Akamai Diversity

The Akamai Blog

Phishing Tool Analysis: Modlishka

Additional research and support provided by Danny Wasserman.

Overview

One of the goals of phishing sites is to lure individuals into providing sensitive data, such as personally identifiable information, banking and credit card details, and passwords, through the use of email, SMS, social media, and messaging apps. This information is then used to access important accounts and can result in identity theft and financial loss.

A good example of phishing came from an email received by Akamai security researcher Larry Cashdollar back in December. The effort was novel because it was an attempt to collect his Google and Facebook credentials using Google Translate as a proxy. Larry analyzed the techniques used in this phishing attack on a previous blog post.

Building on the research from Larry and others at Akamai, we are examining Modlishka, a flexible and powerful reverse proxy that can be used to support phishing campaigns. This open source tool was developed for ethical hacking purposes to help penetration testers to carry out phishing campaigns, reinforce the fact that serious threats can arise from phishing, and also to raise community awareness about modern phishing techniques and strategies.

Tool Analysis

While Modlishka was developed for ethical hacking and academic uses, it demonstrates the capabilities of similar phishing kits sold on the black market. In most phishing attacks,  attackers take advantage of vulnerable Internet hosts to install phishing kits that mimic legitimate websites. These fake websites then collect credentials and sensitive information from legitimate users.

This tool is more powerful than the average phishing kit, because it does not require website templates since it acts as a reverse proxy between the legitimate site and the victim.

According to the tool's main developer, Piotr Duszynski, Modlishka aims to:

  • Help penetration testers to carry out an effective phishing campaign and reinforce the fact that serious threat can arise from phishing.
  • Highlight current 2FA weaknesses, so adequate security solutions can be created and implemented soon.
  • Raise community awareness about modern phishing techniques and strategies.
  • Support other open source projects that require a universal reverse proxy.

 mod one.jpg

Figure 1: Modlishka proxy in action

The screenshot above shows Modlishka in action against a standard 2FA (SMS) enabled authentication scheme, using Google as a proof of concept. The tool's author shows a video of this that demonstrates credentials harvesting and user session impersonation. In the video, everything appears to look legitimate (besides the phishing domain URL in the browser's address bar), though Modlishka is proxying traffic between the user and Google.

According to the tool's Github page, some of Modlishka's features include:

  • Support for majority of 2FA authentication schemes
  • No website templates, the tool acts as a proxy between the end user and the real website
  • JavaScript payload injection
  • Stripping website from all encryption and security headers
  • User credential harvesting
  • Web panel with a summary of collected credentials and user session impersonation

Configuration Files

The tool can use JSON configuration files for its target domains. The configuration file includes settings the user can specify such as Phishing Domain, Target, Log File, and Certificate settings, among others. The following is a sample configuration running on the loopback IP address and targeting https://target-victim-domain.com:

mod two.jpg

Figure 2: Sample configuration file

For a detailed explanation of the configuration parameters, see the tool's "How to use" page.

Logging

Harvested credentials can be viewed as the tool proxies the requests, in real time. They also can be accessed by viewing the log file or via one of the included plugins, which includes session impersonation (beta). The screenshots below show examples of these features.

mod three.jpgFigure 3: Harvested credentials in real time

mod four.pngFigure 4: Harvested credentials panel

About 2FA

Two-Factor Authentication (2FA) is often used as a mechanism to prevent credential abuse attacks, since attackers usually only have one. Since this tool proxies the traffic between the user and the legitimate target website, instead of  sending the user to a fake phishing site (which is a common attack vector), it is possible to intercept two factor authentication tokens so the user would be able to successfully authenticate. The user can then browse the website without knowing their credentials have been stolen. Therefore, 2FA is not a possible mitigation against this tool and users must always verify that the domain of the URL they are accessing is expected and not a malicious phishing site.

Protection recommendations

In the Akamai publication "What is Phishing?", we discuss recommendations to reduce the risk of phishing impacting your business. One of the most important recommendations is to educate end users. End users should be able to recognize, avoid, and report the various types of phishing. Phishing exercises and awareness training help employees get familiarized with the tactics used by threat actors and how to respond to them.

Recommendations for End Users

Larry Cashdollar advises that the best defense is a good offense, and that means taking your time to examine the email fully before taking any action. Furthermore, using a password manager like LastPass or 1Password can help prevent entering credentials into a phishing web page because the URL would not match the legitimate website saved in the password manager's secure vault. Below is some guidance from www.phishing.org on identifying phishing emails.

Common Features of Phishing Emails

  1. Too Good To Be True - Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people's attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Just don't click on any suspicious emails.
  2. Sense of Urgency - A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it's best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email.
  3. Hyperlinks - A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.akarnai.com - the 'm' is actually an 'r' and an 'n', so look carefully.
  4. Attachments - If you see an attachment in an email you weren't expecting or that doesn't make sense, don't open it! They often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.
  5. Unusual Sender - Whether it looks like it's from someone you don't know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general don't click on it!

Recommendations for Enterprise Defenders

Enterprise defenders should also be on the lookout for phishing campaigns. The most recent SOTI report presents data that shows that 34% of the phishing domains detected by Akamai from December 2018 to May 2019 were targeted at enterprises.

OWASP has a number of recommendations for cybersecurity practitioners in regards to phishing, including:

  • User Education: Users are the primary attack vector for phishing attacks. Without training your users to be wary of phishing attempts, they will fall victim to phishing attacks sooner or later.
  • Make it easy for your users to report scams: Monitor abuse@yourdomain.com and consider setting up a feedback form.
  • Fix all your XSS issues: Do not expose any code that has Cross-site Scripting (XSS) issues, particularly unauthenticated code.
  • Never ask your customers for their secrets: Scammers will often ask your users to provide their credit card number, password or PIN to "reactivate" their accounts.
  • Work with law enforcement: The only way to get rid of the problem is to put the perpetrators away. Work with your law enforcement agencies - help them make it easier to report the crime, handle the evidence properly, and prosecute.

For a detailed list of recommendations please see: https://www.owasp.org/index.php/Phishing

Enterprise Threat Protector

Akamai customers using Enterprise Threat Protector (ETP) can proactively identify and block targeted threats such as phishing, malware, ransomware, and DNS-based data exfiltration. ETP allows for improving security defenses by proactively blocking requests to malware and ransomware drop sites, malware command and control (CnC) servers, and DNS data exfiltration and phishing domains and URLs based on unique and up-to-date threat intelligence. ETP supports blacklisting domains to be blocked from the network.

mod five.pngFigure 5: ETP Dashboard

For more information about ETP, ask your Security Services Primary to set up an ETP trial as part of your next security checkup. They can also share Akamai's self-journey in using these enterprise technologies to protect our own organization.