Amnesty International warns of threat actors that are launching phishing attacks aimed at bypassing Gmail, Yahoo 2FA at scale
Amnesty International published a report that details how threat actors are able to bypass 2FA authentication that leverages text message as a second factor.
Attackers are using this tactic to break into Gmail and Yahoo accounts in large scale attacks.
2FA processes that are based on a text message are very popular because they are simple to use.
Amnesty experts monitored several credential phishing campaigns targeting individuals across the Middle East and North Africa.
In one campaign, threat actors targeted accounts on popular secure email services, such as Tutanota and ProtonMail.
In another campaign, hackers targeted hundreds of Google and Yahoo accounts, “successfully bypassing common forms of two-factor authentication”.
Amnesty International reported widespread phishing of Google and Yahoo users throughout 2017 and 2018. Attackers targeted human rights defenders and journalists from the Middle East and North Africa region that sharing with the organization suspicious emails they have received. Investigating the emails, the experts uncovered a large and long-running campaign of spear-phishing attacks seemingly originating from the United Arab Emirates, Yemen, Egypt and Palestine.
The attackers used trivial sophisticated social engineering tricks that leveraged common “security alert” scheme. Victims receive fake alarms informing targets of a potential account compromise and asking them to urgently change their password.
The phishing messages included a link that redirected victims to a well-crafted and convincing Google phishing website designed to trick victims into revealing the two-step verification code.
“Sure enough, our configured phone number did receive an SMS message containing a valid Google verification code. After we entered our credentials and the 2-Step Verification code into the phishing page, we were then presented with a form asking us to reset the password for our account. ” continues the analysis.
“To most users a prompt from Google to change passwords would seem a legitimate reason to be contacted by the company, which in fact it is. “
Threat actors were able to automate the attack and take over the accounts of the victims.
Additional information on the phishing attacks, including IoCs, are reported in the analysis published by Amnesty International.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.