A new tool that allows you to bypass two-factor authentication

This authentication method might not be as secure as we thought

Piotr Duszynski, a Polish network-security researcher, recently announced the release of a tool called “Modlishka” (Polish for “mantis”), which, according to the expert, is a penetration-testing tool that can, for example, automate the deployment of phishing campaigns. He also stated that the tool can compromise accounts on various online services even when two-factor authentication (2FA) is enabled.

Modlishka sits between the victim and the site being targeted, for example an email provider such as Gmail, Outlook or Yahoo, Duszynski explains. The victim connects to the Modlishka server, which forwards the victim’s requests to the impersonated website and relays the responses back, so the victim cannot tell the spoofed site from the real one. Because Modlishka takes its content directly from the impersonated site, the attacker does not have to spend time building a new template for each attack.

Once the site has been impersonated, the victim interacts with authentic content from the legitimate website and can, for example, shop online as usual. However, everything the victim submits, including login credentials and any one-time codes entered during the session, is logged on the Modlishka server, which can lead to identity fraud and other malicious activity.
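The relay described above, as an added example that is not code from Modlishka or from the article: a self-contained simulation of a reverse-proxy phishing session against a login protected by a time-based one-time password (TOTP). The hostnames, the account, the password and the TOTP secret are all constructed for the demo, and nothing touches the network. It shows why the second factor does not help: the code is forwarded to the real site while it is still valid, and what the attacker keeps is the resulting session cookie, not the code.

```python
# Added example (not Modlishka's code): simulation of the reverse-proxy relay
# the article describes. LEGIT_HOST, PHISH_HOST, the account and the TOTP
# secret are constructed for the demo; nothing here touches the network.
import base64
import hashlib
import hmac
import secrets
import struct

LEGIT_HOST = "mail.example.com"         # assumed legitimate provider
PHISH_HOST = "mail.example-login.net"   # assumed attacker-controlled domain


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class LegitService:
    """Stand-in for the real site: password + TOTP, then a session cookie."""

    def __init__(self, user: str, password: str, totp_secret: bytes):
        self.users = {user: (password, totp_secret)}
        self.sessions = {}          # session token -> user
        self.used_codes = set()     # (user, code) already accepted: no replay

    def get_login_page(self) -> str:
        # Every absolute link in the real page points at the legitimate host.
        return (f'<form action="https://{LEGIT_HOST}/login" method="post">'
                f'<img src="https://{LEGIT_HOST}/logo.png"></form>')

    def post_login(self, form: dict, now: int) -> dict:
        password, secret = self.users.get(form.get("user"), (None, None))
        if password is None or not hmac.compare_digest(password, form.get("password", "")):
            return {"status": 401}
        code = form.get("otp", "")
        if not hmac.compare_digest(totp(secret, now), code) or (form["user"], code) in self.used_codes:
            return {"status": 401}
        self.used_codes.add((form["user"], code))
        token = secrets.token_hex(16)
        self.sessions[token] = form["user"]
        return {"status": 302, "set_cookie": f"session={token}"}

    def whoami(self, cookie: str):
        """Resolve a 'session=<token>' cookie to the logged-in user, or None."""
        return self.sessions.get(cookie.partition("=")[2])


class PhishingProxy:
    """Forwards requests to the upstream site in real time, rewrites hostnames in
    responses so every link points back at the proxy, and logs what passes through."""

    def __init__(self, upstream: LegitService):
        self.upstream = upstream
        self.captured = []

    def get(self) -> str:
        body = self.upstream.get_login_page()
        return body.replace(LEGIT_HOST, PHISH_HOST)   # victim sees a consistent page

    def post(self, form: dict, now: int) -> dict:
        response = self.upstream.post_login(form, now)   # OTP relayed while still valid
        self.captured.append({"form": dict(form), "cookie": response.get("set_cookie")})
        return response


def run_simulation(now: int = 1_700_000_000) -> dict:
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")          # constructed demo secret
    site = LegitService("alice", "correct horse", secret)
    proxy = PhishingProxy(site)

    page = proxy.get()
    victim_form = {"user": "alice", "password": "correct horse", "otp": totp(secret, now)}
    victim_resp = proxy.post(victim_form, now)             # victim logs in normally

    stolen = proxy.captured[-1]
    attacker_user = site.whoami(stolen["cookie"]) if stolen["cookie"] else None
    replay = site.post_login(stolen["form"], now)          # reusing the captured OTP later
    return {
        "page_shows_legit_host": LEGIT_HOST in page,
        "victim_status": victim_resp["status"],
        "captured_otp": stolen["form"]["otp"],
        "attacker_user": attacker_user,
        "otp_replay_status": replay["status"],
    }


if __name__ == "__main__":
    for key, value in run_simulation().items():
        print(f"{key}: {value}")
```

The point of the replay check at the end is that the stolen one-time code by itself is worthless: a correct server rejects it on reuse. What the relay yields is the session cookie issued after the real site accepted the code, which the attacker can present as the victim until it expires. Codes delivered by app or SMS are relayed this way because nothing in them is bound to the site the victim is actually talking to; authenticators that sign the origin the browser connected to (FIDO2/WebAuthn security keys) do not produce a usable assertion for the phishing domain. The one visible difference the proxy cannot hide is the hostname in the browser’s address bar.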

Anyone who wants to use the tool, whatever their purpose, only has to configure the domain that will host the phishing campaign and obtain a valid TLS certificate for it. The impersonated site the victim visits must be served over a ‘secure’ HTTPS connection; otherwise the browser warns the victim about the missing HTTPS connection, reducing the chances of the attack succeeding.

Finally, the operator needs a configuration file for the phishing domain that redirects the victim to the legitimate website at the end of the phishing session. Modlishka is currently available on GitHub under an open-source license.

According to the network-security expert, using the tool is as easy as “target and click”; and because it is open source, many malicious actors may begin testing it in phishing campaigns of their own.