Using a new penetration testing tool to automate phishing attacks, hackers can potentially bypass two-factor authentication (2FA), according to a new post published by security researcher Piotr Duszynski. The tool was written to intentionally make phishing campaigns as easy and effective as possible, said Duszynski.
Dubbed Modlishka, a Polish word that means "mantis," the tool can reportedly bypass login operations for accounts protected by 2FA and enable an attacker to have full control of "cross" origin TLS traffic flow from the victims browsers, Duszynski wrote.
Phishing with Modlishka (bypass 2FA) from Piotr Duszynski on Vimeo.
A GitHub user inquired whether the 2FA is broken, to which Duszynski explained, “2FA isn't broken. At the end it is all about 'social engineering' that you will have to be stay alert about. Which can be e-mail, phone, post or face2face based.
“If you don't want to always verify if the domain name in the URL address bar of your browser isn't somehow malicious or worry if there's yet another URL spoofing bug, then consider switching to U2F [universal second factor] protocol."
"While cyber-criminals can get past 2FA, this should only be one piece in the authentication stack and not the only one,” said Don Duncan, security engineer for NuData Security, a Mastercard company.
“This is why companies are using multilayered authentication tools that can verify the legitimacy of a transaction from different angles," Duncan continued. "This way, if one of the layers is fooled by a bad actor, the other layers or tools can flag that activity. It is this in-depth defense that allows companies to provide an exceptional experience for customers while cutting out cyber-criminals.”
Still, Duszynski said that in his experience as a penetration tester, he has had the greatest success infiltrating customer networks by using social engineering. “One definitely does not need to burn a 0day exploit/s for all of those sophisticated top-notch security defenses that are protecting the perimeter, when often just few e-mails or phone calls will do just perfectly fine to compromise internal infrastructure and company's sensitive data.”