MFA Foiled by Reverse Proxy Tool “Modlishka”

Polish researcher Piotr Duszyński developed a reverse proxy tool named Modlishka that can capture user credentials and multi-factor authentication (MFA) tokens in a simple, automated manner, making it highly accessible to those with little skill. Modlishka sits between the client computer and its target destination, for example, Google. The client believes they are connecting directly to Google to log in, when, in fact, Modlishka’s look-alike domain presents the user with legitimate Google content and intercepts any information entered into the login page, including the MFA code. If an MFA token is captured, the threat actor can use it to log in to the user’s account before it expires, gaining complete access to the account and potential access to other accounts that use the same credentials. Users may even be directed back to the legitimate website after logging in to avoid raising suspicion. To protect yourself against these attacks, the NJCCIC advises users to avoid clicking on links in emails to visit sites that require account credentials and, instead, to type web addresses into the browser manually and inspect URLs for legitimacy. For more details on Modlishka, visit the GitHub webpage and review the ZDNet blog post.
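As an added example (not code from the alert or from the Modlishka project), the following Python helper applies the alert’s “inspect the URL” advice mechanically: a link is accepted only when its registrable domain is on an allowlist, and it is flagged when a brand name has been planted in a subdomain, the userinfo, or the path in front of some other host, which is the pattern a reverse-proxy phishing domain depends on. The allowlist and brand tokens are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains for the legitimate login site.
TRUSTED_DOMAINS = {"google.com"}
# Constructed brand tokens; seeing one anywhere except the real domain is suspicious.
BRAND_TOKENS = {"google", "gmail"}


def registrable_domain(host: str) -> str:
    """Last two DNS labels of a host.

    Simplified on purpose: a real deployment would consult the Public Suffix
    List so that hosts under suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Classify a link before the user follows it to a login page.

    'trusted'   - the registrable domain is on the allowlist.
    'lookalike' - a brand token appears in a subdomain label, in the
                  user@ part, or in the path while the real host is
                  something else entirely.
    'unknown'   - neither; the safe move is to type the address yourself.
    Homoglyph domains (e.g. a capital I standing in for an l) are not
    detected here and still require the user to read the host carefully.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname drops user@ and :port
    if not host:
        return "unknown"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Every place a brand name can be planted to make a foreign host look right.
    decoys = host.split(".")[:-2]                          # subdomain labels
    decoys += (parts.username or "").lower().split(".")    # https://brand@host/
    decoys += parts.path.lower().split("/")                # /brand/login
    if any(token in label for token in BRAND_TOKENS for label in decoys):
        return "lookalike"
    return "unknown"
```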

NJCCIC Alert