Saturday, January 12, 2019

Phishing for 2FA

    Cybersecurity professionals have known for a long time that passwords alone are not secure enough. Two-factor Authentication (2FA) has become an increasingly common way to add another layer of security. But like anything else in the security world, it is not infallible. This week Amnesty International reported that hacker groups are targeting the email accounts of journalists and human rights activists from the Middle East and North Africa.
     One campaign targeted well -known secure email services like ProtonMail, while another campaign focused on Google and Yahoo! accounts where the hackers were able to harvest credentials even from 2FA-enabled accounts.
    Chances are, you have at least one account with 2FA. If you've ever had to enter a code sent to your smartphone, you've used it before. It may seem like a hacker wouldn't be able to get that code, but if they couldn't stay one step ahead, they wouldn't be in business. This report found that the attacks used tried-and true phishing techniques, but with some extra infrastructure in place to automate the process.
    It starts with a security alert email that links to a counterfeit login page. Once the victim enters their credentials, the attackers' server automatically sends those credentials to the legitimate login page. This triggers a request for a 2FA code from the legitimate site that is sent to the victim. The victim enters the code on the fake site, which also passes it to the legitimate site, giving the hackers access to the account. From here the attackers would enable access for third-party apps to keep control of the account. 
   Despite the extra steps happening in the background, the time it takes to do it is negligible and the victim would not notice the process taking any longer. However, the hackers behind these campaigns did make some mistakes. The servers hosting their fake Google and Yahoo! pages were not locked down. Researchers were able to use exposed directories to view various files and determine what the hackers were up to.
   This is not to say that we shouldn't keep using 2FA - it absolutely is better than a password alone. But it's worth keeping in mind that phishing is still prevalent because it works and its success isn't limited to stealing passwords. For folks that feel they are at risk or that just want some extra protection, researchers recommend using hardware tokens.
Sources:
https://motherboard.vice.com/ en_us/article/bje3kw/how-hackersbypass-gmail-two-factorauthentication-2fa-yahoo
https://www.amnesty.org/en/latest/ research/2018/12/when-bestpractice-is-not-good-enough/
https://thestack.com/ security/2018/12/20/hackers-bypass -two-factor-authentication-at-scale/