Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail

A recent phishing campaign targeting US government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday.

The event underscores the risks of 2fa that relies on one-tap logins or one-time passwords, particularly if the latter are sent in SMS messages to phones.

When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into the real login page. In the event that targets' accounts were protected by 2fa, the attackers redirected the targets to a new page that requested a one-time password.

In an email, a Certfa representative said company researchers confirmed that the technique successfully breached accounts protected by SMS-based 2fa. The researchers were unable to confirm the technique succeeded against accounts protected by 2fa that transmitted one-time passwords in apps such as Google Authenticator or a compatible app from Duo Security.

Once a target enters a password on what she believes is the authentic Gmail or Yahoo Mail site, she will either open the 2fa app as instructed in the fake redirection or get a push notification from the phone app.

The notable exception is that this attack is impossible, at least in theory, against 2fa that uses an industry-standard security key.

Gmail and other types of Google accounts currently have the ability to work with keys that conform to U2F, a standard developed by an industry consortium known as the FIDO Alliance.

According to the Associated Press, targets included high-profile defenders, detractors, and enforcers of the nuclear deal struck between Washington and Tehran, Arab atomic scientists, Iranian civil society figures, Washington think-tank employees, and more than a dozen US Treasury officials.
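To show why the security-key exception holds, here is an added example (not from the article, Certfa, or the FIDO specifications) that models the relay described above against a simplified U2F-style login: the key signs the origin the browser actually loaded alongside the server's challenge, so a response obtained on a lookalike page either names the wrong origin or, if edited, fails signature verification. The origins, the HMAC standing in for an ECDSA signature, and the server holding the key secret are all simplifications assumed for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed, simplified model of a security-key (U2F) login: a real key
# signs with ECDSA P-256, an HMAC stands in here. Origins are placeholders.
REAL_ORIGIN = "https://mail.example.com"
PHISH_ORIGIN = "https://mail-example-security.example.net"
KEY_SECRET = os.urandom(32)  # private key material that never leaves the key

def key_sign(browser_origin: str, challenge: str) -> dict:
    """The browser reports the page's origin; the key signs it with the challenge."""
    client_data = json.dumps({"origin": browser_origin, "challenge": challenge},
                             sort_keys=True)
    digest = hashlib.sha256(client_data.encode()).digest()
    return {"client_data": client_data,
            "signature": hmac.new(KEY_SECRET, digest, "sha256").hexdigest()}

def server_verify(assertion: dict, challenge: str) -> bool:
    """Relying party checks freshness, its own origin, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("challenge") != challenge:
        return False  # stale or replayed response
    if cd.get("origin") != REAL_ORIGIN:
        return False  # signed while the browser was on a lookalike site
    digest = hashlib.sha256(assertion["client_data"].encode()).digest()
    expected = hmac.new(KEY_SECRET, digest, "sha256").hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

def legitimate_login() -> bool:
    challenge = os.urandom(16).hex()
    return server_verify(key_sign(REAL_ORIGIN, challenge), challenge)

def relayed_login() -> bool:
    """Real challenge relayed to the victim on the phishing page; the key's
    answer is forwarded unchanged but names the wrong origin."""
    challenge = os.urandom(16).hex()
    return server_verify(key_sign(PHISH_ORIGIN, challenge), challenge)

def relayed_login_edited_origin() -> bool:
    """Rewriting the origin field before forwarding invalidates the signature."""
    challenge = os.urandom(16).hex()
    assertion = key_sign(PHISH_ORIGIN, challenge)
    cd = json.loads(assertion["client_data"])
    cd["origin"] = REAL_ORIGIN
    assertion["client_data"] = json.dumps(cd, sort_keys=True)
    return server_verify(assertion, challenge)
```

An SMS or app-generated one-time code carries no such origin binding, which is why the same relay works against it once the victim types the code into the fake page.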
