Hardware keys needed to beat phishing: researcher

Phishing attacks have become sophisticated enough in exploiting weaknesses in multi-factor authentication systems that researchers are recommending the use of hardware keys for additional login security.

Google TItan hardware security key.

Tools to bypass standard multi-factor authentication where login codes are sent out-of-band are now readily available, allowing for automated attacks against user accounts.

At the beginning of January, developer and security researcher Piotr Duszyński published his Modlishka (mantis) reverse proxy on Github, which can be used to bypass the majority of two-factor authentication (2FA) systems in conjunction with phishing attacks.

Modlishka was designed to make phishing attacks against 2FA protected account logins such as those used by Google as effective as possible, Duszyński said.

"Over many years of my penetration testing experience, I have found ‘social engineering’ the easiest and most of effective way to get a proper foothold into the internal network of my customers," the researcher said.

With phishing and social engineering attacks via phone calls and emails there's no need to use up valuable zero-day exploits to get through sophisticated security defences protecting network perimeters, Duszyński said and added that many nation-actor advanced persistent threat (APT) groups think the same.

A security industry source who spoke to iTnews anonymously explained that Modlishka proxies the attacker and victim on the same system.

Targets are tricked to click on a link that looks deceptively similar to a legitimate resource, but leads to the attacker's Modlishka installation instead.

It exploits the way authentication works, with username, password, and 2FA code being entered via the proxy site, This mimics the look of a legitimate site and presents the real login box for e.g. Gmail.

Once the user has entered the credentials for the site along with the 2FA code delivered via short messaging service texts, or generated via a one-time passphrase app, authentication is completed and Modlishka acquires the session cookie for the login.

This leaves the victim logged into the site via the proxy and also allows the attacker to use the compromised site, the security industry source said. The proxy also fudges headers sent to the site, so as to avoid detection of multiple browsers being logged in which would invalidate the session cookie and force a reauthentication.

The security industry source said there are several other tools similar to Modlishka that are used by penetration testers.

Phishing attacks using reverse proxies that bypass standard 2FA protections are difficult to defend against. While Google and other companies change their heuristics and break pen-testers' tools, it's relatively easy to figure out what is causing the impersonation of real users to fail and make the attacks work again, the source explained.

To avoid Modlishka-style phishing attacks, people should use hardware FIDO Alliance Universal 2nd Factor (U2F) keys that are supported by their browsers, such as Yubikey and Google Titan, both Duszyński and the security industry source recommend.

There's little users can do to defend against account takeovers however if attackers persuade service providers to turn off 2FA.

YouTube vlogger Unge discovered this when Twitter support turned off 2FA for his account on behest of an attacker using the moniker 0rbit, German tech publication Golem reported.

0rbit had managed to hack Unge's Gmail account, which did not have 2FA enabled and contacted Twitter support via email to remove the additional login protection measure for the social network.

Once he had access to Unge's Twitter account with two million followers, 0rbit used it to promote data breaches he had found.

Unge was locked out of this Twitter account by 0rbit, but has now had his access restored to it.