• New tool (hosted by Microsoft) automates phishing attacks that bypass 2FA


    #308328

    “Modlishka” automatically creates fake branded web pages which can intercept two-factor authentication:
    New tool automates phishing attacks that bypass 2FA
    (No need to waste time spoofing a carefully-crafted copy at your rogue domain.)

    The tool is available for download from GitHub:
    https://github.com/drk1wi/Modlishka
    2FA bypassing tool Modlishka is on GitHub for all to use

    GitHub was acquired by Microsoft seven months ago:
    Microsoft to acquire GitHub for $7.5 billion

    Microsoft is the #1 brand used for phishing, at hundreds of new fake sites every day:
    Phishers’ Favorites: Microsoft Retains the #1 Spot as Attacks Grow More Targeted

    Nearly two-thirds of all advanced email attacks impersonate Microsoft or Amazon:
    Fake Microsoft & Amazon Dominate Impersonated Brands in Email Attacks

    Modlishka’s author claims it’s for penetration testers to use in phishing test campaigns:
    Phishing NG. Bypassing 2FA with Modlishka.
    (But that seems way beyond what is necessary to filter out gullible users for education.)

    Anyone else find it odd that Microsoft would host this tool which will almost certainly be used maliciously to attack their users and gain access to business networks undetectably?

    6 users thanked author for this post.
    • #308397

      If this information is correct, perhaps the software came along with GitHub when MS bought it, and they have not realized it was there, or been too slow in removing it, or there are some contractual or legal barriers to doing that?

      In any case, such software does not seem to belong in an open developers’ platform such as GitHub, whatever the good intentions of its creator.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #308396

      It does seem to stem from the same mindset as “Steal this Book” and “burn it all down, man!”

      Really it is probably just another instance where lack of oversight in the name of freedom to distribute has allowed a bad situation. I hope it is rectified soon.

      If there is any element of intent, I would describe it as “disruptive friction”.

    • #308412

      GitHub owner awareness of content probably means:
      That Windows 7 and 8.1 are the safest and greatest OSes Ever! 😛

      Windows - commercial by definition and now function...
    • #308415

      For end-users that use an app or a hardware based U2F key, which times out every key in generally half a minute, the attackers would have to be live monitoring and attacking an account in real time.

      Therefore, we need to overload their proxy with a DDOS . . .  yes?  😀

      ~ Group "Weekend" ~

      • #309436

        For end-users that use an app or a hardware based U2F key, which times out every key in generally half a minute, the attackers would have to be live monitoring and attacking an account in real time.

        … unless they could automate a login and disabling of 2FA to occur as soon as a security code is captured.

    • #308425

      GitHub was acquired by Microsoft seven months ago:
      Microsoft to acquire GitHub for $7.5 billion

      It is astounding how much money these big companies have to spend.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      2 users thanked author for this post.
      • #308577

        Depending when in the year one looks, MS is today either the highest or the second highest market-valued company in the world, with a market capitalization of $821.5 billion:

        https://www.cnbc.com/2018/10/26/amazon-and-alphabet-lose-120-billion-in-market-value.html

        https://qz.com/1503505/apple-microsoft-amazon-the-battle-for-biggest-market-cap-charted/

        They are probably comfortable spending a measly $7.5 billion on purchasing a minor item, such as GitHub.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #308649

      Anyone else find it odd that Microsoft would host this tool which will almost certainly be used maliciously to attack their users and gain access to business networks undetectably?

      Implying MS has checked this software and is happy with it is a bridge too far IMO and doesn’t add value to the otherwise important information you have posted.

      cheers, Paul

      • #308713

        Implying MS has checked this software and is happy with it is a bridge too far IMO and doesn’t add value to the otherwise important information you have posted.

        I didn’t realize I had implied that; but I reported it to Microsoft and it’s still there for general consumption, so they are apparently not yet unhappy with it.
