Hacker spoofing bypasses 2FA security in Gmail, targets secure email services

Updated: Google, Yahoo, and ProtonMail accounts are being targeted in a new wave of phishing attacks.

A new wave of attacks is targeting Google and Yahoo accounts in order to bypass two-factor authentication as well as compromise users of secure email services, researchers have warned.

On Wednesday, a new report published by non-profit Amnesty International gave us a glimpse into the inner workings of recent phishing campaigns which are using a variety of techniques to infiltrate user accounts across the Middle East and North Africa.

Within the report, the researchers say that several campaigns are underway, likely conducted by the same threat group in order to target Human Rights Defenders (HRDs).

The first campaign involves hundreds of Google and Yahoo accounts being targeted, resulting in the "successful bypass of common forms of two-factor authentication (2FA)."

Throughout 2017 and 2018, Amnesty International was given copies of suspicious emails sent to HRDs and journalists in the Middle East and North Africa. Upon investigation, it seemed that many of the victims of a phishing campaign originated from United Arab Emirates, Yemen, Egypt, and Palestine.

In this scenario, the attackers sent crafted "security alert" messages with the overall aim of luring victims to malicious domains masquerading as legitimate websites belonging to Google and Yahoo. These were often rotated to avoid shutdowns by registrars.

However, what makes this campaign different is its attempts to combat 2FA, an additional layer of security implemented to protect online accounts through access codes often sent to linked mobile devices.

The phishing site was designed to obtain account credentials as well as the 2FA code required to access the account. Once the researchers logged into one of the fraudulent domains using a throwaway Gmail address, they were alerted that a 2FA code had been sent -- triggered by the automated scheme.

The phone number used to create the account did receive an SMS message. The phishing page requested the code, and once input, presented the team with a form asking them to change their password before redirecting them to a legitimate Google login page.

"In a completely automated fashion, the attackers managed to use our password to login into our account, obtain from us the two-factor authentication code sent to our phone, and eventually prompt us to change the password to our account," the nonprofit says.

As the entire system is automated, the verification code can be used to compromise an account before 2FA tokens expire.

The attack in question worked in exactly the same way when applied to Yahoo accounts.

"The threat landscape is continually evolving, and we are committed to evolve with it to help keep our users secure," a Yahoo spokesperson said. "In 2015, we launched Yahoo Account Key, which does not utilize SMS, and encourage users to adopt this form of authentication."

The second campaign has taken a different route and is specifically going after email services which market themselves as secure, such as Tutanota and ProtonMail.

CNET: Russian influencers thrived on Instagram after pressure on Facebook, Twitter

The cybercriminals have exploited rare opportunities which, when seized, can result in phishing campaigns becoming far more effective -- the registration of domains which look remarkably similar to legitimate services.

In this case, the hackers were able to register the domain tutanota.org -- whereas the legitimate service is hosted on tutanota.com -- and create a replica of the real email service.

As users would expect online services to own these primary domains, they may be more susceptible to phishing messages asking them to visit such links and input their credentials, which can then be harvested.

"These fake sites also use transport encryption," the organization notes. "This enables the well-recognized padlock on the left side of the browser's address bar, which users have over the years been often taught to look for when attempting to discern between legitimate and malicious sites."

TechRepublic: 5 biggest security vulnerabilities of 2018

Users would not see anything amiss as once their credentials were entered, a login process on the true domain would be initiated.

The website's seeming legitimacy led to Amnesty International informing Tutanota, which requested a takedown of the phishing website.

ProtonMail was also a target via the phishing domain protonemail.ch, which added an additional "e" which could be easily missed by would-be victims. This domain has since been closed.

See also: Remove yourself from the internet and erase your online presence

Amnesty International says that the threat actors responsible most likely come from the Gulf countries, and have potentially targeted thousands of HRDs, journalists, political actors and other individuals of interest through the phishing schemes.

"Taken together, these campaigns are a reminder that phishing is a pressing threat and that more awareness and clarity over appropriate countermeasures needs to be available to human rights defenders," the non-profit said.

Update 20.15 GMT

"ProtonMail is known for its use of sound technology and cryptography to protect its users' data and privacy," the firm told ZDNet. "Thus we condemn any appropriation of our name and reputation to trick users through a malicious phishing attack. We were not aware of the existence of the protonemail.ch site and, to date, we have not received any reports from anyone that was impacted by this phishing scam. We have been in touch with the appropriate authorities and the phishing site in question has now been taken down."

A Google spokesperson told ZDNet:

"While any form of two-factor authentication is better than none, we recommend security keys for the strongest protection against phishing. In addition, Google offers the Account Protection Program, designed to provide even stronger protection for those at risk of targeted attacks – like journalists, activists, business leaders, and political campaign teams."

Previous and related coverage