{"id":14383,"date":"2019-01-21T09:10:06","date_gmt":"2019-01-21T17:10:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/01\/21\/news-8135\/"},"modified":"2019-01-21T09:10:06","modified_gmt":"2019-01-21T17:10:06","slug":"news-8135","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/01\/21\/news-8135\/","title":{"rendered":"Has two-factor authentication been defeated? A spotlight on 2FA\u2019s latest challenge"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Mon, 21 Jan 2019 16:15:30 +0000<\/strong><\/p>\n

Multiple news reports about the defeat of two-factor authentication (2FA) have been making rounds lately.<\/p>\n

In November 2018, our friends at ESET discovered a purported Android battery utility tool<\/a> called \u201cOptimization Android\u201d from a third-party app store. This app was designed to steal money from a user\u2019s PayPal account without relying on stolen credentials. It operates by modifying a device\u2019s Accessibility settings and enabling the use of Android\u2019s overlay accessibility feature. This then allows a malicious accessibility service to mimic the user\u2019s clicks to access the legitimate app and wire money to the criminal\u2019s own PayPal address.<\/p>\n

Long story short: This method effectively bypasses 2FA<\/a>.<\/p>\n

Then in mid-December, researchers at the Computer Emergency Response Team in Farsi (CERTFA)<\/a> Lab released a report<\/a> about \u201cThe Return of Charming Kitten,\u201d a fresh slew of state-backed phishing attacks on individuals involved in sanctions against Iran and others, but focusing more on people based in the United States and Israel. State actors have found a way to fool targets into giving away their Gmail and Yahoo! 2-step verification codes.<\/p>\n

Days after CERTFA\u2019s report, Amnesty International broke the news<\/a> that broad, targeted phishing campaigns were set against thousands of human rights defenders (HRDs), journalists, and political actors in countries throughout the Middle East and Northern Africa (MENA). The threat actors behind at least one campaign had also actively and deliberately taken steps to bypass common forms of 2FA.<\/p>\n

A mantis lies in wait<\/h3>\n

The latest means to circumvent 2FA was made public by Polish security researcher Piotr Duszy\u0144ski not long after the New Year. He called it Modlishka<\/a>\u2014the English pronunciation of the Polish word \u2018mantis\u2019\u2014and described it as \u201ca flexible and powerful reverse proxy<\/a>\u00a0that will take your phishing campaigns to the next level (with minimal effort required from your side).\u201d It was a tool to aid penetration testers in conducting legitimate\u00a0tests.<\/p>\n

With its release, Duszy\u0144ski emphasized<\/a> the effectiveness and seriousness of social engineering attacks<\/a>. In the wrong hands, a tool like Modlishka can be misused to create a compelling and sophisticated phishing campaign that is significantly easier to use but far more difficult to detect and avoid by users.<\/p>\n

\"\"<\/p>\n

Overview of collected information from a simulated phishing campaign (Courtesy of Piotr Duszy\u0144ski)<\/em><\/p>\n<\/div>\n

How Modlishka works<\/h3>\n

Modlishka sits between the legitimate website it is impersonating and the phishing website the user is seeing.<\/p>\n

For this tool to successfully do its job\u2014and, in turn, for the campaign to work\u2014phishing campaign operators must first make their targets believe that they are on the website they expect to be on so that victims will enter their credentials without suspicion. Any interactions the user makes within the phishing page, including entering credentials, are passed through and recorded by Modlishka first before forwarding them to the legitimate website in real time.<\/p>\n

This tool also prompts the user for tokens when their accounts have 2FA enabled. However, the phisher should be present to intercept the 2FA token\u2014especially if it\u2019s a time-based, one-time password (TOTP)<\/a>\u2014from the user and manually input it to the legitimate website themselves before it expires.<\/p>\n

Assuming everything went smoothly, the user is then redirected to the legitimate website and successfully logged in to conclude the phishing attack. Below is a video of Modlishka in action.<\/p>\n