Though it’s an old technique, phishing is still a major problem for many organizations, including those with sophisticated security teams and security-aware users. APT groups and other high-level attackers often use highly credible, well-crafted phishing emails and sites to target victims, with notable success.
Two-factor authentication has become one of the major hurdles for groups using phishing to target valuable services. Understanding the tactics attackers use to try to bypass 2FA is important for both users and enterprise security teams, and this need has led to the rise of a wave of feature-rich phishing frameworks and tools for penetration testers.
Phishing toolkits have been around for many years, but many of them are custom tools developed internally by security consultancies, pen testing shops, and large enterprises with mature security teams. Many attack groups have their own versions, as well, optimized for their target industries and organizations. For various reasons, most of these tools don’t usually become public. So in recent years, security researchers and individual penetration testers have begun developing and releasing their own tools and frameworks to simulate phishing campaigns and help target users and organizations get a handle on the techniques and tricks attackers use in real campaigns.
One of the new entrants in this field is Modlishka, a reverse proxy designed to be a point-and-click tool for running phishing campaigns against any target domain. The tool allows a penetration tester to proxy traffic between a target user and the back-end server the user thinks she is communicating with. Modlishka allows an operator to intercept traffic from a user to a given site and gather credentials.
“All of the user’s traffic is handled of course over an encrypted browser trusted communication channel, where all of the relevant traffic is intercepted (such as credentials, authenticated session tokens, etc.) and the user is kept under the phishing domain, until a ‘termination’ URL is triggered (it can be specified through the options),” Piotr Duszyński, the developer of Modlishka, said in an email to Decipher.
“In that moment the victim can be redirected to an arbitrary website and his access is restricted from accessing the phishing URL again. It is useful, for example, after the credentials have been collected. This tool is very flexible, in how the campaign should be carried out.”
Because the user’s traffic is proxied through Modlishka, the operator has the ability to intercept one-time codes and push notifications used in some 2FA schemes.
“All traffic, including cross domain HTTP/HTTPS calls are being proxied, which allows [you] to bypass all standard 2FA (TOTP, HOTP, Push based 2FA, etc.). Currently the only resilient 2FA to this attack is based on U2F protocol,” Duszyński said.
The Universal 2nd Factor standard relies on hardware security keys as the second factor in authentication operations, requiring the user to tap a key plugged into her computer. Some services, including Twitter, Facebook, and Google, offer users the ability to use U2F keys rather than SMS or other software-based 2FA mechanisms.
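Why a relayed one-time code verifies but a relayed U2F assertion does not, as an added illustration that is not part of the article or of Modlishka. The server-side checks are simulated: TOTP follows RFC 6238 with the standard library, while the U2F signature over the client data (which carries the browser's real origin) is stood in for by an HMAC keyed with a per-registration secret; origins and keys are constructed names.

```python
import hashlib
import hmac
import json
import struct

# Constructed origins: the legitimate site and the domain a reverse proxy would sit on.
REAL_ORIGIN = "https://bank.example"
PROXY_ORIGIN = "https://bank-login.example"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def rp_verify_totp(secret: bytes, code: str, at: int) -> bool:
    # The code carries no information about where the user typed it,
    # so a code relayed by a proxy is indistinguishable from a direct login.
    return hmac.compare_digest(totp(secret, at), code)


def u2f_sign(key: bytes, challenge: str, browser_origin: str) -> dict:
    """What the browser and security key hand back. The browser itself records
    the origin it is actually connected to; the page cannot override it.
    (HMAC stands in for the key's ECDSA signature; this is a simplification.)"""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": browser_origin})
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def rp_verify_u2f(key: bytes, challenge: str, assertion: dict) -> bool:
    """Relying-party check: valid signature, our challenge, and our origin."""
    data = json.loads(assertion["clientData"])
    expected = hmac.new(key, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, assertion["signature"])
            and data["challenge"] == challenge
            and data["origin"] == REAL_ORIGIN)  # the origin check is what defeats a relay


def relayed_login(totp_secret: bytes, u2f_key: bytes, challenge: str, now: int) -> dict:
    """Simulate a proxy forwarding each factor verbatim from the victim's browser."""
    relayed_code = totp(totp_secret, now)  # victim types the code into the proxied page
    relayed_assertion = u2f_sign(u2f_key, challenge, PROXY_ORIGIN)  # browser sees the proxy origin
    return {"totp": rp_verify_totp(totp_secret, relayed_code, now),
            "u2f": rp_verify_u2f(u2f_key, challenge, relayed_assertion)}
```

The same assertion produced against REAL_ORIGIN verifies, which is the property the article attributes to U2F.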
There are a number of other tools in somewhat the same vein as Modlishka, including Evilginx2, a framework designed to phish session cookies and user credentials, and Judas, a standalone phishing proxy. There also are full-fledged phishing frameworks such as Gophish that allow operators to create templates and launch campaigns to see how aware users are of phishing techniques. Security consultants and penetration testers can be expensive, so open-source tools such as Gophish, Evilginx, and Modlishka can help organizations assess their level of awareness without laying out huge amounts of money.
“I created Gophish because I believe you shouldn't need a large security budget to measure your organization's exposure to phishing. My goal is to provide a high-quality phishing simulation framework that's quick to set up, easy to use, and has features that ‘just work’ - all for free,” said Jordan Wright, the creator of Gophish and an R&D engineer at Duo Security.