By Staff Writer
A recent Iranian phishing campaign that targeted activists, journalists, and US government officials used a new technique that allowed hackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, according to researchers on Thursday. This underscores the risk of two-factor authentication that relies on one-time passwords sent via text messages to phones.
Iranian regime hackers collected detailed information on their targets and used it to write spear-phishing emails tailored to each target's level of operational security, security firm Certfa Lab said. The emails contained a hidden image that alerted the hackers in real time when a message was opened, so that as soon as the target entered a password into the fake security page, the attackers could enter it into the real login page. If the target had two-factor authentication enabled, the fake page then redirected them to a second page that requested the one-time password, which the attackers relayed to the real site in the same way.
The researchers wrote: “In other words, they check victims’ usernames and passwords in real time on their own servers, and even if 2-factor authentication such as text message, authenticator app or one-tap login is enabled they can trick targets and steal that information too.”
Certfa confirmed that the technique successfully breached accounts protected by SMS-based two-factor authentication, but was unable to confirm whether it could work against two-factor authentication transmitted via apps like Google Authenticator and Duo Security.
A representative wrote: “We’ve seen [it] tried to bypass [two-factor authentication] for Google Authenticator, but we are not sure they’ve managed to do such a thing or not. For sure, we know hackers have bypassed [two-factor authentication] via SMS.”
However, there is little reason the technique would fail against app-generated codes, so long as the attackers submitted the code to the real site before it expired. The one form of two-factor authentication it cannot relay is an industry-standard security key that connects via USB, Bluetooth or Near Field Communication: the key signs a response that is bound to the web origin the browser is actually talking to, so a response obtained on a phishing domain is rejected by the genuine site.
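The following is an added simulation, not code from Certfa's report or from the campaign, of the relay described above. A `PhishingRelay` forwards whatever the victim types to a `RealService` the moment it arrives; a TOTP code replayed within the server's 30-second skew window is accepted, the same code replayed 90 seconds later is not, and a security-key assertion is rejected because the signed client data names the phishing origin rather than the real one. The account, secrets, `accounts-google.example` look-alike domain and the skew tolerance are all assumptions for the demo; HMAC stands in for the key's asymmetric signature so the example stays self-contained.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed sample account for the demo; nothing here comes from the Certfa report.
VICTIM = "target@example.com"
PASSWORD = "correct horse battery staple"
TOTP_SECRET = b"12345678901234567890"              # RFC 6238 test-vector secret
KEY_SECRET = b"hypothetical-security-key-secret"   # stand-in for the key's private key

REAL_ORIGIN = "https://accounts.google.com"
PHISH_ORIGIN = "https://accounts-google.example"   # assumed look-alike, not one from the report


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows at `now`."""
    counter = now // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** digits:0{digits}d}"


class RealService:
    """The genuine login endpoint: checks the password plus a second factor."""

    def __init__(self, origin: str):
        self.origin = origin
        self.pending_challenges = set()

    def login_with_totp(self, user: str, password: str, code: str, now: int) -> bool:
        if user != VICTIM or password != PASSWORD:
            return False
        # Assumed skew tolerance: accept the current and the previous 30 s window.
        return code in {totp(TOTP_SECRET, now), totp(TOTP_SECRET, now - 30)}

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending_challenges.add(challenge)
        return challenge

    def login_with_security_key(self, user: str, password: str, client_data: str, sig: str) -> bool:
        if user != VICTIM or password != PASSWORD:
            return False
        data = json.loads(client_data)
        # U2F/WebAuthn-style check: the signed client data must name THIS origin
        # and a challenge this server actually issued.
        if data.get("origin") != self.origin or data.get("challenge") not in self.pending_challenges:
            return False
        self.pending_challenges.discard(data["challenge"])
        expected = hmac.new(KEY_SECRET, client_data.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig)


class SecurityKey:
    """Browser + security key: signs the challenge together with the origin the
    browser is really connected to. HMAC stands in for the asymmetric signature."""

    def sign(self, challenge: str, origin: str):
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        sig = hmac.new(KEY_SECRET, client_data.encode(), hashlib.sha256).hexdigest()
        return client_data, sig


class PhishingRelay:
    """Attacker's look-alike page: forwards the victim's input to the real service
    as soon as it arrives (the real-time check the report describes)."""

    def __init__(self, real: RealService, origin: str):
        self.real = real
        self.origin = origin

    def victim_submits_totp(self, password: str, code: str, relay_time: int) -> bool:
        return self.real.login_with_totp(VICTIM, password, code, relay_time)

    def victim_taps_key(self, password: str, key: SecurityKey) -> bool:
        challenge = self.real.issue_challenge()              # fetched from the real site
        client_data, sig = key.sign(challenge, self.origin)  # browser binds the phishing origin
        return self.real.login_with_security_key(VICTIM, password, client_data, sig)


def relay_totp_within_window() -> bool:
    """Victim enters the code at T; the relay replays it 5 s later."""
    t = 1_700_000_000
    phish = PhishingRelay(RealService(REAL_ORIGIN), PHISH_ORIGIN)
    return phish.victim_submits_totp(PASSWORD, totp(TOTP_SECRET, t), t + 5)


def relay_totp_after_delay() -> bool:
    """Same code replayed 90 s later, outside the skew window."""
    t = 1_700_000_000
    phish = PhishingRelay(RealService(REAL_ORIGIN), PHISH_ORIGIN)
    return phish.victim_submits_totp(PASSWORD, totp(TOTP_SECRET, t), t + 90)


def relay_security_key() -> bool:
    """Assertion obtained on the phishing origin, relayed to the real site."""
    phish = PhishingRelay(RealService(REAL_ORIGIN), PHISH_ORIGIN)
    return phish.victim_taps_key(PASSWORD, SecurityKey())


def legitimate_security_key_login() -> bool:
    """Control: the same key used directly on the genuine origin."""
    real = RealService(REAL_ORIGIN)
    client_data, sig = SecurityKey().sign(real.issue_challenge(), REAL_ORIGIN)
    return real.login_with_security_key(VICTIM, PASSWORD, client_data, sig)
```

Running the four scenario functions shows the asymmetry the report points at: the TOTP relay succeeds whenever the attacker is faster than the code's validity window, which the hidden-image notification is there to guarantee, while the security-key relay fails regardless of timing because the origin is part of what is signed.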
The campaign hosted its malicious pages on sites.google.com and sent emails from addresses such as [email protected] and [email protected] to lend the fraud an air of legitimacy and make targets believe they were being contacted by Google.
The attackers used more than 20 separate Internet domains, chosen to match the email services their targets used. Certfa said that some of those domains and IP addresses linked the phishers to the already known Iranian hacking group “Charming Kitten”.
This new campaign started just weeks before the US reimposed sanctions on Iran on November 4, and targeted politicians, civil and human rights activists, journalists, high-profile defenders, detractors and enforcers of the nuclear deal struck between Washington and Tehran, Arab atomic scientists, Iranian civil society figures, Washington think-tank employees, and more than a dozen US Treasury officials.