Advanced phishing tool with automation can now bypass Two-factor Authentication

• Modlishka is a new phishing tool that breaks into login pages which are even protected with features such as 2FA.
• Modlishka’s creator Piotr Duszynski says that the tool works on the concept of ‘reverse proxy’.

A new tool has has been released that targets 2FA or Two-factor Authentication. Known as Modlishka -- translating to ‘mantis’ in English, this tool not only automates phishing but also knocks down 2FA. Piotr Duszynski, the researcher behind this tool says that it can bypass most of the current 2FA authentication schemes.

Duszynski came up with Modlishka to help red-team penetration testers reinforce their own phishing attacks. The striking feature of this tool is its reverse proxy functionality which can totally overcome most 2FA. A brief video demo is presented here. In essence, Modlishka places itself as a server between a user and website (Gmail, for example). So, the server captures every action (including passwords and 2FA tokens) by the user without his knowledge, and is readily available at the attackers’ disposal.

The possibility of automated phishing in a click

Modlishka’s ease of use makes it an ideal tool for automated phishing. In addition, attackers need not work with different phishing templates that are time-consuming. All Modlishka requires is a domain name and a TLS Certificate to operate flawlessly on the host environment. “At the time when I started this project (which was in early 2018), my main goal was to write an easy-to-use tool, that would eliminate the need of preparing static web page templates for every phishing campaign that I was carrying out.” said Duszynski to ZDNet.

While automated phishing has not been tested extensively with Modlishka, only time will tell of its effectiveness. Interestingly, this tool fails on a U2F protocol which is hardware-dependent. Future releases might even see improvements over U2F and make it more capable than it is currently.