New Tool Automates Phishing Attacks That Bypass 2FA (zdnet.com)
A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). From a report: Named Modlishka -- the English pronunciation of the Polish word for mantis -- this new tool was created by Polish researcher Piotr Duszynski. Modlishka is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations. It sits between a user and a target website -- like Gmail, Yahoo, or ProtonMail. Phishing victims connect to the Modlishka server (hosting a phishing domain), and the reverse proxy component behind it makes requests to the site it wants to impersonate. The victim receives authentic content from the legitimate site -- let's say, for example, Google -- but all traffic and all of the victim's interactions with the legitimate site pass through and are recorded on the Modlishka server.
so... (Score:2)
you need to control DNS at the point of end user connection like with ... HOSTFILES :)
Re: (Score:2)
That would be true if the computer had been infected with malware. However, most people don't pay close attention to details like URLs before continuing, so that would be the hope of the attackers.
you need to control DNS at the point of end user connection like with ... HOSTFILES :)
Re: (Score:2)
Yes, if only there was some method to provide cryptographically verifiable DNS responses... hmm
Re: (Score:2)
but... it's so complicated :)
Re: (Score:2)
OMG
You just had to say it . . . . .
I think if you say it three times, we'll get a wall of text about how modifying your host files will:
1) Spice up your sex life
2) Cure Cancer
3) Solve P vs NP
4) Balance the National Debt
Re: (Score:2)
you need to control DNS at the point of end user connection
Why would you?
The user end point is already configured to query the root servers, which is all that's needed.
Any domain I register will be added to its particular top level that the roots already point at, and the circle of life is complete.
No, all you need is an end user stupid enough to think gmail.myowndomain.tld is actually gmail when they click it, and those are in no short supply.
Highlights the importance of HTTPS and HSTS header (Score:3)
Preloaded HSTS would require the attacker to install a root certificate on the victim's computer or compromise an already existing one.
If you have that amount of control you can do far more than bypass 2FA.
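To make the comment's point concrete, here is an added example (not code from Modlishka, the thread, or any browser) that parses a Strict-Transport-Security header and reports why it would or would not qualify for the browser preload list, assuming the hstspreload.org criteria of a max-age of at least one year, includeSubDomains and preload:

```python
# Added example: parse a Strict-Transport-Security header and check it
# against the preload-list criteria (max-age >= 1 year, includeSubDomains,
# preload). Sample headers are constructed; this is not browser code.
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the hstspreload.org minimum for max-age


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the directives of an HSTS header value (names are case-insensitive)."""
    max_age = None
    include_sub = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                max_age = None  # a malformed max-age means no usable policy
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_sub, preload)


def preload_problems(header: str, served_over_https: bool = True) -> List[str]:
    """Return the reasons a header would not be accepted for preloading."""
    policy = parse_hsts(header)
    problems = []
    if not served_over_https:
        problems.append("header must be served over HTTPS")
    if policy.max_age is None:
        problems.append("missing or invalid max-age")
    elif policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


# Constructed sample headers: a weak policy beside a preload-eligible one.
WEAK_HSTS = "max-age=3600"
STRONG_HSTS = "max-age=63072000; includeSubDomains; preload"
```

Note that a preloaded policy only protects the legitimate domain's own hostnames; it says nothing about a look-alike domain the attacker registers and serves with its own valid certificate.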
Re: Highlights the importance of HTTPS and HSTS he (Score:1)
I think the more amusing question would be whether it is really true that you would need to do at least one of those things to succeed in attacking. I would say it depends on the messaging throughout of legitimate traffic and attacker traffic. Any system is hackable if you give it enough time, but maybe there isn't so much time in most lab testing scenarios for a variety of reasons.
Re: (Score:2)
** In this case, it is certificate-based authentication, a different technology from encryption, that helps to definitively establish the identity of the server as part of the TLS handshake that saves your bacon, but the entire process is colloquially known as encryption.
Re:Highlights the importance of HTTPS and HSTS hea (Score:4, Insightful)
The problem HSTS does not solve though is if I can get you to click my link to http://g0ogle.com/ [g0ogle.com] (ok that one is taken but you get the idea) or https://g0ogle.com/ [g0ogle.com].
HSTS won't let me MITM your request to http://google.copm/ [google.copm] and inject my own content (because it's plain text) or redirect you somewhere else, because your browser will ignore that you asked for HTTP and do HTTPS, and my cert won't pass muster. It will do nothing if I con you with a look-alike domain. Which, thanks to those morons at LetsEncrypt, I can easily obtain a certificate for, gaining me a nice TLS connection that will appear secure in your browser and let me evade a lot of IPS systems and other protections on the network to serve up whatever malicious garbage I want.
Re: (Score:2)
A good password manager won't fill your google.com user ID and password into a g00gle.com web page. (I know LastPass won't; I'd assume others would balk at this, too.)
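The origin check the comment describes, as an added example that is not LastPass's or any other manager's real code: a constructed vault keyed by the exact origin a credential was saved on, and a fill decision that matches only on the registrable domain over HTTPS, so g00gle.com, gmail.myowndomain.tld and user@host tricks get nothing. The two-label registrable-domain rule is a simplification; real managers consult the Public Suffix List.

```python
# Added example: the autofill origin check of a password manager, approximated.
# Not any real manager's code; vault contents and the matching rule are constructed.
from urllib.parse import urlsplit

# Constructed vault: credentials stored against the exact origin they were saved on.
VAULT = {
    "https://accounts.google.com": ("alice@example.test", "s3cret"),
    "https://slashdot.org": ("alice", "hunter2"),
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for the demo; a real manager
    uses the Public Suffix List so suffixes like co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def credential_for(page_url: str):
    """Return the stored credential for page_url, or None if nothing may be filled."""
    parts = urlsplit(page_url)
    # Never fill into plaintext pages: a MITM could rewrite the form, and the
    # credential was saved on an HTTPS origin.
    if parts.scheme != "https" or not parts.hostname:
        return None
    # urlsplit().hostname strips any user@ prefix, so
    # https://accounts.google.com@evil.test/ resolves to evil.test, not Google.
    host = parts.hostname.lower()
    for origin, cred in VAULT.items():
        stored = urlsplit(origin).hostname.lower()
        # mail.google.com shares google.com with accounts.google.com and is
        # filled; g00gle.com, google.com.evil.test and gmail.myowndomain.tld
        # have a different registrable domain and are refused.
        if registrable_domain(host) == registrable_domain(stored):
            return cred
    return None
```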
Re: (Score:2)
You're better off using the password manager in Chrome in my opinion; it even generates strong passwords now. LastPass has had several important security issues in the past few years.
Really? (google, google) Nope. Nothing I hadn't seen before, nothing really major, and all addressed very quickly when discovered. If I had a trivial master password, it might be an issue, but I don't.
Re: (Score:1)
Wrong. LetsEncrypt removed any (although it was already limited) trust you could have in a third party CA. Before LE most CAs made at least a little effort to not provide or to revoke certs for obvious phishing domains when the complaints rolled in.
Nothing LE does is needed for an encrypted web. We could all be using self signed certs + pinning and it would provide EXACTLY as much assurance as LE certs provide. The problem was the browser vendors could not do anything smarter with their stupid "scare s
Re: (Score:1)
I think you got it all wrong with Let's Encrypt. Google could shut down the project overnight by revoking their root certificate. Microsoft, Firefox and Apple would soon follow. Yet, they haven't done so. I know the GP said mostly the same thing, but it is worth repeating: CAs are not trustworthy. If they make it difficult or inconvenient to get a certificate, their clients will simply flock to another CA which is more accommodating. Symantec once was one of the biggest CAs, and it took years of abuse befor
Re: (Score:2)
The CAs were never dependable, but the for-profit CAs never made the problem this bad:
https://it.slashdot.org/story/... [slashdot.org]
Basically LE took what was already a problematic and dubious trust system and cranked the problems up to 11. Analogy: buying stuff from some guy on the street vs. buying stuff from someone who is legally incorporated. Of course anyone can incorporate; it doesn't take much effort or prove much - but it takes some effort and means you at least have an address on file. It's a weak check but it's 'some
Re: (Score:2)
The browser will stop you from clicking a submit button on a form, but nothing stops an attacker from using XMLHttpRequests (AJAX calls back in the day) to pass credentials. The button could then be wired up to just do a regular HTTP GET.
Re: (Score:1)
Modlishka is what IT professionals call a reverse proxy
A classic man-in-the-middle attack. If you control the network between the client and server, being able to snoop on 2FA is the least of your worries. Using SSL might help, but if your DNS is compromised as well then you're out of luck.
As a developer I use a reverse proxy whenever I need to view data being exchanged between different tiers of an application. Using SSL makes it harder, but there are ways of generating fake certs and using DNS to mask where they really came from.
Again, if someone is able
Re: (Score:2)
That really depends. If you can compromise the browser or browser cache but nothing else, there is still value where you can modify DNS and/or root CA but still not record keystrokes and clicks (since some browsers *cough* Chrome *cough* now resolve independently from the OS/network).
Useful tool, but you still have to get past PKI... (Score:2)
For example, when connecting to
Re: (Score:3, Informative)
Except that I am not going to hijack slashdot.org; I am going to attempt to con you into going to slashdit.org instead, which I will proxy to slashdot.org's login page so you don't think anything is wrong. You will most likely go ahead and authenticate (and I'll sniff the cookies along the way). I know you won't give the URL a second look either, because thanks to Google nobody displays address bars anymore. So if you click my initial link I totally own you.
Oh, and my site will have TLS and a valid certificate.
Re: (Score:2)
not mind seeing malicious hacking become a death sentence. Ditto rape, child molestation, selling drugs to minors, and many others.
Sorry, but hacking is not as "ditto" simple as the other crimes you list here. Rape, child molestation, and selling drugs all usually require concrete physical evidence. I'm not going to face a fucking firing squad because some script kiddie was smart enough to spoof MY IP address when committing an electronic crime. And I'm not about to rely on some dinosaur judge rapping the gavel of fate to understand what IP spoofing is, and why I'm innocent. Fuck that legal nightmare.
Re: (Score:2)
>The West has grown very soft when it comes to crime
Have you SEEN our incarceration statistics? I mean, "for-profit prison industry" is pretty self-explanatory.
The only thing self explanatory about a for-profit prison system is the profit part. Prioritizing criminals to be incarcerated for life instead of championing the death sentence when justified IS a sign of going soft on crime. We may be known as the Incarcerated States of America, but that sure as hell doesn't equate to a country with exceedingly low crime rates. That for-profit criminal system we have isn't deterring jack shit. Hell, it's viewed by many as a place where you can get three square meals a
I have the fix! (Score:5, Funny)
3 factor authentication!
It's the 7-minutes abs of IT!
Re: (Score:2)
I'm holding out for 99-factor authentication.
Re: (Score:2)
That's a pie in the sky idea. Never going to happen. I'm just holding out for one that goes up to 11. That's at least possible, I think.
Re: (Score:2)
That only works for CONTROL.
Re: (Score:2)
That only works for CONTROL.
Missed it by THAT much!
Re: (Score:2)
1. Something you know: username, password, pin number, etc.
2. Something you have: token generator, cell phone, computer, etc.
3. Something you are: your fingerprint, eye scan, hand geometry, voice print, etc.
I often hear people say that using CAPTCHAs or having to answer 3 to questions are two factors, but those still fall under the first category, something you know. I also hear people say to use a fingerprint or something, can't fake that. The problem
Re: (Score:2)
Yup, everything done online or passed through a single wire is essentially 1 factor. Something you know.
Oh, you used a fingerprint scanner or smartcard reader? It just passed a signal to the verifying device/service. The verifying device/service didn't check to see you had a smartcard or that you used a valid fingerprint. It trusted the signal it got and believed the device that sent it.
Something you have and something you are require physical, interactive inspection. In a real security scenario, this
Fuck Everything, We're Doing 5 Factors (Score:2)
Fuck it. We're going to five factors.
Sure, we could go to 3 factors next, like the competition. That seems like the logical thing to do. After all, two worked out pretty well, and three is the next number after two. So let's play it safe. Why innovate when we can follow? Oh, I know why: Because we're a business, that's why!
When there isn't a middle to abuse (Score:2)
Create one!
This seems like it should be easy to defeat. Acting as a portal ought to come with some sort of detectable signature. A few extra ms, routing abnormalities?
Re: (Score:2)
The attacker presents a login dialog to the user, and forwards that info to a genuine session.
The attacker presents a 2 factor dialog to the user, and forwards that info to a genuine session.
The attacker wins.
For bonus points, the attacker presents a second 2 factor dialog to the user, the user complies thinking they typed the code in wrong or the code timed out. The attacker uses that 2nd code to disable the 2 factor requirement on the account.
The attacker only needs to get a bit of malware on your box to
"an ease never seen before" (Score:2)
"an ease never seen before" >>> https://en.wikipedia.org/wiki/... [wikipedia.org]
Looks like a man in the middle attack (Score:2)
Re: (Score:3)
Didn't read the summary, eh?
All of the MITM work has been done. You just snag the GitHub code, deploy it on a server, tell it a URL to impersonate, and then get people to go to that server. It's script-kid ready. You don't need to know how to code to deploy this. You don't even really need to know much about how the internet works.
Of course, the more you understand, the more effective this could be. There are enough dumbasses out there that if they click to a page that's identical to the one they are looking
'Security Researcher' (Score:2)
So a false domain reverse proxy? (Score:2)
Which any decent website will block due to weird traffic from set of ips or by behaviour blocking?
Am I missing something ?
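The "weird traffic from a set of IPs" the post above is reaching for is one signal the impersonated site can actually use: a reverse-proxy phishing server relays every victim's login from its own address, so one source IP authenticates to many distinct accounts in a short window. Here is an added detection example over a constructed login log (not Modlishka code and not from any real site); the log format, addresses and thresholds are assumptions.

```python
# Added example: flag source IPs that successfully log in to many distinct
# accounts within a short window, the footprint a relaying phishing proxy leaves
# on the real site. Log format and values are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2019-01-10T09:00:01Z 203.0.113.7 alice success
2019-01-10T09:03:45Z 203.0.113.7 bob success
2019-01-10T09:05:12Z 198.51.100.20 carol success
2019-01-10T09:07:30Z 203.0.113.7 dave success
2019-01-10T09:08:02Z 203.0.113.7 erin failure
2019-01-10T09:09:55Z 203.0.113.7 frank success
2019-01-10T11:30:00Z 198.51.100.20 carol success
"""


def parse_log(text):
    """Yield (time, ip, account, result) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def shared_source_alerts(text, window=timedelta(minutes=15), threshold=3):
    """Return {ip: sorted accounts} for every IP that successfully logged in to
    at least `threshold` distinct accounts inside some `window`-long span."""
    by_ip = defaultdict(list)
    for when, ip, account, result in parse_log(text):
        if result == "success":  # failures are noise here; successes are the relay
            by_ip[ip].append((when, account))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide the window start over each event and count distinct accounts.
        for i, (start, _) in enumerate(events):
            inside = {acct for when, acct in events[i:] if when - start <= window}
            if len(inside) >= threshold:
                alerts[ip] = sorted(inside)
                break
    return alerts
```

Shared egress addresses (corporate NAT, carrier-grade NAT, VPN exits) trip the same rule, so in practice the threshold is tuned per source and the alert is combined with other signals such as a TLS fingerprint or user agent that never changes across the "different" users.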
3 factor security (Score:2)
A CC-sized device with an LCD display using a time-limited code sent by post?
Re: (Score:2)
A keyboard overlay that alters the location of the letters?
Maybe a special lens that re-assembles the text on the screen so it's readable?
I miss the old days ;-)
New reverse proxy penetration testing tool? (Score:2)
Didn't a reverse proxy turn up in eps1.3__da3m0ns.mp4 [codibyte.com] of Mr Robot [imdb.com]?
KoiPhish (Score:1)