Hackers Use Automated Phishing Attacks To Bypass 2FA Security On Gmail, Yahoo Accounts

Two-factor authentication (2FA) is usually touted as an effective layer of security for online accounts. Many people have recently learned the hard way that this method may not be as helpful as it seems. Hackers have targeted nearly 1,000 Google and Yahoo accounts by bypassing two-factor authentication.

Amnesty International, a non-profit group, recently published a report that documented the phishing attacks. The attacks specifically targeted journalists and activists in the Middle East and North Africa in 2017 and 2018. Amnesty International believes that the hackers are based in Persian Gulf countries.

How does the attack work? First, the attackers sent out convincing “security alerts” to send their victims to fake log-in websites. The phony website then requested a two-factor authentication (2FA) code from the user. Once the hackers received the code, they sent the user a form to change their password. This whole process allowed the hackers to enter the 2FA code into the real Google or Yahoo login page before the code expired.

Amnesty International has been investigating the attackers for several months. The group even created a fake email address and phone number to test the system, and discovered that the hackers had accidentally made some of their tools public. According to Claudio Guarnieri of Amnesty International, the hackers “built an 'auto-pilot' system that would launch Chrome and use it [to] automatically submit the login details phished from the user to the targeted service.” The group also noted that the hackers could potentially infiltrate 2FA apps such as Google Authenticator.

The attackers also targeted Tutanota and ProtonMail users. They registered domains that closely resembled the legitimate web services’ names and created phony login sites. Amnesty International believes that the hackers were successful because users would expect the legitimate web services to own these sites. Tutanota has requested that the phony website be taken down, while ProtonMail has already succeeded in eliminating the fake site.
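As an added illustration (not taken from the Amnesty International report), the following Python sketch shows how a mail gateway or proxy could flag hostnames that imitate a protected service's name. The watchlist, the confusable-character table, and every sample hostname are assumptions constructed for this example.

```python
# Added example: flag hostnames whose name imitates a protected service.
# The watchlist and any hostnames passed in are constructed for illustration.
PROTECTED = {  # brand label -> registrable domain assumed to be legitimate
    "tutanota": "tutanota.com",
    "protonmail": "protonmail.com",
    "google": "google.com",
    "yahoo": "yahoo.com",
}
# Character sequences commonly used to imitate another letter.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(label):
    """Fold hyphens and confusable sequences, so 'protonrnail' -> 'protonmail'."""
    label = label.replace("-", "")
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def check_host(host):
    """Return (brand, reason) if host imitates a protected brand, else None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    registrable = ".".join(labels[-2:])  # naive: ignores multi-part public suffixes
    if registrable in PROTECTED.values():
        return None  # genuinely owned by the service
    sld = labels[-2]
    for brand in PROTECTED:
        if sld == brand:
            return (brand, "same name, different TLD")
        if skeleton(sld) == brand:
            return (brand, "confusable characters")
        if edit_distance(sld, brand) <= 1:
            return (brand, "near-miss spelling")
        if brand in labels[:-2] or brand in sld:
            return (brand, "brand embedded in unrelated domain")
    return None
```

A production deployment would replace the two-label split with a public-suffix-aware parser and feed the function from newly registered domain or certificate transparency feeds.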

Amnesty International noted that journalists and activists are frequently the target of phishing attacks and that it is “important that they are equipped with the right knowledge”. The group still recommends that people use 2FA, but warns that users should remain vigilant. One malicious app was recently able to steal users' login credentials and 2FA codes to drain their PayPal accounts. Always be wary of third-party apps and any unsolicited emails.