Pierluigi Paganini December 25, 2018

Amnesty International warns of threat actors that are launching phishing attacks aimed at bypassing Gmail, Yahoo 2FA at scale

Amnesty International published a report that details how threat actors are able to bypass 2FA authentication that leverages text message as a second factor.

Attackers are using this tactic to break into Gmail and Yahoo accounts in large scale attacks.

2FA processes that are based on a text message are very popular because they are simple to use.

Amnesty experts monitored several credential phishing campaigns targeting individuals across the Middle East and North Africa.

In one campaign, threat actors targeted accounts on popular secure email services, such as Tutanota and ProtonMail.

In another campaign, hackers targeted hundreds of Google and Yahoo accounts, “successfully bypassing common forms of two-factor authentication”.

Amnesty International reported widespread phishing of Google and Yahoo users throughout 2017 and 2018. Attackers targeted human rights defenders and journalists from the Middle East and North Africa region that sharing with the organization suspicious emails they have received. Investigating the emails, the experts uncovered a large and long-running campaign of spear-phishing attacks seemingly originating from the United Arab Emirates, Yemen, Egypt and Palestine.

The attackers used trivial sophisticated social engineering tricks that leveraged common “security alert” scheme. Victims receive fake alarms informing targets of a potential account compromise and asking them to urgently change their password.

The phishing messages included a link that redirected victims to a well-crafted and convincing Google phishing website designed to trick victims into revealing the two-step verification code.

“Sure enough, our configured phone number did receive an SMS message containing a valid Google verification code. After we entered our credentials and the 2-Step Verification code into the phishing page, we were then presented with a form asking us to reset the password for our account. ” continues the analysis.

“To most users a prompt from Google to change passwords would seem a legitimate reason to be contacted by the company, which in fact it is. “

Threat actors were able to automate the attack and take over the accounts of the victims.

Additional information on the phishing attacks, including IoCs, are reported in the analysis published by Amnesty International.

Pierluigi Paganini

(SecurityAffairs – 2FA, phishing attacks)

[adrotate banner=”5″]

[adrotate banner="13"]