How Hackers Bypass Gmail 2FA at Scale
A new Amnesty International report goes into some of the technical details of how hackers can automatically phish two-factor authentication tokens sent to phones. If you’re an at-risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account.
Hackers can bypass these protections, as we’ve seen with leaked NSA documents on how Russian hackers targeted US voting infrastructure companies. But a new Amnesty International report gives more insight into how some hackers break into Gmail and Yahoo accounts at scale, even those with two-factor authentication (2FA) enabled. They do this by automating the entire process: a phishing page not only asks the victim for their password, but triggers a 2FA code that is sent to the target’s phone. That code is also phished, then entered into the legitimate site so the hacker can log in and take over the account.
The news acts as a reminder that although 2FA is generally a good idea, hackers can still phish certain forms of it, such as those that send a code or token over text message, and some users will likely need to switch to a more robust method. “Virtually in that way they can bypass any token-based 2FA if no additional mitigations are implemented,” Claudio Guarnieri, a technologist at Amnesty, told Motherboard in an online chat. 2FA adds another layer of authentication to your account. With token-based 2FA, you may have an app that generates a code for you to enter when logging in from an unknown device, or, perhaps most commonly, the service will send a text message containing a short code that you then type into your browser.
This sort of 2FA is great for protecting against password reuse. That is, if a hacker obtains one of your passwords from a data breach and then tries that password on your other accounts, a hacker who runs into 2FA is probably not going to break in without taking some further steps. Many lower-level hackers are likely to just stop trying at that point. But token-based 2FA is not a failsafe. It’s increasingly clear that, as well as trying to steal your passwords through deceptive phishing pages, hackers may try to pinch your 2FA code too. And by automating the process, hackers can steal and use your 2FA token just as you would, entering it into the legitimate Google site, or another one, within seconds.
In this latest case documented by Amnesty, the organization estimates hackers have targeted more than a thousand Google and Yahoo accounts across the Middle East and North Africa throughout 2017 and 2018. The attacks likely originate from among the Gulf countries and display similarities to a hacking campaign that researchers at Citizen Lab found targeting dissidents in the United Arab Emirates, Amnesty’s report reads. The phishing starts normally, with a fake Gmail page asking the target for their password. Once the target enters that, the hacker’s infrastructure directs the victim to another page, alerting them that a 2FA code has been sent via SMS to the phone registered to their account. “Sure enough, our configured phone number did receive an SMS message containing a valid Google verification code,” Amnesty’s report reads. The phishing page then asks the victim to enter their 2FA code. Some phishing pages asked the victim to verify their phone number, while others did not, Guarnieri said.
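As an added illustration (not code from the article or from Amnesty’s report), here is a toy Python model of the relay Guarnieri describes: the same automated forwarding that captures an SMS code succeeds, while a second factor whose answer is bound to the site origin fails, which is the kind of “additional mitigation” the quote alludes to. The origins, password and device key are constructed, and the origin-bound response is a simplified stand-in for a real phishing-resistant authenticator.

```python
import hashlib, hmac, secrets

# Constructed values for the toy model; nothing here is from the article.
SERVICE_ORIGIN = "https://accounts.example"     # the legitimate login page
PHISH_ORIGIN = "https://accounts-example.test"  # the attacker's lookalike page
PASSWORD = "hunter2"                            # the victim's (phished) password
DEVICE_KEY = secrets.token_bytes(32)            # shared by service and authenticator

def respond(origin, challenge):
    # The victim's authenticator answers over the origin the browser is really on.
    return hmac.new(DEVICE_KEY, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()

class Service:
    def __init__(self):
        self.sms_code = self.challenge = None   # state of one pending login

    def password_step(self, password, mode):
        if password != PASSWORD:
            return None
        if mode == "sms":
            self.sms_code = f"{secrets.randbelow(10**6):06d}"  # "texted" to the phone
            return "sms sent"
        self.challenge = secrets.token_hex(16)  # handed to whatever page is open
        return self.challenge

    def second_step(self, proof):
        # SMS mode: whoever holds the code passes. Challenge mode: only a response
        # computed over SERVICE_ORIGIN is accepted, so an answer produced on a
        # phishing origin fails even though the victim did everything the page asked.
        if self.sms_code is not None:
            ok = hmac.compare_digest(proof, self.sms_code)
        else:
            ok = hmac.compare_digest(proof, respond(SERVICE_ORIGIN, self.challenge))
        self.sms_code = self.challenge = None
        return ok

def relay_sms():
    # Phishing page forwards the password; the real service texts the victim, who
    # retypes the code into the phishing page; the relay submits it and succeeds.
    svc = Service()
    svc.password_step(PASSWORD, "sms")
    code_typed_by_victim = svc.sms_code
    return svc.second_step(code_typed_by_victim)

def relay_challenge(origin_victim_is_on):
    # Same relay, but the authenticator's answer is bound to the page origin.
    svc = Service()
    challenge = svc.password_step(PASSWORD, "challenge")
    return svc.second_step(respond(origin_victim_is_on, challenge))
```

`relay_sms()` returns True, `relay_challenge(PHISH_ORIGIN)` returns False, and `relay_challenge(SERVICE_ORIGIN)` returns True, showing that origin binding, not the secrecy of the one-time value, is what stops the relay.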
https://motherboard.vice.com/en_us/article/bje3kw/how-hackers-bypass-gmail-two-factor-authentication-2fa-yahoo
Read the Amnesty report here:
https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough/