Modlishka automated phishing tool intercepts and 2FA

Modlishka: A new penetration testing tool can automate phishing attacks. The new tool can also hack accounts that are protected from audit two-factor authentication (2FA).

It is called Modlishka and was developed by Polish researcher Piotr Duszyński.


Modlishka is the tool that the researchers call a reverse proxy, but it has been modified to handle traffic to landing pages (h) and the procedures of electronic "phishing"

"Park" between the legitimate user and the page that the hacker is interested in violating (Gmail, Yahoo or ProtonMail). The victims of cyber-fishing are connected to the Modlishka server and the reverse proxy running from behind sends the requests to the original site.

Thus the victim receives authentic content from the normal website, but all the traffic and all the victim interactions pass and are registered on the Modlishka server.

Of course all the passwords entered by the user are automatically recorded in the Modlishka panel, while the reverse proxy urges users to use 2FA tokens.

If attackers are on hand and collect these 2FA tokens in real-time, they can use them to log into victims' accounts and proceed with immediate of the password.

The following shows how a phishing website using Modlishka perfectly loads the content from the real Google login page.

Due to its simple design, Modlishka does not use "standards", a term used by phishers to describe clones of legitimate sites. But all content is retrieved from the legal site in real time, so attackers do not have to spend a lot of time updating the templates.

Attackers still need one phishing (to host Modlishka's server) and a valid TLS certificate.

Modlishka is currently available at GitHub with open source license. More exist in blog of Duszyński.

Images - Catalin Cimpanu ZDNet Information

_____________________ The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive notifications of new posts by email.

Written by giorgos

George still wonders what he's doing here ...

One Comment

Leave a Reply
  1. Even if you have a valid tls certificate you can not know the private key of the domain you are attacking so if the server has ssl (tls) you will not be able to see what data is exchanged client - server because it is encrypted…

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).