authenticator app and manually typed in.
His point still stands. What the article describes is a man in the middle attack, not phishing.
The tool works as part of the phishing site, under the domain of the phishing site. It operates in a Man-in-the-Middle-ish way but it does not attempt to use the domain or certificate of the site it’s masquerading as.
A key using WebAuthn, for example, associates private keys with specific domains and will not use your private key for real site with a phishing site on a different domain.
U2F does give protection from phishing as the information exchange uses the domain name when generating the public key information and hence if the domain name is wrong the keys sent are wrong.
I came across a couple of blog posts [on avonet.com] a few weeks ago when I was looking into this stuff, one of them explains how U2F works and another gives some examples of how it can be used.
At no point was it MitM attack. And there are other techniques to prevent those (like HSTS or HPKP security headers). Anyway, U2F would add an extra layer of security comparing to any other methods, as it won’t let the user talk over an insecure channel (if somehow an attacker could perform SSLstrip-MitM).
It’s actually really good that tools such as evilginx2 or modlishka are gaining popularity as more people will realise non-U2F 2FA is a dead-end already 🙂
Thank you for the great writeup, but can you expand on what the features are so that we can understand the alternatives?
“Defense” is spelled with an “S” not a “C”. May want to update the content on this post.
Naked Security authors use their native spellings when writing. When John (British English) writes it, it’s defence.
Hmm to build Defense or de fence? A bit of a presidential question.
Sounds like browsers will have to do a better job of showing the certificate for sites. From the description above it sounds like it is not passing the destination cert or it would be a true secure session. I’m sure the phishing site is serving a cert that matches their own page – to get the pretty green lock, but it’s not secure to the sight the user thinks they are on. Certificates should be presenting usable data to the end user and not a color lock that doesn’t represent what is actually happening, only implied by having a green lock.
If the fake domain fools you then I have to believe the real certificate issued to that fake domain won’t ring any alarm bells.
Certificates have always been a red herring for phishing IMO, and pretty soon every site will have one. I’d rather hang my hat on WebAuthn, the work the browser vendors are doing to figure out which bits of the URL you need to see to make good decisions, and a password manager.
Smart individuals will always figure out a way to get around things. Could the Hydro Raindrop 2fa built on blockchain actually be the best 2fa alternative to Google Authenticator?
Wow remind me to change my 2FA to 3FA with the UFA2 protocol
New tool… Really? Did you forget about evilginx2 which does exatly the same and is available for quite some time now
Funny I thought the token codes were only accepted once, and couldn’t be used again.
Yes this is true, but if the code is supplied to a bogus website the software can resupply the OTP alongside your captured token to access the site in the background or simply hijack your session token when you think you have logged out.
The net result is the automated software (or “man in the middle”) can then change your password or disable 2fa authentication, or just download confidential information.
Smart individuals will always figure out a way to get around things