Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

New Tool Automates Phishing Attacks That Bypass 2FA (zdnet.com) 121

A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). From a report: Named Modlishka --the English pronunciation of the Polish word for mantis -- this new tool was created by Polish researcher Piotr Duszynski. Modlishka is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations. It sits between a user and a target website -- like Gmail, Yahoo, or ProtonMail. Phishing victims connect to the Modlishka server (hosting a phishing domain), and the reverse proxy component behind it makes requests to the site it wants to impersonate. The victim receives authentic content from the legitimate site --let's say for example Google -- but all traffic and all the victim's interactions with the legitimate site passes through and is recorded on the Modlishka server.
This discussion has been archived. No new comments can be posted.

New Tool Automates Phishing Attacks That Bypass 2FA

Comments Filter:
  • you need to control DNS at the point of end user connection like with ... HOSTFILES :)

    • by Darkk ( 1296127 )

      That would be true if the computer been infected with malware. However, most people don't pay close attention to details like URLs before continuing so that would be hope by the attackers.

      you need to control DNS at the point of end user connection like with ... HOSTFILES :)

    • by DarkOx ( 621550 )

      Yes if only there was some method to provide cryptographicly verifiable DNS responses...hmm

    • OMG

      You just had to say it . . . . .

      I think if you say it three times, we'll get a wall of text about how modifying your host files will:

      1) Spice up your sex life
      2) Cure Cancer
      3) Solve P vs NP
      4) Balance the National Debt

    • by dissy ( 172727 )

      you need to control DNS at the point of end user connection

      Why would you?
      The user end point is already configured to query the root servers, which is all that's needed.
      Any domain I register will be added to its particular top level that the roots already point at, and the circle of life is complete.

      No, all you need is an end user stupid enough to think gmail.myowndomain.tld is actually gmail when they click it, and those are in no short supply.

  • by fuzzyf ( 1129635 ) on Wednesday January 09, 2019 @02:08PM (#57932460)
    This just highlights the importance of HTTPS and Strict Transport Security Header.
    Preloaded HSTS would require the attacker to install a root certificate on the victims computer or compromise an already existing one.

    If you have that amount of control you can do far more than bypass 2FA.
    • I think the more amusing question would be is that really true that you would need to do at least one of those things to succeed in attacking. I would say it depends on the messaging throughout of legitimate traffic and attacker traffic. Any system is hacksble if you give it enough time but maybe there isnt so much time in most lab testing scenarios for a variety of reasons

    • by sinij ( 911942 )
      You don't need HSTS if you pay attention or browser warns you about submitting credentials over unencrypted** connection.

      ** In this case, it is certificate based authentication, a different technology from encryption, that help to definitively established the identity of the server as part of TLS handhsake that saves your bacon, but the entire process colloquially known as encryption.
      • by DarkOx ( 621550 ) on Wednesday January 09, 2019 @02:49PM (#57932816) Journal

        The problem HSTS does not solve though is if I can get you to click my link to http://g0ogle.com/ [g0ogle.com] (ok that one is taken but you get the idea) or https://g0ogle.com/ [g0ogle.com].

        HSTS won't let me MTIM your request to http://google.copm/ [google.copm] and inject my own content (because it plain text) or redirect you somewhere else because your browser will ignore that you asked for HTTP and do HTTPS and my cert won't pass muster. It will do nothing if I con you with a look-a-like domain. Which thanks those morons at LetsEncrypt I can easily obtain a certificate for gaining my a nice TLS connection that will appear secure in your browser and let me evade a lot of IPS systems and other protections on the network to sever up whatever malicious garbage I want.

        • A good password manager won't fill your google.com user ID and password into a g00gle.com web page. (I know LastPass won't; I'd assume others would balk at this, too.)

      • by fuzzyf ( 1129635 )
        That is not entirely accurate.
        Browser will stop you from clicking a submit-button on a form, but nothing stops an attacker from using XMLHttpRequests (ajax call back in the day) to pass credentials. Button could then be wired up to just to a regular HTTP GET.
    • by bob4u2c ( 73467 )

      Modlishka is what IT professionals call a reverse proxy

      A classic man in the middle attack. If you control the network between the client and server; being able to snoop on 2FA is the least of your worries. Using SSL might help, but if your DNS is compromised as well then your out of luck.
      As a developer I use a reverse proxy whenever I need to view data being exchanged between different tiers of an application. Using SSL makes it harder, but there are ways of generating fake certs and using dns to mask where they really came from.

