What Does it Mean that Tools for Automated Phishing Attacks Have Emerged

Phishing has always been considered one of the simplest types of cybercrime. In recent years, phishing toolkits and templates have made the task of tricking victims into giving away their usernames and passwords even easier. Nevertheless, the said toolkits have never really been plug-and-play. Until now, it seems.

As people become more wary of online threats, scammers must also put more effort into their creations. With a traditional phishing kit, a phisher would have to do quite a lot of configuration before the page is deployed. The fake login pages need to be more convincing than ever, and they need to be protected by an SSL certificate. What's more, scammers need to ensure that the stolen credentials are checked before being properly logged, and if they really want to be successful, they should find a way of beating two-factor authentication (2FA). Thanks to a new tool that was published at the beginning of the year, many of these chores can be eliminated.

Meet Modlishka, the ultimate phishing tool

Modlishka is the Polish word (or at least its English pronunciation) for Mantis. It's also the name of a new phishing tool developed by penetration tester Piotr Duszyński.

With Modlishka, launching a phishing campaign can be as simple as setting up a domain and running a few commands. Essentially, the tool acts as a reverse proxy that sits between the user and the website they think they are accessing. The phisher doesn't need to create or set up any fake pages because Modlishka essentially presents the victim with the original login form. Using the right credentials, users log in and continue about their business as they normally would. Unbeknownst to them, however, all the traffic passes through Modlishka, meaning that usernames, passwords, and other details are immediately exposed.

Even 2FA is no match for Modlishka

Two-factor authentication is the archenemy of traditional phishing. Its purpose, as we're sure you know, is to ensure that crooks can't break into your account using just your login credentials. For the most part, it does its job well, but if Modlishka is involved, most of its traditional forms are as good as useless. Once again, this is because the victim sends the 2FA codes through the reverse proxy, and phishers get them in real-time.

Regardless of whether the codes are sent via SMS or generated by an app, they can be stolen. The only form of 2FA that isn't affected by Modlishka is U2F.

How can you avoid falling victim to Modlishka?

As clever as Modlishka is, it can't fool you if you are careful enough. In order to work, it needs to be hosted on a domain, and this domain will never be identical to the domain of the legitimate website. So, just like regular phishing, avoiding Modlishka is dependent on your diligence. Always double check the URL in the address bar of your browser and avoid clicking links you're not sure about. The key here is not falling for the scam in the first place because if you do, there will be nothing to tell you that crooks are stealing your login data.

Publishing Modlishka was a controversial move

As a penetration tester, Piotr Duszyński's job is to ensure that organizations and users are more resilient to cyberattacks. Most of his work revolves around simulations, and the fact that he created the tool is not surprising at all. The fact that he made it accessible to everyone, however, is a bit puzzling.

Modlishka can be downloaded from GitHub, and just in case you don't know how to use it, Duszyński has garnished it with easy-to-follow instructions. Right now, even the most incompetent script kiddie (a jargon term for wannabe cybercriminals that have little skills and a big desire to break things on the internet) can take what is a very powerful phishing tool and use it to wreak considerable havoc. Why did Duszyński make Modlishka public?

He told ZDNet that without a working tool that everyone can test for themselves, the concept would have been treated as theoretical, and that with Modlishka he's raising awareness around the insecurity of code-based 2FA systems. We'll let you decide for yourselves whether this is a good enough reason.