Securing online accounts with two-factor authentication is no longer the effective safeguard it once was. One mysterious group has been defeating the account protection in attempts to phish upwards of 1,000 people, according to the human rights group Amnesty International.
Amnesty has published a report documenting the phishing attacks, which have targeted journalists and activists based in the Middle East and North Africa through the use of phony emails and login pages.
The goal behind the attacks has been to trick victims into handing over access to their Google and Yahoo accounts, even when two-factor authentication is in place. “What makes these campaigns especially troubling is the lengths to which they go to subvert the digital security strategies of their targets,” Amnesty International said in its report.
Unfortunately, the special passcodes generated by two-factor authentication systems are usually just a string of random numbers, which can make them easy to phish.
Amnesty International said the group of hackers they’ve been tracking pulls this off by sending out fake but convincing security alerts that look like they came from Google or Yahoo. The alerts will claim the victim’s account may have been breached and provide a link to an official-looking login page to initiate a password reset.
“To most users, a prompt from Google to change passwords would seem a legitimate reason to be contacted by the company, which in fact it is,” Amnesty International said. But in reality, the login pages are fake.
The hackers created the phony process to phish both the victim’s password and the special two-factor authentication code. Amnesty International has been investigating the scheme based on suspicious emails it has been receiving from human rights activists and journalists. To test out the attacks, Amnesty created a disposable Google account and then clicked through one of the phishing emails.
“Sure enough, our configured phone number did receive an SMS message containing a valid Google verification code,” Amnesty said in its report.
The information revealed that the hackers were using web application testing tools to automate the phishing process.
Claudio Guarnieri, a technologist at Amnesty, said in a tweet, “Essentially, they built an ‘auto-pilot’ system that would launch Chrome and use it [to] automatically submit the login details phished from the user to the targeted service, including two-step verification codes sent for example via SMS.”
— nex (@botherder) December 19, 2018
The hackers’ automated process is important because it lets them enter the special one-time passcode into the real Google or Yahoo login page before the time limit on the passcode runs out.