A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA).
"The tool that I wrote is sort of a game changer, since it can be used as a 'point and click' proxy, that allows easy phishing campaign automation with full support of the 2FA (an exception to this is a U2F protocol based tokens - which is currently the only resilient second factor).
Now, many fear that Modlishka would reduce the entry barrier to allow so-called "script kiddies" to set up phishing sites within minutes, even with far fewer technical skills required. Furthermore, this tool would allow cyber-crime groups to easily automate the creation of phishing pages that are easier to maintain and harder to detect by victims.
Piotr Duszyński last week released the open-source tool, named Modlishka which means Mantis in Polish, on Github he said as a way to raise awareness and to enable pen testers to launch effective phishing campaigns as part of red team engagements and in no way endorses the malicious use of his tool. However, the fact that Modlishka makes phishing attacks more effective also makes it a perfect weapon for a cybercriminal.
Two-factor authentication has become one of the major hurdles for groups using phishing to target valuable services. Understanding the tactics attackers use to try and bypass 2FA is important for both users and enterprise security teams, and this need has led to the rise of a wave of feature-rich phishing frameworks and tools for penetration testers.
One of the new entrants in this field is Modlishka, a reverse proxy designed to be a point-and-click tool for running phishing campaigns against any target domain. The tool allows a penetration tester to proxy traffic between a target user and the back-end server the user thinks she is communicating with. Modlishka allows an operator to intercept traffic from a user to a given site and gather credentials.
There a number of other tools in somewhat the same vein as Modlishka, including Evilginx2, a framework designed to phish session cookies and user credentials, and Judas, a standalone phishing proxy. There also are full-fledged phishing frameworks such as Gophish that allow operators to create templates and launch campaigns to see how aware users are of phishing techniques. Security consultants and penetration testers can be expensive, so open-source tools such as Gophish, Evilginx, and Modlishka can help organizations assess their level of awareness without laying out huge amounts of money.
As you can see, Modlishka comes with some pretty flashy features. It allows you to create your own SSL certification using openssl which will allow your phishing campaign to look more trustworthy and legitimate. You will likely want to register a domain name to further the false legitimacy.It also allows you to bypass some security measures such as anti-SSRF.Run the command below against a target site to see the proxy in action. The phishingDomain option can be changed to fit you needs. I am using the loopback.modlishka.io which requires you to change the index.html file inside the apache folder (/var/www/).
Advanced phishing attacks are becoming increasingly commonplace with tools that allow attackers to harvest credentials, bypass Two-factor authentication (2FA), as well as run automated post-exploit scripts the instant you enter your credentials. This post takes a look at our journey towards releasing Phinn, the real-time phishing simulation proxy that sits at the core of the PhishDeck phishing simulation platform.
In recent years we have seen a dramatic surge and shift in the phishing landscape that we have not seen in a very long time. We now have open-source tools that make it far more accessible than ever before for attackers to set up phishing websites that are virtually indistinguishable from their original counterparts both visually and, more importantly, in their behaviour.
Today, we are going to examine Evilginx 2, a reverse proxy toolkit. We will also find out how to use it to bypass two-factor authentication and steal Instagram login credentials. Finally, we will build and launch a combat server, tweak it, and go phishing!
The second milestone was the release of the open-source Modlishka project. At that time, the main difficulty faced by the users of Evilginx 2 was traffic proxying. The hacker had to create numerous filters dynamically substituting legitimate links with phishing ones. This was done through trial and error, making the code extremely sophisticated.
My previous article was dedicated to Modlishka, which is yet another tool designed to bypass two-factor authentication. At that time, the program had no automated solution for HTTPS, and suffered from certificate generation problems. The hacker had to tighten this screw manually. In addition, only one phishing site could be launched on a Modlishka server; so, the scope of attacks was limited.
Since the inclusion of the first password in the Compatible Time-Sharing System at MIT in 1961, people have been cognizant of information security. While multi-factor authentication (MFA) did not enter the scene until years later in 1986 with the first RSA tokens, it has recently seen widespread adoption in the consumer space. According to MFA digital authenticator company Duo's annual State of the Auth Report 78% of respondents have used two/multi-factor authentication (2FA/MFA) in 2021 compared to just 28% in 2017. While many companies like Duo and RSA have helped make MFA more ubiquitous and user-friendly, threat actors have not been resting on their laurels, choosing to target MFA as well as looking for ways to bypass MFA with evolving phishing kits.
Phishing kits are software developed to aid threat actors in harvesting credentials and quickly capitalizing on them. Often installed on a dedicated server owned by the threat actor or covertly installed on a compromised server owned by an unlucky individual, many of these kits can be purchased for less than a cup of coffee. Proofpoint threat researchers see numerous MFA phishing kits ranging from simple open-source kits with human readable code and no-frills functionality to sophisticated kits utilizing numerous layers of obfuscation and built-in modules that allow for stealing usernames, passwords, MFA tokens, social security numbers and credit card numbers. At their core these kits are using the same techniques for harvesting credentials as the traditional kits that steal only usernames and passwords.
Muraena/Necrobrowser: Muraena/Necrobrowser is a two-part tool for phishing session cookies, credentials, and much more. Created in 2019 by Giuseppe Trotta and Michele Orrù, Muraena runs server-side and uses a crawler to scan the target site to ensure it can properly rewrite all the traffic needed to not alert the victim. Once the victim's credentials and session cookie has been harvested by the threat actor, they can deploy Necrobrowser. Necrobrowser is a headless browser, which is a browser without a graphical user interface used for automation, that leverages the stolen session cookies to log into the target site and do things such as change passwords, disable Google Workspace notifications, dump emails, change SSH session keys in GitHub, and download all code repositories. 2b1af7f3a8