
New Phishing Tools Can Now Bypass 2-Factor Authentication

Two-factor authentication (2FA) is an essential safety measure that stops unauthorized access to an account. It was invented to provide an additional layer of security on top of the usual log-in procedure of providing one’s username and password, which many now consider obsolete and insecure.

A common example of 2FA in action is when you attempt to log in to a familiar site from a different machine or location. When you try logging in, the 2FA protocol kicks in and sends you an SMS with a verification code that you need to enter to complete the log-in procedure.

Yet despite its numerous applications and popularity, 2FA isn’t a silver bullet in thwarting all types of cybercrime. This is especially true with regard to cases such as phishing.

Can 2FA Prevent Phishing Attacks?

In most cases it does, but this is in no way guaranteed. Although 2FA was once highly regarded as an effective way of preventing unauthorized access, the latest developments in the threat landscape are changing that opinion. It can still be used as an extra, low-cost security layer, but relying on it alone won’t prevent all types of phishing attacks from being successful.

Several methods exist that can allow attackers to bypass 2FA. For example, a person who is redirected to a phishing page inputs his credentials while a threat actor captures these in real-time. A 2FA code is sent to the user, which he then enters into the phishing page, consequently revealing this to the attacker who uses this same code to log in to the legitimate website.

Even worse, this data-stealing process now comes with a recently released phishing tool created by Piotr Duszynski, a Polish researcher. Duszynski named this tool “Modlishka.” It works as a reverse proxy customized to handle traffic that flows through log-in pages. It sits between the would-be victim and the phishing website. Whenever a user accesses the phishing page that hosts Modlishka, it serves content coming from the legitimate site while sniffing all of the traffic that passes through it, including users’ sensitive details.

In a nutshell, the tool automatically replicates the manual 2FA bypassing procedure mentioned above. The attack would require hackers to have a domain, a valid Transport Layer Security (TLS) certificate, and a copy of Modlishka. They do not need a phishing template because they can easily copy the contents of the website they intend to phish.

What Other Controls Can Stop Such Phishing Attacks?

There are several measures one can take to protect against various types of phishing schemes. A common solution is to employ an advanced spam filter that can prevent phishing emails from arriving in one’s inbox. Many reliable products of this kind are available, most of which can block as much as 99% of spam and phishing emails.

However, there are still cases where malicious emails can bypass spam filters, and it only takes one to compromise the victim’s accounts. That is why security awareness training and education are important, especially for enterprises with huge workforces. All employees of an organization must be taught to identify and verify suspicious emails so they can avoid becoming phishing victims.

Web filters can also be used to automatically block access to known phishing websites in real-time. These can be quite handy since anyone can still make mistakes and be fooled by highly realistic phishing emails.
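Because a reverse-proxy phishing page serves the legitimate site's own content over valid TLS, the hostname is the main thing a web filter can judge. The following is an added example, not part of the original article or any product: a minimal hostname check in which the blocklist, the protected domain and the "warn" verdict for unlisted lookalikes are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumptions for this example only).
BLOCKLIST = {"evil-login.test", "phish.example"}   # known phishing domains
PROTECTED = {"bank.example.com"}                   # sites users really log in to

def normalize_host(url):
    """Return the lowercase ASCII (punycode) hostname of a URL, or None."""
    try:
        host = urlsplit(url).hostname   # drops userinfo and port, lowercases
    except ValueError:                  # e.g. malformed IPv6 literal
        return None
    if not host:
        return None
    try:
        return host.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:                # empty or over-long labels
        return None

def label_suffixes(host):
    """All suffixes of a hostname cut on label boundaries."""
    labels = host.split(".")
    return {".".join(labels[i:]) for i in range(len(labels))}

def filter_decision(url):
    """Return 'block', 'warn' or 'allow' for a requested URL."""
    host = normalize_host(url)
    if host is None:
        return "block"                  # fail closed on unparseable input
    suffixes = label_suffixes(host)
    if suffixes & BLOCKLIST:
        return "block"                  # the domain or any subdomain is listed
    if suffixes & PROTECTED:
        return "allow"                  # genuinely under a protected domain
    # A protected name embedded in a host that is NOT under that domain is
    # the typical shape of a proxy phishing hostname not yet on the blocklist.
    if any(name in host for name in PROTECTED):
        return "warn"
    return "allow"

if __name__ == "__main__":
    for sample in ("https://login.bank.example.com/",
                   "https://bank.example.com.evil-login.test/login",
                   "https://bank.example.com.unknown.test/"):
        print(filter_decision(sample), sample)
```

Matching on label boundaries matters: a plain substring or prefix test would treat `bank.example.com.evil-login.test` as the bank's own site.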

* * *

As you can see, 2FA is still a great cybersecurity measure to help protect against unauthorized access. It, however, isn’t a magic solution to stop all kinds of cyber attacks, especially those that use complex tools and tactics. That is why companies today should still apply other safety solutions and packages to avoid being a victim of threat actors.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
