2FA codes can be phished by new pentest tool

With every new hack, it’s becoming clearer that older forms of two-factor authentication (2FA) are no longer the reassuring security protection they once were.

The latest and perhaps most significant is that researcher Piotr Duszyński has published a tool called Modlishka (Polish: “Mantis”) capable of automating the phishing of one-time passcodes (OTPs) sent by SMS or generated using authentication apps.

On one level, Modlishka is simply a tool that sits on the same server as a phishing site capturing any credentials and 2FA tokens the user can be tricked into sending it.

But instead of cloning the phished site (Gmail, say), it behaves like a reverse proxy, cleverly feeding the user content from the real site to make an attack look more convincing.

The user thinks they are interacting with the real site because they are – Modlishka, meanwhile, proxies all of this without the user realising.

A video demo shows how Modlishka could be used to phish a Google user, but it could just as easily be used against any service where the same kind of authentication is in use.

Explains Duszyński:

This tool should be very useful to all penetration testers who want to carry out an effective phishing campaign (also as part of their red team engagements).

Was it right to publish such a powerful tool? Arguably, yes. When used for its intended purpose – simulating phishing attacks against 2FA as part of a penetration or social engineering test – it offers an important insight into the vulnerability of this type of security.

As for being used by cybercriminals, there are probably plenty of other tools that can do a similar job given that phishing OTP codes isn’t a new technique.

Within days of one another in December, separate reports emerged of attacks where phishing had successfully been used to obtain OTP codes as part of targeted campaigns.

The first was against high-value US targets, while the second was documented by Amnesty International as having been part of a campaign to break into the email accounts of over 1,000 human rights campaigners.

Ambitiously, the latter attempted to crack email services such as ProtonMail and Tutanota, which have additional layers of security and log all accesses.

What to do?

OTP phishing has limitations, starting with the maximum 30-second window during which a captured code must be used before it is replaced by a new one. It also depends on being able to socially engineer the target user into visiting a phishing site first.
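To make the time window and the single-use nature of a code concrete, here is an added example (not from the article, and not code from Modlishka or its author) of a relying-party TOTP verifier in Go following RFC 6238 with a 30-second step. It accepts a code only for the current step or one step either side, and records the last counter it accepted so that a code already spent, whether by the user or by someone who relayed it, is refused. The secret is the RFC 6238 test key used as constructed demo input; the Verifier type and function names are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// totpStep is the code lifetime in seconds: the 30-second window from the article.
const totpStep = 30

// totpCode computes a 6-digit RFC 6238 code (HMAC-SHA1) for a time-step counter.
func totpCode(secret []byte, counter uint64) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verifier holds one user's secret and the highest counter already accepted,
// so a code that has been captured and relayed can only be spent once.
type Verifier struct {
	secret      []byte
	lastCounter uint64
	hasLast     bool
}

// Verify accepts the code for the current step or one step either side (clock
// skew) and rejects any counter at or below the last accepted one (replay).
func (v *Verifier) Verify(code string, now time.Time) bool {
	cur := uint64(now.Unix()) / totpStep
	for _, delta := range []int64{0, -1, 1} {
		c := uint64(int64(cur) + delta)
		if v.hasLast && c <= v.lastCounter {
			continue // already used, or older than a code already used
		}
		if hmac.Equal([]byte(totpCode(v.secret, c)), []byte(code)) {
			v.lastCounter = c
			v.hasLast = true
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret: the RFC 6238 test key, not a real user's seed.
	v := &Verifier{secret: []byte("12345678901234567890")}
	t := time.Unix(59, 0)
	code := totpCode(v.secret, uint64(t.Unix())/totpStep)
	fmt.Println("first use :", v.Verify(code, t))                      // true
	fmt.Println("replayed  :", v.Verify(code, t))                      // false: single use
	fmt.Println("31s later :", v.Verify(code, t.Add(31*time.Second))) // false: window passed
}
```

A login attempt that fails with a correct-but-already-used code is exactly the trace a relayed OTP leaves behind (the attacker spent it first), so it is worth logging and alerting on separately from an ordinary wrong code.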

If you use a password manager to enter credentials, its autofill is tied to the real site's domain and won't offer them on a phishing domain; that silence should be taken as a warning sign.

The best defence, however, is not to abandon OTP 2FA but move to something more secure, which almost all big sites now offer as an option.

As Duszyński says:

Currently, the only way to address this issue, from a technical perspective, is to rely entirely on 2FA hardware tokens, which are based on the U2F protocol.

U2F tokens can be bought from Yubico but also direct from Google in the form of the Titan key. Because these rely on public-key cryptography, with the token signing a challenge that is bound to the site the browser is actually on, there is no reusable code to phish.
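As an added example (not code from the article, from Yubico or from Google), the following Go program models why a U2F-style challenge-response cannot be relayed by a proxy: the data the token signs includes the origin the browser is actually on, so the relying party checks the signed origin as well as the signature. The origins, the challenge string and the clientData, assertion, registerToken, sign and verify names are constructed for this example, and the signed structure is simplified compared with the real protocol (which also covers an application-parameter hash and a use counter).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is a simplified version of what a U2F/WebAuthn client signs:
// the server's challenge plus the origin the browser actually loaded.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives back from the browser.
type assertion struct {
	ClientData []byte
	Signature  []byte
}

// registerToken creates the key pair for the demo. On a real token the private
// key is generated inside the hardware and never leaves it.
func registerToken() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sign mimics browser plus token: the browser fills in the origin it is on and
// the token signs the hash. A user on a proxy domain therefore produces a
// signature over the proxy's origin, not the real site's.
func sign(key *ecdsa.PrivateKey, challenge, browserOrigin string) (assertion, error) {
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return assertion{}, err
	}
	digest := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{ClientData: cd, Signature: sig}, nil
}

// verify is the relying party: the challenge must be the one it issued, the
// signed origin must be its own, and the signature must check out. An
// assertion relayed through another domain fails the origin test.
func verify(pub *ecdsa.PublicKey, expectedChallenge, expectedOrigin string, a assertion) bool {
	var cd clientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return false
	}
	if cd.Challenge != expectedChallenge || cd.Origin != expectedOrigin {
		return false
	}
	digest := sha256.Sum256(a.ClientData)
	return ecdsa.VerifyASN1(pub, digest[:], a.Signature)
}

func main() {
	key, err := registerToken()
	if err != nil {
		panic(err)
	}
	const realOrigin = "https://accounts.example.test" // constructed origin
	challenge := "constructed-challenge-1234"         // a server would draw this from crypto/rand
	direct, _ := sign(key, challenge, realOrigin)
	relayed, _ := sign(key, challenge, "https://accounts.example.test.proxy.example")
	fmt.Println("direct login:", verify(&key.PublicKey, challenge, realOrigin, direct))  // true
	fmt.Println("via proxy   :", verify(&key.PublicKey, challenge, realOrigin, relayed)) // false
}
```

The proxy in the article can forward every byte, but it cannot change the origin the user's browser writes into the signed data without invalidating the signature, which is the property the page's quoted advice relies on.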

Ideally, you need to buy and enrol two (one being a backup), which could cost around £40 ($50). We’d argue the investment is well worth it given how many sites you can secure with one key.

If you think this type of security sounds expensive, consider the cost of a phished email, Facebook or Twitter account that you can’t access or reset.