The tool can bypass traditional 2FA, but does not work against the newer U2F standard. What just happened? A security researcher in Poland has released a tool that automates phishing attacks and can easily bypass two-factor authentication (2FA).
Piotr Duszynski released the tool a few days ago and it has put the security community on high alert. The tool is available on GitHub and is extremely simple to use. It allows a hacker to break into your account, even if you have 2FA enabled.
Called Modlishka, the tool is a reverse proxy, which means it sits between the user being targeted and the legitimate website. Traditional phishing tools were complicated and required extensive coding and web programming skills, but this simple tool appears to be different. It is essentially point-and-click and gives the proverbial "script kiddie" everything they need to take over someone's account with minimal effort.
Modlishka works by intercepting traffic from the user to the website being targeted. To carry out this attack, the attacker simply needs to obtain a cheap TLS certificate and redirect the user to his website. Since Modlishka is a reverse proxy, it passes through all of the web content and form entries from the real website to the user. This removes the need to create an exact template of the website you are targeting to ensure the user doesn’t suspect they are being phished.
When the user tries to log in, everything will look normal to them, except that their credentials will be sent to the Modlishka server first. Modlishka will then send the credentials to the real server and the user will be logged in to a session. Modlishka will continue forwarding all of the traffic as normal so this hacked session will behave just like a normal one. If the service the user is trying to access requires 2FA, those credentials will be sent to the attacker as well.
Once the attacker has the valid 2FA credentials that were stolen from the user, he can log in to the genuine website with a legitimate 2FA key. Here is a short demonstration of just how easy it is to carry out this attack.
Duszynski opted to post his source code publicly on GitHub to increase awareness. He believes that "without a working proof of concept that really proves the point, the risk is treated as theoretical and no real measures are taken to address it properly." He describes the tool as "a flexible and powerful reverse proxy, that will take your phishing campaigns to the next level (with minimal effort required from your side)."
This attack does not fully circumvent 2FA though, since it still requires the user to input an actual valid 2FA code. The attacker also has to intercept it in real time to ensure it doesn't expire before he can use it to log in. This reverse proxy method is not able to bypass the more robust Universal Second Factor (U2F) though, because a U2F response is bound to the origin the browser is actually connected to, so a response produced on the proxy's domain is rejected by the genuine site.
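To illustrate the distinction drawn above, here is an added example (not code from Modlishka or its author) that models both factors at the relying party: a TOTP code carries no information about which site it was typed into, so a relayed code is accepted, while an origin-bound U2F-style response signed on the proxy's domain is rejected. The origins, secrets and the HMAC-based stand-in for the authenticator signature are constructed for the illustration, not real U2F cryptography.

```python
import hashlib, hmac, json, secrets, struct

# Constructed origins for the illustration (not real hosts).
LEGIT_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-proxy.test"

def totp_code(secret: bytes, t: int) -> str:
    """RFC 6238 style 6-digit code for Unix time t; valid for the whole 30-second step."""
    d = hmac.new(secret, struct.pack(">Q", t // 30), hashlib.sha1).digest()
    o = d[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", d[o:o + 4])[0] & 0x7FFFFFFF) % 1_000_000)

def rp_check_totp(secret: bytes, submitted: str, t: int) -> bool:
    # Nothing in the code records where the user typed it, so a code relayed
    # by a proxy is indistinguishable from one entered on the genuine page.
    return hmac.compare_digest(submitted, totp_code(secret, t))

def u2f_sign(device_key: bytes, challenge: str, browser_origin: str):
    """Simplified stand-in for a U2F assertion: the browser records the origin it
    is really connected to and the authenticator signs over that client data."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).digest()
    return client_data, sig

def rp_check_u2f(device_key: bytes, challenge: str, client_data: str, sig: bytes) -> bool:
    data = json.loads(client_data)
    if data.get("challenge") != challenge or data.get("origin") != LEGIT_ORIGIN:
        return False  # origin bound: a response made on another domain fails here
    expected = hmac.new(device_key, client_data.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def relay_totp(secret: bytes, t: int = 1_700_000_000) -> bool:
    # Victim types the current code into the proxied page; the proxy forwards it.
    return rp_check_totp(secret, totp_code(secret, t), t)

def relay_u2f(device_key: bytes, challenge: str) -> bool:
    # Proxy forwards the genuine challenge, but the victim's browser is on the
    # proxy origin, so that is what gets signed; the response is relayed verbatim.
    cd, sig = u2f_sign(device_key, challenge, PROXY_ORIGIN)
    return rp_check_u2f(device_key, challenge, cd, sig)

def direct_u2f(device_key: bytes, challenge: str) -> bool:
    cd, sig = u2f_sign(device_key, challenge, LEGIT_ORIGIN)
    return rp_check_u2f(device_key, challenge, cd, sig)

if __name__ == "__main__":
    secret, key, chal = b"constructed-totp-secret", b"constructed-device-key", secrets.token_hex(16)
    print("TOTP relayed through proxy accepted:", relay_totp(secret))    # True
    print("U2F signed on genuine origin accepted:", direct_u2f(key, chal))  # True
    print("U2F relayed through proxy accepted:", relay_u2f(key, chal))   # False
```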
For now, the only real way to protect against this type of attack is to be vigilant about what links you click on and to ensure the website you think you are visiting matches the genuine URL; where a service supports it, a U2F key adds protection that this method cannot bypass.