It is time for another reminder that email continues to be a threat vector despite numerous attempts at securing the internet-borne service that the vast majority of us use.

Take over someone's email address, and it's very likely you'll get access to heaps more than just their personal and professional correspondence.

A compromised email account can open the door to multiple services that use the address as the login name, a bad practice that refuses to die.


Thanks to massive data breaches over the past few years, hackers probably know your email already and maybe your password too.

The way to stop attackers from breaking into your account is two-factor authentication (2FA) which means you enter your login credentials, and then a unique, single-use code that's either sent to you via a different channel, or an app.

Without the correct code, nobody can log in to your account.

Where there's a will there's a way though. At the beginning of the year, a Polish developer released an elegant tool called Modlishka (Mantis) that takes bypassing 2FA very simple indeed.

Modlishka is used in phishing attacks whereby targets are sent a link that looks like it leads to a legitimate, known and trusted website like Gmail.

Instead, the link goes to the attackers site which is an indistinguishable digital copy of the real one.

Next, users are asked to log in and enter the 2FA code that Modlishka passes on to the real site and receives a token that logs in both the target and the attacker. You can guess what happens next.

Phishing with Modlishka (bypass 2FA) from Piotr Duszynski on Vimeo.


Security researchers I spoke to said that while a fair bit of tweaking is necessary to counter Google and other providers changing their threat detection heuristics, Modlishka works and isn't even new. Similar software is already in use by infosec testers, and also by "Advanced Persistent Threat" (ATP) or nation-state hackers.

The standard advice here is to check the link or uniform resource locator (URL) to make sure that your browser connects to the right site. However, phishers work around that by using áçćêńtęd and non-English language characters in URLs, which can be very hard to spot.

Since it's almost impossible to exist on the internet without an email address, what can you do to protect yourself against Modlishka and similar phishing tools?

First, keep on using 2FA for all your logins. Despite the weaknesses above, 2FA makes it much harder to take over your accounts, which is why attackers have to create deceptions like Modlishka.

Second and this is what security industry professionals recommend, start using hardware tokens or keys to authenticate yourself.

Popular web browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox and Opera support the FIDO Alliance Universal 2nd Factor (U2F) standard, and so do other services.

Then you'll need to fork out $55-$75 for a compatible hardware device from companies such as Yubico or Google, enable U2F, swear quietly over the additional login complication and making sure that you have a backup key in case you lose the original one.

Hardware keys bump up your login security considerably, but they're not invulnerable.

Somewhere out there a creative person will spot a non-obvious way to get around hardware key protection through weaknesses in perhaps not the devices themselves but the systems they connect to.

Either that, or an attacker will simply contact tech support, pretend to be you and ask them to turn off 2FA on your account. Ah well; at least you tried.