Skip to content ↓ | Skip to navigation ↓

Phishers are bypassing common forms of two-factor authentication (2FA) in a campaign targeting hundreds of Google and Yahoo accounts.

In a new report, Amnesty International uses several attack emails sent to it by Human Rights Defenders (HRDs) spread across the Middle East and North Africa to analyze the campaign.

A typical attack email in this campaign begins with a fake security alert informing the target of a potential Google account compromise. The email contains a link that claims to sign a user out of all web sessions when clicked. In actuality, it directs them to a phishing page that asks for their password. Entering this information redirects the victim to another page where they are prompted to enter in a 2-step verification code if the service is enabled. The recipient then receives a valid Google verification code via SMS.

A screenshot of the Google 2FA code phishing page. (Source: Amnesty International)

After entering in that code, the scheme redirects them to a form where they are prompted to reset the password for their account.

The researchers at Amnesty International confirmed this sequence by setting up a dummy Google account of their own. As they explain in their report:

After following this one last step, we were then redirected to an actual Google page. In a completely automated fashion, the attackers managed to use our password to login into our account, obtain from us the two-factor authentication code sent to our phone, and eventually prompt us to change the password to our account. The phishing attack is now successfully completed.

In some instances of the campaign, the fraudsters target a recipient’s Yahoo email accounts in a similar manner. Upon submitting their username and password, the individual receives a prompt to confirm the mobile number associated with the account. They then receive a request to provide the phishing page with an access code. This code comes from Yahoo, as the attackers log in to a target’s account and thereby generate the login verification request from Yahoo in real-time.

A screenshot of the Yahoo 2FA code phishing page. (Source: Amnesty International)

Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), says that this attack highlights the need for better authentication schemes. For the time being, he recommends that the industry moves away from One-Time Passwords (OTPs) and towards a U2F (Universal 2nd Factor) token connected via USB or NFC:

Long-term, web site operators should eventually phase out the use of the OTP schemes and encourage users toward U2F tokens. As an end-user, if you currently have 2FA enabled for accounts, consider upgrading to a U2F token. If not, be very mindful of the fact that your 2FA is not keeping you safe from phishing in any meaningful way. (Of course it still does mitigate risks related to password compromise alone.)

Users can further protect themselves against attack campaigns such as the one outlined above by familiarizing themselves with the most common types of phishing attacks.