An Automated 2FA-Bypassing Phishing Tool Is on GitHub - Mobile Identity Roundup for January

February 7, 2019
Category: Mobile Identity
Author: The IPification Team

The first month of the New Year is already behind us, and you know what that means - it’s time for another round of monthly roundups.

Although some may have expected January to start out slowly, it certainly hasn’t - at least not in the mobile identity industry.

Unfortunately, as predicted, we’ve had a month filled with cyber breaches, internet moguls abusing their power by choosing not to respect users’ privacy, and a widely available tool that can be used to automate phishing attacks, which is where we will start this monthly roundup.

Reverse Proxy Tool Modlishka Can Easily Automate Phishing Attacks & Bypass 2FA

Modlishka, a tool that can be used to automate phishing attacks, was released on GitHub just a few weeks into the New Year by Polish security researcher Piotr Duszynski.

He stated that the purpose of the project was to have an easy-to-use tool that eliminates the need to prepare a static webpage every time he wanted to run a phishing campaign.

The tool is a reverse proxy modified to sit between the victim and the legitimate login page.

The victims receive authentic content, but all traffic is routed through the Modlishka server, so attackers can collect 2FA tokens and synthesize authenticated user sessions, eliminating the need to create cloned login pages.

Modlishka is especially problematic because it is automated and lightweight, so there is little chance the attack would even be detected.

Possibly even worse, the tool was published on GitHub, and although the creator states he doesn’t support malicious use of it, we can’t help but see the incredible risks brought on by this decision.
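As an added illustration (not the article’s or Modlishka’s code), this is the kind of client-side check a legitimate login page can embed to notice that it is being rendered through a reverse proxy on a hostname other than its own. The hostname login.example.com and the form id login-form are assumed placeholders.

```javascript
// Added example, not from the article or the Modlishka project.
// A relaying proxy rewrites the real hostname inside the HTML it forwards, so
// the policy stores a digest of the expected hostname rather than the literal
// string, which a simple string replacement would otherwise substitute.

// FNV-1a 32-bit digest of a lowercase hostname. Not a security hash; its only
// job is to keep the plain hostname out of the page body.
function hostDigest(hostname) {
  let h = 0x811c9dc5;
  for (const ch of hostname.toLowerCase()) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Build-time step: run on the server and embed the resulting digests as
// constants in the page. The hostnames passed here are constructed placeholders.
function buildPolicy(allowedHostnames) {
  return { digests: new Set(allowedHostnames.map(hostDigest)) };
}

// Runtime step: decide whether the login form may be rendered on this host.
function checkOrigin(renderedHostname, policy) {
  const digest = hostDigest(renderedHostname);
  if (policy.digests.has(digest)) {
    return { action: "render", digest };
  }
  // Mismatch: withhold the credential fields and return the observed hostname
  // so it can be reported to the security team for investigation.
  return { action: "block", digest, observedHostname: renderedHostname };
}

// Browser entry point; guarded so the module also loads outside a browser.
function guardLoginPage(policy, doc = globalThis.document, loc = globalThis.location) {
  if (!doc || !loc) return null;
  const result = checkOrigin(loc.hostname, policy);
  const form = doc.getElementById("login-form");
  if (result.action === "block" && form) form.remove();
  return result;
}

// Assumed deployment: "login.example.com" is the site's own hostname.
const POLICY = buildPolicy(["login.example.com"]);
guardLoginPage(POLICY);
```

A proxy that strips or patches the script defeats the check, so treat a missing or failed check as a signal to investigate rather than as the only control.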

Criminals Exploit Flaws in Telecom SMS Protocol to Empty Bank Accounts

Thought only to be within reach of intelligence agencies, a flaw in the SS7 protocol telecom providers use to route calls and SMS messages around the world is now being exploited by criminals who intercept 2FA messages even from the other side of the planet.

It’s happening more often than was previously thought. Motherboard has even identified Metro Bank as one of the banks that fell victim to an SS7 attack, and the bank has confirmed this.

The main issue with this protocol is that it doesn’t verify who sent a request: whether it came from an intelligence agency or a criminal, the command is treated the same.

As for the actual theft process, it’s the same old scenario.

After obtaining a user’s username and password, most likely through a phishing campaign, a criminal intercepts the 2FA code and poof - they’re in.

While these attacks are said to be highly targeted and most likely not a threat to the general public, the vulnerability in itself brings about a certain uneasiness.

Facebook & Google Internal-only Certificates Revoked by Apple After Privacy Scandal

It wouldn’t be a monthly roundup if there weren’t a Facebook privacy breach now, would it? Only this time, Google hasn’t done any better.

The two moguls were revealed by TechCrunch to be misusing an Apple-issued enterprise certificate which enables them to distribute internal apps without having to use the App Store.

Facebook used this certificate to publish and distribute an app called “Research” outside the company. The app gave Facebook access to all network data sent from the device.

Facebook went so far as to pay users, some of whom were teenagers, $20 per month to install this app. If that wasn’t enough, this was actually a repackaged version of an app that was banned from the App Store last year because it collected too much user data.

Apple then revoked the certificate, which meant that Facebook’s other employee-only apps were offline until the certificate was re-issued.

It was then revealed that Google’s app Screenwise did pretty much the same thing, so their certificate was revoked as well.

Because these apps are distributed outside the App Store, the companies, not Apple, controlled the installation process.

An additional step they added was a VPN configuration profile, which routes all data leaving the phone directly to them.

This is where things get interesting.

While Google was only collecting data for research purposes, and the data it saw stayed encrypted and inaccessible as long as the network traffic was protected by HTTPS (as the majority is today), Facebook chose to go completely overboard.

Facebook’s users had to grant root-level access to the phone, which meant the company could read all the encrypted traffic flowing out of the device, including your messages, email or any other data leaving your phone. It was essentially a “man-in-the-middle” attack.

WhatsApp to Implement Fingerprint Authentication, But Will Users Trust Facebook?

A new update to WhatsApp is in the works that would allow the app to use the fingerprint stored on your phone as an extra layer of security users would have to pass to authenticate their mobile identity.

While the messaging app on its own has shown that it is ready to stand up for its users’ right to privacy, it is now owned by Facebook.

Considering the social media giant’s recent history, the question is whether users will trust it to handle their biometric data.

A Popular Weather App Collecting Personal Data

The free app “Weather Forecast—World Weather Accurate Radar”, downloaded more than 10 million times from Google Play, was reported to be collecting a suspicious amount of its users’ personal data.

Apart from the geographic location, the app was reported to be collecting the users’ email address and International Mobile Equipment Identity (IMEI) number.

Alcatel and BlackBerry smartphones actually came with this app pre-installed.

It is also worth noting that this app has a history of subscribing users to paid packages without their consent.

Fortnite Authentication Bug Leaking Private Data

Fortnite is one of the most popular games in the world, so it’s no wonder that it has become a frequent target of cyber attacks.

Recently, a flaw in its login system allowed attackers to steal users’ login tokens by getting them to click phishing links.

Thankfully, the issue has already been fixed, so users didn’t have to take any action.

Data Breach "Collection #1" Reveals 773 Million Records

The largest breach ever loaded into the Have I Been Pwned website, Collection #1 appears to have many sources.

Over 12,000 files totaling more than 87 GB were hosted on the MEGA cloud service. The data was shared on a popular hacking forum, and the name of the breach comes from the name of its root folder.

The specifics of the breach, such as its sources, are yet to be confirmed, but it is advised that you check whether your email address has been pwned and act accordingly.

***

Although 2018 seemed to have been the record-breaking year when it came to these types of issues, it doesn’t look like 2019 will be any slower.

It is vital that we educate ourselves on preventing cyber breaches and take measures ourselves to protect our mobile identities.