      Again, if someone is able

    • by guruevi ( 827432 )

      That really depends. If you can compromise the browser or browser cache but nothing else, there is still value where you can modify DNS and/or root CA but still not record keystrokes and clicks (since some browsers *cough* Chrome *cough* now resolve independently from the OS/network).

  • Useful tool for recording unencrypted traffic, but for anything that matters these days you have to find a way to present matching and trusted certificate.

    For example, when connecting to /. my browser will check DNS record (i.e. slashdot.org) to an identifier in X.509 certificate (i.e. SAN contains slashdot.org). While DNS lookup could be hijacked, there is no way to hijack certificate without getting hold of a private key. If you simply proxy it, then you would only see encrypted traffic. If you substitut
    • Re: (Score:3, Informative)

      by DarkOx ( 621550 )

      Except that I am not going to hijack slashdot.org I am going to attempt to con you into going to slashdit.org instead. Which I will proxy to slashdot.org's login page so you don't think anything is wrong. You will most likely go ahead and authenticate (and I'll sniff the cookies along the way). I know you want give the URL a second look either because thanks to Google nobody displays address bars anymore. So if you click my initial link I totally own you.

      Oh and mysite will have TLS and valid certificate

  • by mark_reh ( 2015546 ) on Wednesday January 09, 2019 @02:21PM (#57932576) Journal

    3 factor authentication!

    It's the 7-minutes abs of IT!

    • I'm holding out for 99-factor authentication.

    • by bob4u2c ( 73467 )
      3 Factors relate to the following categories:

      1. Something you know: username, password, pin number, etc.

      2. Something you have: token generator, cell phone, computer, etc.

      3. Something you are: your fingerprint, eye scan, hand geometry, voice print, etc.

      I often hear people say that using CAPTCHA's or having to answer 3 to questions are two factors, but those still fall under the first category, something you know. I also hear people say to use a fingerprint or something, can't fake that. The problem
      • Yup, everything done online or passed through a single wire is essentially 1 factor. Something you know.

        Oh, you used a fingerprint scanner or smartcard reader? It just passed a signal to the verifying device/service. The verifying device/service didn't check to see you had a smartcard or that you used a valid fingerprint. It trusted the signal it got and believed the device that sent it.

        Something you have and something you are require physical, interactive inspection. In a real security scenario, this

    • Fuck it. We're going to five factors.

      Sure, we could go to 3 factors next, like the competition. That seems like the logical thing to do. After all, two worked out pretty well, and three is the next number after two. So let's play it safe. Why innovate when we can follow? Oh, I know why: Because we're a business, that's why!

  • Create one!

    This seems like it should be easy to defeat. Acting as a portal ought to come with some sort of detectable signature. A few extra ms, routing abnormalities?

  • "an ease never seen before" >>> https://en.wikipedia.org/wiki/... [wikipedia.org]

  • Not sure why it needs a new name or what is really new.
    • Didn't read the summary, eh?

      All of the MITM work has been done. You just snag the github code, deploy it on a server, tell it a URL to impersonate, and then get people to go to that serer. It's script-kid ready. You don't need to know how to code to deploy this. You don't even really need to know much about how the internet works.

      Of course, the more you understand, the more effective this could be. There are enough dumbasses out there that if they click to a page that's identical to the one they are looking

  • There is that term again. He released a tool publicly to actively break security via MITM phishing. This is not how anyone serious about security would act. Call him a script-kiddie enabler.
  • Which any decent website will block due to weird traffic from set of ips or by behaviour blocking?

    Am I missing something ?

  • A letter by post with more code on it?
    A CC sized device with a LCD display using a time limited code sent by post?
    • A keyboard overlay that alters the location of the letters?
      Maybe a special lens that re-assembles the text on the screen so it's readable?

      I miss the old days ;-)

  • Named Modlishka .. this new tool .. is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations

    Didn't a reverse proxy turn up in eps1.3__da3m0ns.mp4 [codibyte.com] of Mr Robot [imdb.com]?
  • Neat idea, i have seen tools like that a few times a few years back. One other tool has a cute and fitting name for this relay proxy idea. Its called KoiPhish lol : https://github.com/wunderwuzzi... [github.com]

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...