29th January 2019
Modlishka, which acts as a point and click 2FA-busting phishing attack exploit kit, has been released onto GitHub by the developer.
Regardless of the purpose of many security tools that are released either open-source or commercially there will always be a split between black-hat and white-hat usage. Where penetration testing tools, such as this phishing tool, are released to the public this can open the door to organizations (that may not have granular and subject-matter expertise) to be able to perform their own internal phishing engagements, or for third-party security professionals to be able to perform these sorts of assessments more easily. The tools that are released by security researchers are always the ‘tip of the iceberg’ in relation to what is already used by black hats. Many hacking organizations would already have some sort of framework or process for performing spear-phishing or mass-phishing attacks with relative ease, so this would, of course, allow them to implement this within their arsenal; however, the Modlishka toolset (and others like it) would more than likely be used by white-hats and their red-teams.
However, there are certainly still real-world risks associated with releasing security frameworks and tools. The first and foremost is opening the door to wider threat actors due to the simplicity of the setup and execution of tools such as the Modlishka phishing framework. For any attackers actively deploying a phishing campaign, there are already many pathways, tools, and other resources available online to provide a baseline for these engagements.
Overall, I would say that the benefits of these penetration testing tools being released open-source far outweigh the potential risks associated with them, primarily because security professionals of all experience levels now have the ability to see what is possible, can repeat the attack process themselves and actively implement a mitigation plan following this.
Attacks performed using the Modlishka, or similar penetration testing tools, are, at the heart of it, simply phishing platforms. There are many different systems out there that provide some form of website duplication functionality, others that can handle two-factor authentication forwarding or code harvesting. The main mitigation that organizations can implement is a strong security awareness programme internally. Educating staff to the risks, ideally with examples of an attack, can greatly improve the baseline security posture of your organization. Users should ensure that they check the URLs of the pages they are visiting, comparing the expected URL against the one shown in the browser. They should also be made aware of when emails are sent from an external domain in the case of an attacker emulating a corporate resource, which a technical control can be integrated via an email rule prepending an email’s content with “THIS IS AN EXTERNAL EMAIL” or something similar.
Multi-factor authentication is a must-have in organizations that value a strong security posture. There is also a multitude of third-party solutions that aim to aid in phishing mitigation, such as utilizing threat-intelligence feeds or honeypot email addresses against the sender’s email address. Some web browsers also have an integrated ‘bad domain’ check, where any untrusted domains or websites reported as being a security risk present a warning message to the user.