Phishing Attacks that Bypass 2FA Just Got Easier

In mid-December, human rights organization, Amnesty International reported having been the victim of two phishing campaigns, likely by the same attackers. Amnesty reported the attackers bypassed two-factor authentication (2FA) methods to steal credentials to obtain and maintain access to hundreds of victim’s Google and Yahoo accounts. Two weeks later, a Polish researcher released a tool into open source that will make attacks like what happened to Amnesty International much more common, and dangerous. The tool, named “Modlishka,” has been released for (and with) good-intentions; however, like many that have come before it (e.g., Shodan, Censys, Metasploit), it is also available to any “script-kiddie” with a computer and little to no technical skills. Modlishka enables anyone to set up automated phishing campaigns within minutes. The researcher’s goal in releasing this tool to the public is in part to raise the level of awareness at how trivial it is to bypass 2FA based on SMS and one-time codes, in hopes the threat will be better addressed through more efficient controls, such as U2F-based schemes that rely on hardware security keys, and increased awareness training. ZDNet