With every new hack, it’s becoming clearer that older forms of two-factor authentication (2FA) are no longer the reassuring security protection they once were.

The latest and perhaps most significant is that researcher Piotr Duszyński has published a tool called Modlishka (Polish: “Mantis”) capable of automating the phishing of one-time passcodes (OTPs) sent by SMS or generated using authentication apps.

On one level, Modlishka is simply a tool that sits on the same server as a phishing site capturing any credentials and 2FA tokens the user can be tricked into sending it.

But instead of cloning the phished site (Gmail, say), it behaves like a reverse proxy, cleverly feeding the user content from the real site to make an attack look more convincing.

The user believes they are interacting with the real site, and in a sense they are: Modlishka relays every request and response between the user and the genuine site, capturing the credentials and OTP codes that pass through it without the user realising.

A video demo shows how Modlishka could be used to phish a Google user but it could just as easily be used against any service where the same authentication is in use.

Explains Duszyński:

This tool should be very useful to all penetration testers that want to carry out an effective phishing campaign (also as part of their red team engagements).

Was it right to publish such a powerful tool? Arguably, yes. When used for its intended purpose – simulating phishing attacks against 2FA as part of a penetration or social engineering test – it offers an important insight into the vulnerability of this type of security.

As for being used by cybercriminals, there are probably plenty of other tools that can do a similar job given that phishing OTP codes isn’t a new technique.

Within days of one another in December, separate reports emerged of attacks where phishing had successfully been used to obtain OTP codes as part of targeted campaigns.

The first was against high-value US targets, while the second was documented by Amnesty International as having been part of a campaign to break into the email accounts of over 1,000 human rights campaigners.

Ambitiously, the latter attempted to crack email services such as ProtonMail and Tutanota, which have additional layers of security and log all accesses.