Can Overcome Multi-factor Authentication and Enable Phishing
As a basic element of cyber security programs, penetration testing is standard protocol for detecting possible IT network vulnerabilities. There are many penetration testing tools available that simulate hacker attacks to discover cracks in firewalls and other defenses. Developers are constantly building new tools to keep up with evolving threats and the measures put in place to avert them.
The Best Intentions…
A recently-launched open source pen test, called the Modlishka tool was developed to allow robust testing in a multi-factor authentication environment. MFA processes are being adopted by a rapidly increasing number of organizations. In order to be as effective as possible, the tool must be able to bypass two-factor authentication (2FA). Unfortunately, since the start of 2019, it is available to anyone via GitHub, including hackers who can use the tool to bypass 2FA and launch phishing schemes that are more difficult to detect and thwart than ‘traditional’ phishing attacks.
According to its developer, Polish cyber security researcher Piotr Duszyński, he intended Modlishka (translation from Polish: Mantis) to enable cyber security professionals to launch phishing emails to measure employee awareness of and susceptibility to phishing schemes in 2FA environments.
He’s also explained that Modlishka doesn’t specifically prove that 2FA is damaged, but rather that it can be outwitted with the right tool, sharp social engineering skills and the general lack of awareness of how to recognize such attacks.
Its open architecture and its GitHub availability makes it widely adaptable and the unintended consequence is that, at the moment, there is little-to-no-defense against its use by bad actors for nefarious purposes.
How Does Modlishka Work?
According to Security News:
“Modlishka is a reverse proxy that sits on a server that hosts a phishing domain that resides between a victim’s cloud-based email account and the victim’s device. The attacker spoofs the target domain, such as a VPN or webmail portal which then sits on the server, and then as the victim sends information through to the fake domain the tool is able to track and log the content. However, it does not set up a fake version of the site, but in fact allows the real site to send information to the victim which is intercepted by Modlishka.”
It's also known that the reverse proxy sends 2FA tokens that can provide access to the target website’s IT infrastructure.
At an early point in the attack -- before tokens can be acted upon -- security teams can diminish the impact by identifying suspect registrations. But because Modlishka delivers real website content, it removes the hacker’s need to create spoof sites or templates of landing pages to steal information. This actually makes it easier for the hacker to set up an attack – and more difficult for security folks to be alerted.
We recommend hyper-vigilance on the part of security pros to spot attacks from skirted 2FA set-ups. And since hackers depend on a lack of awareness of phishing tactics, once again, we submit that employee training is the best antidote to ignorance of the problem and vulnerable users. At minimum, they must learn to check the domain of every link or download for authenticity before clicking.
But, according to Piotr Duszyński, the only surefire way to protect against a bypass of multi-factor authentication is to adopt Universal Two-factor Authentication, the topic of our last blog post, which uses biometrics and other non-password-dependent authentication methods.
If you’d like to speak with Soundshore Technology Group’s cyber security experts to learn more about how to protect your registered organization from cyber threats, send an email to email@example.com. While you’re here, please take a look at our full array of cyber security services.