Two-factor authentication doesn’t stop hackers from phishing Gmail and Yahoo info


A new Amnesty International report gives insight into how some hackers break into Gmail and Yahoo accounts, including accounts that have two-factor authentication (2FA) enabled.

2FA is an extra step added to the login of some accounts to make them harder to take over. With token-based (code-based) 2FA, you may be asked to run an app that generates a short code, which you enter when logging in from an unrecognized device. More commonly, the service sends that short code to you in a text message, and you type it into your browser to get into your account.

This kind of 2FA is great for protecting against password reuse. If a hacker obtains one of your passwords from a data breach and then tries it on your other accounts, 2FA stops them from getting in with the password alone; they would have to take additional steps, and most lower-level hackers give up at that point.

Unfortunately, token-based 2FA is not fail-safe: a code that you type in can be tricked out of you just like a password can.

Amnesty International estimates that hackers have targeted more than a thousand Google and Yahoo accounts across the Middle East and North Africa throughout 2017 and 2018. These attacks likely originated from among the Gulf countries.

That of course does not mean residents of the United States or Canada are safe from this type of attack.

What’s worse is that the hackers have automated these attacks, which means they can work through countless victims in a very short time frame.

The attack begins when the victim, trying to get to their account, lands on a counterfeit login page that looks like the real one. The page asks for the victim’s password and immediately submits it to the real site, which in turn sends a 2FA code to the victim’s phone. The counterfeit page then asks for that code, and the hackers’ system types it into the legitimate site before it expires, so it is the hacker, not the victim, who ends up logged in and able to read the mailbox or take over the account outright. Because each code is only valid for a short window, the whole relay has to happen in real time, which is exactly why the hackers automated it.

The hackers’ system then automatically creates an App Password: a separate, long-lived password that lets a third-party mail application access the account without going through 2FA, so the hacker keeps a hold on the account for as long as possible, even after the stolen login session ends. If you suspect you were targeted, open the App Passwords page in your Google or Yahoo account settings and revoke any entry you did not create yourself.
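The relay described in the two paragraphs above, and the App Password step that follows it, as an added simulation written for this page (it is not Amnesty’s tooling or the attackers’ code). The provider, the victim and the look-alike page are all constructed stand-ins that never touch a network; codes are standard RFC 6238 TOTP values so the same relay covers both text-message and authenticator-app codes, and the `relay_delay` parameter shows why the attackers had to automate: a code relayed too late is no longer valid.

```python
"""Constructed simulation of real-time 2FA-code relay phishing plus App Password persistence."""
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window that contains `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LegitService:
    """Stand-in for the real provider: password, then one-time code, then a session."""

    def __init__(self):
        self.users = {}     # user -> {"password", "otp_secret", "app_passwords"}
        self.pending = {}   # pending-login id -> user
        self.sessions = {}  # session token -> user

    def register(self, user, password):
        secret = secrets.token_bytes(20)  # what the victim's authenticator app enrolls
        self.users[user] = {"password": password, "otp_secret": secret, "app_passwords": []}
        return secret

    def login_password(self, user, password):
        """Step 1: on a correct password, 'send' a code and return a pending-login id."""
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        pid = secrets.token_hex(8)
        self.pending[pid] = user
        return pid

    def login_code(self, pid, code, now):
        """Step 2: the code is a bearer secret; whoever presents it in time gets a session."""
        user = self.pending.pop(pid, None)
        if user is None:
            return None
        if not hmac.compare_digest(totp(self.users[user]["otp_secret"], now), code):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def create_app_password(self, token):
        """Any logged-in session may mint an App Password that bypasses 2FA from then on."""
        user = self.sessions[token]
        ap = secrets.token_hex(8)
        self.users[user]["app_passwords"].append(ap)
        return ap

    def login_app_password(self, user, ap):
        return any(hmac.compare_digest(ap, x) for x in self.users[user]["app_passwords"])


class PhishingProxy:
    """Attacker's look-alike page: everything the victim types is relayed at once."""

    def __init__(self, legit):
        self.legit = legit
        self.pid = None
        self.loot = {}

    def fake_page_1(self, user, password):
        self.loot["password"] = password
        self.pid = self.legit.login_password(user, password)  # this makes the real site send the code
        return self.pid is not None  # fake page now says "enter the code we just sent you"

    def fake_page_2(self, code, now):
        token = self.legit.login_code(self.pid, code, now)
        if token is None:
            return False
        self.loot["session"] = token
        self.loot["app_password"] = self.legit.create_app_password(token)  # persistence
        return True


def run_attack(now=None, relay_delay=0):
    """Run the campaign against a constructed victim. `relay_delay` is how many seconds
    the attacker waits before using the relayed code; 0 means fully automated."""
    now = time.time() if now is None else now
    legit = LegitService()
    user, password = "victim@example.com", "correct horse battery staple"  # constructed
    otp_secret = legit.register(user, password)
    proxy = PhishingProxy(legit)
    proxy.fake_page_1(user, password)
    code_from_phone = totp(otp_secret, now)  # what the victim reads off their phone and types
    logged_in = proxy.fake_page_2(code_from_phone, now + relay_delay)
    persistent = logged_in and legit.login_app_password(user, proxy.loot["app_password"])
    return {"session_stolen": logged_in, "app_password_works": persistent}
```

`run_attack()` with the default zero delay shows the attacker ending up with a session and a working App Password; `run_attack(relay_delay=120)` shows the same code rejected because the window has passed. Note that nothing in `LegitService` can distinguish the relayed request from the victim’s own, which is the whole problem with codes you type.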

Some phishing pages also asked the victim to verify their phone number.

In another case, Amnesty found that the hackers’ infrastructure automatically took over a Yahoo account and then copied it into Gmail using a legitimate mailbox-migration service called ShuttleCloud. This let the attackers immediately and automatically produce a complete clone of the victim’s Yahoo mailbox inside a separate Gmail account that was entirely under their control.

In an online chat with Motherboard, Claudio Guarnieri, a technologist at Amnesty stated that, “Virtually in that way they can bypass any token-based 2FA if no additional mitigations are implemented.”

So while 2FA is still a very good idea and does keep accounts safer, any form of 2FA that has you type in a code can be phished this way. Codes sent by text message are the most common example, and, as Guarnieri notes, codes from an authenticator app are relayed just as easily.

There are alternatives to these phishable forms of 2FA, such as a hardware security key. A hardware security key, such as a YubiKey, is a small device that typically plugs into your computer via USB (some also work over NFC with a phone). Instead of a code you read and type, the key answers a challenge from the website, and that answer is cryptographically tied to the address of the site your browser is actually on, so a look-alike page only ever gets a response that the real site will refuse.
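Why the security key resists the relay that beat the typed code, as an added illustration written for this page rather than code from any vendor or from the report. It mirrors the FIDO U2F/WebAuthn idea: the device signs the server’s challenge together with the origin the browser reports, and the page cannot change that origin. The names are constructed, and HMAC-SHA256 over a secret shared at registration stands in for the real ECDSA signature and public key; real authenticators additionally scope each credential to the site it was registered at, so the fake page would not even obtain a signature, but a single key is used here to make the verifier’s origin check visible.

```python
"""Constructed illustration of origin-bound challenge-response (FIDO-style) versus relay phishing."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://accounts.example"        # constructed: the real site
PHISH_ORIGIN = "https://accounts-example.com"    # constructed: the look-alike site


class SecurityKey:
    """Authenticator. Signs (challenge, origin); the browser supplies the origin and the
    page cannot override it. HMAC over a shared secret stands in for an ECDSA signature."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, origin, challenge):
        client_data = json.dumps({"origin": origin, "challenge": challenge}, sort_keys=True).encode()
        return client_data, hmac.new(self.secret, client_data, hashlib.sha256).digest()


class RelyingParty:
    """The real site's verifier."""

    def __init__(self, origin):
        self.origin = origin
        self.creds = {}       # user -> verification key (a public key in real WebAuthn)
        self.challenges = {}  # user -> outstanding challenge

    def register(self, user, key):
        self.creds[user] = key.secret  # simplification: WebAuthn only exports the public key

    def begin_login(self, user):
        challenge = secrets.token_hex(16)
        self.challenges[user] = challenge
        return challenge

    def finish_login(self, user, client_data, signature):
        expected = self.challenges.pop(user, None)
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return "rejected: origin mismatch"
        if data.get("challenge") != expected:
            return "rejected: unknown or reused challenge"
        mac = hmac.new(self.creds[user], client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, signature):
            return "rejected: bad signature"
        return "ok"


def honest_login(rp, key, user):
    challenge = rp.begin_login(user)
    client_data, sig = key.sign(LEGIT_ORIGIN, challenge)   # browser is on the real site
    return rp.finish_login(user, client_data, sig)


def relayed_login(rp, key, user):
    """The look-alike page relays the real challenge, exactly as the code relay did."""
    challenge = rp.begin_login(user)                       # attacker starts a login
    client_data, sig = key.sign(PHISH_ORIGIN, challenge)   # victim's browser is on the fake site
    return rp.finish_login(user, client_data, sig)


def relayed_login_with_forged_origin(rp, key, user):
    """Attacker rewrites the origin field to look legitimate; the signature no longer matches."""
    challenge = rp.begin_login(user)
    client_data, sig = key.sign(PHISH_ORIGIN, challenge)
    forged = json.dumps({"origin": LEGIT_ORIGIN, "challenge": challenge}, sort_keys=True).encode()
    return rp.finish_login(user, forged, sig)


def demo():
    rp = RelyingParty(LEGIT_ORIGIN)
    key = SecurityKey()
    user = "victim@example.com"  # constructed
    rp.register(user, key)
    return {
        "honest": honest_login(rp, key, user),
        "relayed": relayed_login(rp, key, user),
        "forged_origin": relayed_login_with_forged_origin(rp, key, user),
    }
```

`demo()` returns `ok` only for the honest login: the relayed response is thrown out because the signed origin is the fake site, and rewriting the origin breaks the signature. Nothing here depends on the victim noticing the wrong address bar, which is the point.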

These hardware security tokens tend to cost less than $25 and add an invaluable level of security to your online accounts.

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648