Modlishka – The New Phishing Tool that Targets 2FA

Polish security researcher Piotr Duszynski recently released a penetration testing tool called Modlishka. This tool offers its users the ability to spoof Two Factor Authentication. Previously hailed as the security king, the recent months have shown that 2FA might not be as secure as you’d hope. Read on to understand what Modlishka is/does and how you should proceed with your account security.

Modlishka - The New Phishing Tool that Targets 2FA
Modlishka – The New Phishing Tool that Targets 2FA

What is Modlishka?

Modlishka is a reverse-proxy tool that allows an attacker to trick a target into giving them their password and their 2FA code.

Let me explain.

In other words, it’s a proxy that stands between a user and their intended site. Instead of showing the target a completely spoofed website, the proxy shows the user actual content from the real website. This makes it very hard for anyone to figure out that they’re being scammed.

Modlishka intercepts all of the traffic going back and forth from the user to the website. In other words, an attacker can see the password and the authentication code a user puts in, and access the victim’s real account in real-time.

The tool is open-sourced and can be downloaded off of Github, and while it is targeted to White Hat security researchers there is nothing stopping a hacker from using the tool as well.

Should I Stop Using 2FA?

Absolutely not.
Yes, 2FA can be compromised, but that doesn’t mean that a better option is to simply not have any additional security feature. Think about it, if I tell you that a thief can cut through your home’s front lock with a welding tool, does that mean that your front door’s lock isn’t important? No. As is, 2FA is still an industry standard, and there are things you can do to solidify your authentication.

Security researchers still highly recommend using 2FA. They do agree that the feature isn’t the end-all to all future security, but it is a step in the right direction.

In general, all online security measures go through a vicious cat-and-mouse game between Security experts and bad actors. It’s always a race to find a vulnerability to either fix or abuse. This shouldn’t discourage you from using the security features the experts suggest.

It should, however, make it very obvious that internet users have an obligation to stay as informed about their online security as possible. Gone are the days when we can just use a service without doing our own research, and being informed about what’s going on in the e-world is the most important step you can take to protect your security.

How to Keep My Accounts Secure

There are still things you can do to make sure that you’re protecting yourself from tools like Modlishka. Based on this tool’s threat model, here are two things you can use to help you protect your accounts:

Use UFA  Instead of 2FA

As I noted above, Modlishka spoofs 2FA.

More specifically, it spoofs the 2FA codes that a user has to input. Whether you get the code by SMS (highly unreliable) or via a code generator, the fact that you need to type it back in is what makes 2FA vulnerable.

If you are a high profile internet user or someone who has a lot to lose by not securing their accounts, I suggest going for the ultimate 2FA: 2FA tokens.

2FA tokens are a lot more reliable than code generators because they are hardware-based. You don’t need to type in anything, you just need to plug the token in. They work on something called a U2F protocol (Universal 2nd Factor authentication), which offers the user one universal key to verify all of their accounts.

So far, there are only 2 companies making these U2F tokens: Google and Yubico.

You do need to actually purchase these keys, though, and they’re not exactly cheap. That’s why I suggest that you go through with this step if you are at high-risk for being hacked. However, these are the most secure products you can get today. This kind of authentication also renders Modlishka mute, as there’s nothing that the hacker can spoof.

The tokens work on their own. All you have to do is use the USB or Bluetooth authentication (Google alone offers this feature) and you’re set.

Use a Password Manager

So, this Modlishka is a phishing-based tool. In other words, it’s whole aim is to trick a user into thinking they’re typing in their password and 2FA token/code onto a legitimate website. In other words, if you managed to figure out that the site you’re looking at is a fake you won’t fall for the scam.

For an attacker to use Modlishka, they need to register a custom domain name for the site you end up seeing. Realistically speaking, if you’re trying to log into Gmail but you’re directed to a site that uses a different domain name than Gmail, that’s probably a phishing website, right?

Right. The thing is, people don’t usually check domain names. Humans are creatures of habit. I don’t expect you all to suddenly start double checking every site you use to see if the domain name is accurate.

However, I’m kind of banking on the idea that you either use a password manager that saves your passwords for you, or you’ve agreed to “remember the password” in the default browser you use.

If you’re used to opening up Gmail and finding your password already typed in, you’ll be a little thrown off if that doesn’t happen, right? Well, Modlishka’s spoofed sites won’t have your saved passwords on them… which means you’ll be able to tell that something is wrong and stop yourself from handing the attacker any of the information they want.

If you’re concerned about saving a password on a browser, use a password manager instead. It basically does the same thing and speeds up the process of logging in. It’s simple, affordable, and helps you see when a site is phishing for your info.

Modlishka and the Threat to 2FA – Final Thoughts

Listen, internet security has always been about trying to catch out vulnerabilities before a hacker can. It’s a continuous process, but it’s not a “lost battle” at all. The best thing we can do is make sure we’re consistently up to date with any new phishing campaign. Being an informed user helps you limit the amount of human error, making you a hard target for phishing scams.
What do you think about this new tool? Do you think the expert that made it should have open-sourced it? Let me know in the comments below.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top