Phishers Bypassing 2FA to Compromise Google and Yahoo Accounts

Phishers are bypassing common forms of two-factor authentication (2FA) in a campaign targeting hundreds of Google and Yahoo accounts.

In a new report, Amnesty International uses several attack emails sent to it by Human Rights Defenders (HRDs) spread across the Middle East and North Africa to analyze the campaign.

A typical attack email in this campaign begins with a fake security alert informing the target of a potential Google account compromise. The email contains a link that claims to sign a user out of all web sessions when clicked. In actuality, it directs them to a phishing page that asks for their password. Entering this information redirects the victim to another page where they are prompted to enter in a 2-step verification code if the service is enabled. The recipient then receives a valid Google verification code via SMS.

After entering in that code, the scheme redirects them to a form where they are prompted to reset the password for their account.

The researchers at Amnesty International confirmed this sequence by setting up a dummy Google account of their own. As they explain in their report:

After following this one last step, we were then redirected to an actual Google page. In a completely automated fashion, the attackers managed to use our password to login into our account, obtain from us the two-factor authentication code sent to our phone, and eventually prompt us to change the password to our account. The phishing attack is now successfully completed.

In some instances of the campaign, the fraudsters target a recipient’s Yahoo email accounts in a similar manner. Upon submitting their username and password, the individual receives a prompt to confirm the mobile number associated with the account. They then (Read more...)