Automated phishing attack tool bypasses 2FA protection

But don’t let Modlishka make you give up on 2FA just yet…

Graham Cluley


Security researcher Piotr Duszyński has created something that is equally impressive and disturbing: a tool that helps criminals automate their phishing attacks *and* bypass two-factor authentication (2FA).

In a blog post, Duszyński describes how his newly released reverse proxy tool, Modlishka, could make phishing campaigns not only convincing, but also easier to set up than ever before.

Usually, fraudsters dupe a victim into entering their credentials onto a phishing website by duplicating the look-and-feel of the genuine site as closely as possible.


Modlishka, however, sits on a web server and grabs content from the genuine website that it wishes to impersonate – producing a perfect replica. Then, as a victim enters their username, password, and other sensitive information on the criminal’s server, the data is also passed to the genuine website – making it appear as though they have completed a perfectly normal and successful login.

In a demonstration video, Duszyński shows how a phishing website can convincingly dupe a Google user into entering their username, password, and 2FA code.

It’s worth recognising that such a phishing attack could be used against any website – not just Google.

So, does the existence of tools like Modlishka mean our online accounts are doomed?

Thankfully not.

Some things to consider:

  • 2FA codes are usually time-restricted, typically changing every 30 seconds. Your password may have been grabbed, and your account accessed, but the 2FA code has only a short shelf life. Depending on whether the criminal is monitoring the attack in real time, or has an automated way to turn that one login into permanent access to your account, the compromise may be limited.
  • Modlishka will not work against accounts protected by U2F hardware security keys, such as those often recommended for high-risk targets such as journalists, politicians, and CEOs. The key signs the origin the browser is actually talking to, so a response captured on the phishing domain is not valid for the genuine site.
  • Good password managers continue to be a strong defence against this and other types of phishing. A password manager won't offer to fill in your password on a domain it does not recognise, so even if a phishing site looks exactly like the genuine page, it will get no credentials unless the URL in the browser bar matches the one saved for the account. Phishing prevention is one of the best, and most often overlooked, reasons to run a password manager.
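To show why that last point holds no matter how faithful the cloned page is, here is a small added example (my own illustration, not code from Modlishka or from any real password manager) of the URL-based decision a password manager makes before offering to fill a saved credential. The suffix list is a constructed stand-in for the Public Suffix List that real managers use, and all URLs are made up.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real manager ships the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the registrable domain (eTLD+1) of a hostname, or None if unknown.

    'accounts.google.com' -> 'google.com', 'www.example.co.uk' -> 'example.co.uk'.
    A host whose suffix is not on the list yields None and therefore never matches.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Decide whether a credential saved for saved_url may be offered on current_url.

    The page's appearance plays no part: only the scheme and host in the address
    bar are consulted, which is exactly what a proxied clone cannot forge.
    """
    saved, current = urlsplit(saved_url), urlsplit(current_url)
    if current.scheme != "https":            # never fill over plain HTTP
        return False
    if not saved.hostname or not current.hostname:
        return False
    # .hostname drops any user@ prefix, so 'https://accounts.google.com@evil.example/'
    # is seen as evil.example, not as Google.
    if current.hostname == saved.hostname:   # exact host match
        return True
    # Allow sibling subdomains of the same registrable domain (many managers do).
    saved_rd = registrable_domain(saved.hostname)
    return saved_rd is not None and saved_rd == registrable_domain(current.hostname)


if __name__ == "__main__":
    saved = "https://accounts.google.com/signin"
    for url in ("https://accounts.google.com/signin/v2",
                "https://myaccount.google.com/",
                "https://accounts.google.com.login-verify.example/",
                "https://accounts.g00gle.com/signin",
                "https://accounts.google.com@evil.example/signin"):
        print(f"{'FILL   ' if should_autofill(saved, url) else 'REFUSE '} {url}")
```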

Image: Phishing domain

My advice? Continue to use password managers, unique passwords, and enable 2FA wherever possible.

Nonetheless, Modlishka does represent a worryingly easy way to create highly convincing phishing sites that are capable of bypassing the two-factor authentication used by some security-aware users.

Many involved in protecting users from phishing attacks will question the wisdom of Duszyński’s decision to publish his tool.

Modlishka may help raise awareness of the danger of reverse proxy phishing attacks, but it’s easy to imagine that many criminals will be tempted to put it to malicious use.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Automated phishing attack tool bypasses 2FA protection”

  1. Bob

    He did all that from the same computer.
    Did he enter the code again?
    Aren't Google Auth tokens one-time use?
