Hackers bypass two-factor authentication “at scale”
Thu 20 Dec 2018
Hackers break into Gmail and Yahoo accounts of journalists and activists “at scale”, even those with two-factor authentication (2FA) enabled
Amnesty International has disclosed multiple credential phishing campaigns targeting human rights activists and journalists across the Middle East and North Africa.
Credential phishing uses imitations of legitimate websites, where a login prompt lures a victim into entering their personal details, which are then transmitted to the attacking party.
In this case, logging in to the phishing page triggered a prompt to complete two-factor authentication. The user responded to this request via mobile, completing the login process.
Likely operated by a circle of attackers, one campaign threatened the security of hundreds of accounts on popular “secure email” services such as Tutanota and ProtonMail. In another campaign, the attackers breached potentially hundreds of Google and Yahoo accounts, bypassing trusted and common forms of 2FA.
“To most users, a prompt from Google to change passwords would seem a legitimate reason to be contacted by the company, which in fact it is,” Amnesty International said.
The attacks are inherently hard to spot, and Amnesty says there were very few signs of malicious intent. The special passcode that is generated during 2FA can be easy to imitate, as it is usually a simple string of random numbers.
Despite the attacks, it would not be wise to disable 2FA. But this doesn’t mean that the system is perfect either – and the attack raises serious questions about ostensibly “secure” platforms used by consumers to protect their data.
There is growing concern that users are being misled into trusting internet services that promise security – at a time when global trust in the internet is low and phishing has emerged as one of the most common and insidious forms of cyberattack against both consumers and enterprises.
Such attacks also tend to be concentrated on human rights activists and journalists. The Centre for Long Term Cybersecurity argues that it is politically vulnerable organisations that often face significant cybersecurity threats – regularly at the hands of powerful governments.
In these campaigns, it appears political activists fell prey to state-sponsored phishing.
“Individuals at risk, human rights defenders above all, are very often targets of phishing attacks and it is important that they are equipped with the right knowledge,” Amnesty said.