ReelPhish – A tool for Social Engineering and Two-Factor Authentication

Share this…

Social engineering campaigns are a threat to everyone; according to cyber securityexperts from the International Institute of Cyber Security, an attack can capture the username and password of a victim and store it for an attacker to use again later.

Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is seen as a solution to the threats. Both of these implementations protect users from phishing campaigns that only capture username and password.

2FA adds an authentication layer over the username and password. Two implementations of 2FA are one-time passwords and push notifications. One-time passwords are generated by a secondary device, such as a token, and linked to a user. These passwords expire in seconds and cannot be reused. Push notifications send a message to a user’s mobile device and ask the user to confirm their attempt to log on.

While 2FA has been recommended by information security professionals for both personal and commercial applications, it is not an infallible solution. 2FA implementations have been successfully defeated using real-time phishing techniques.


There have been reports of real-time phishing in the wild as early as 2010. However, these types of attacks have been ignored due to the perceived difficulty of launching such attacks. Cyber security researchers developed a tool – named ReelPhish – simplifies the real-time phishing technique.

The main component of the phishing tool is designed to run on the attacker’s system. It is a Python script that listens to data from the attacker’s identity phishing site and drives a locally installed web browser using the Selenium framework. The tool can control the web browser of the attacker navigating to specific web pages, interacting with HTML objects and scraping content.

Then the code embedded in the phishing site sends data, such as the captured username and password, to the phishing tool that runs on the attacker’s machine. Once it receives information, it uses Selenium to start a browser and authenticate itself on the legitimate website. All communication between the phishing web server and the attacker’s system is done through an encrypted SSH tunnel.

Victims are tracked by session tokens, which are included in all communications between the phishing site and ReelPhish. This token allows the phishing tool to maintain states for authentication workflows that involve multiple pages with unique challenges. Because the identity spoofing tool is aware of the state, it can send victim information to the legitimate web authentication portal and vice versa.

Cyber security experts recommend configuring all services protected by 2FA to minimize the impact of the attacker if the attacker bypasses the 2FA protections. Do not give up 2FA; it is not a perfect solution, but it adds a layer of security. 2FA is a security mechanism that can fail like any other, and organizations must be prepared to mitigate the impact.

Installation and use

The latest release of Python 2.7.x is required.

Install Selenium, required to run the browser drivers.

pip install -r requirements.txt

Information security experts said that you must download browser drivers for all web browsers you plan to use. Binaries should be placed in this root directory with the following naming scheme.

Internet Explorer:

Download the Internet Explorer Driver Server for 32 bit Windows IE. Unzip the file and rename the binary to: IEDriver.exe.

In order for the Internet Explorer Driver to work, be sure protected mode is disabled. On IE11 (64 bit Windows), you must create registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BFCACHE”. In this key, create a DWORD value named iexplore.exe and set the value to 0.

Further information on Internet Explorer requirements can be found on


Download the latest release of the Firefox GeckoDriver for Windows 32 bit. Unzip the file and rename the binary to: FFDriver.exe.

On Linux systems, download the Linux version of Firefox GeckoDriver and rename the binary to: FFDriver.bin. Linux support is experimental.

Gecko Driver has special requirements. Copy FFDriver.exe to geckodriver.exe and place it into your PATH variable. Additionally, add firefox.exe to your PATH variable.


Download the latest release of the Google Chrome Driver for Windows 32 bit. Unzip the file and rename the binary to: ChromeDriver.exe.

On Linux systems, download the Linux version of the Chrome Web Driver and rename the binary to: ChromeDriver.bin. Linux support is experimental, according to cyber security researchers.

ReelPhish consists of two components: the phishing site handling code and this script. The phishing site can be designed as desired. Sample PHP code is provided in /examplesitecode. The sample code will take a username and password from a HTTP POST request and transmit it to the phishing script.

The phishing script listens on a local port and awaits a packet of credentials. Once credentials are received, the phishing script will open a new web browser instance and navigate to the desired URL (the actual site where you will be entering a user’s credentials). Credentials will be submitted by the web browser.

Information security specialists said that the recommended way of handling communication between the phishing site and this script is by using a reverse SSH tunnel. This is why the example PHP phishing site code submits credentials to localhost: 2135.

Now, you must specify the browser you will be using with the –browser parameter. Supported browsers include Internet Explorer (“–browser IE”), Firefox (“–browser FF”), and Chrome (“–browser Chrome”). Windows and Linux are both supported. Chrome requires the least amount of setup steps.

You must specify the URL. The script will navigate to this URL and submit credentials on your behalf. Other optional parameters are available.

Set the logging parameter to debug (–logging debug) for verbose event logging

Set the submit parameter (–submit) to customize the element that is “clicked” by the browser

Set the override parameter (–override) to ignore missing form elements

Set the numpages parameter (–numpages)

ReelPhish supports multiple authentication pages. In some cases a two factor authentication code may be requested on a second page. To implement this feature, be sure that –numpages is set to the number of authentication pages. Also be sure that the session ID is properly tracked on your phishing site. The session ID is used to track users as they proceed through each step of authentication.