This past Thursday, researchers revealed that hackers had launched a massive phishing campaign.
The campaign targeted journalists, activists and United States government officials.
Hackers who launched the campaign made notable use of a technique which enabled them to bypass all the two-factor authentication protective features that services such as Yahoo Mail and Gmail offered to users.
Some believe that the latest event underscores all the inherent risks that come with 2-factor authentications which rely on either one-time passwords and/or one-tap logins.
The risk with one-time passwords is even more since hackers have an easier time dealing with SMS messages that different services send to the user’s smartphone devices.
Reports say that these hackers were all engaging in the activity on behalf of the government in Iran.
These hackers collected vast amounts of information on the targets and then moved ahead to use all of that knowledge in order to write, what the community calls, spear-phishing emails.
Hackers from Iran tailored the emails to the given target’s own exclusive level of operational security.
Certfa Lab, a security firm, researchers mentioned a lot of other details about the attack in a recent blog post here.
It turns out, the email messages that the hackers sent to the targets contained a special hidden image.
With the help of this image, hackers could know in real time, via alerts, when the given targets opened and viewed their messages.
Additionally, when the targets got caught into the trap of entering passwords and usernames into a fake Yahoo and/or Gmail security page, the Iranian attackers would, more or less, simultaneously enter their real credentials into the real service login pages.
Of course, some of the targets made use of two-factor authentication.
For such targets, the attackers from Iran actually redirected these targets to new pages which requested them for a one-time password.
Researchers working at the Certfa Lab also wrote that, in simpler terms, the hackers checked their victim’s passwords and usernames in realtime and also on their own operated servers.
Moreover, even if the target had enabled two-factor authentication like one-tap login, authenticator app and/or text message, hackers could still trick targets and take advantage of them to steal all the information to the second authenticating measure as well.
While communicating via email, a representative from Certfa mentioned that the company’s researchers had confirmed that the specific technique which hackers from Iran made use of successfully managed to breach accounts that had enabled two-factor authentication via SMS.
However, researchers at Certfa did not have enough information at the given moment in time to ascertain if the technique that hackers from Iran used also succeeded against targeted accounts that had two-factor authentication protection via one-time passwords transmitted in applications such as the official Google Authenticator app and/or any other compatible app such as that from Duo Security.
The representative from Certfa also wrote that the firm had seen hackers try to pass the two-factor authentication protection via Google Authenticator as well, but they did not have enough evidence to say for sure that hackers from Iran managed to also breach it or not.
However, in the case of two-factor authentication via an SMS message, researchers were pretty sure that hackers had compromised that.
Hackers can phish one-time passwords. But they can’t do the same to Security keys
At least, in theory, experts say there is little reason why hackers could not use the same technique to bypass the official Google Authenticator app along with other two-factor authentication apps as well.
Readers should know that hackers in Iran have shown that they do not have a problem with authenticator apps that transmit either a one-time password app and/or ask the user to perform a click on a button that says approve.
Now here comes the important bit.
Once the given target successfully enters his/her password and username on what the target thinks is the official and authentic Yahoo Mail or Gmail website, the target would probably then open up the two-factor authentication app as the fake redirection page instructs him/her to or the target may receive a push notification from his/her official smartphone app.
Hackers would most likely succeed as long as they find that the target has responded within the official allocated amount of time which is typically around 30 seconds or so.
After the target has gone through the second step, hackers would gain complete access to the account.
In fact, the only productive thing that two-factor authentication has done in the case of Iranian hackers launching phishing attacks is that it has added a second/extra step in the process.
Of course, the notable exception to the above-mentioned attack is that it is simply not possible (again, speaking from a purely theoretical point of view) if a user is making use of an industry-standard hardware security key.
These are keys that connect to the user’s computer machine via the machine’s USB port.
They can also connect via NFC (Near Field Communication) and/or Bluetooth via a phone.
Many Google accounts including Gmail currently have this feature where they can work with those security keys that conform to the industry standard of U2F.
U2F, as many of our readers would know is a standard the industry consortium that goes by the name of Fido Alliance developed some time ago.
In fact, a full two-year study carried out at Google of over 50,000 employees showed that almost every time, hardware security keys beat most other forms and methods of two-factor authentication including smartphones in both ease of use and security.
As alluded to earlier as well, Google also provides users with its Advanced Protection Program.
This program requires hardware security keys from the users to utilize as the only means of accessing Gmail services via two-factor authentication.
Google has a similar program for many other Google accounts as well.
We are aware of the fact that a lot of organizations would simply not want to get prepared to adopt such a technology.
However, our research shows that it is still sensible on part of average online consumers to form a new habit and make use of hardware security keys as often and as much as possible.
With that said, even if someone is making use of hardware security keys, it is probably a good idea to have the app-based two-factor authentication remain available as an emergency fall-back method of account authentication.
Now, readers should understand that the main goal of such a strategy is to actually train online users to start suspecting any given site that they are trying to log into which tells them to make use of their two-factor authentication application instead of the hardware security key which they would normally use.
The Certfa report on the Iranian phishing campaign was effective for many other reasons besides the fact that hackers managed to bypass two-factor authentication.
To take an example, the phishing campaign hosted malware-ridden malicious webpage on services such as sites.google.com and then sent email messages from addresses that read something along the lines of email@example.com and also firstname.lastname@example.org in order to give the user the impression that all the content that they were seeing was actually from accounts officially connected to their email service provider Google.
Not only that, it turns out the phishers actually dedicated a total that went beyond 20 different and separate internet domains to accurately tailor their predefined target’s utilization of the email services on both smartphones and computers.
Apart from that, researchers working at Certfa also mentioned that some of the IP addresses and domains which were used in the phishing campaign actually connected to phishing hackers to a group called Charming Kitten.
Charming Kitten, a hacker group, had been previously linked to the government in Iran.
It turns out, the latest phishing campaign started just a few weeks before the United States re-imposed all of its sanctions on the government in Iran.
That happened in early number.
Readers might find it interesting to note that the phishing campaign actually targeted those individuals who were involved in the latest round of sanctions as well as all the politician involved along with human and civil rights activists.
Not only that, they also targeted journalists from all corners of the globe.
A report from Associated Press said that the targets also included some high-profile enforcers, detractors, and defenders of the nuclear deal that Washington struck with Tehran.
Some of them included
• civil society figures in Iran
• atomic scientists in Arab states
• Think-tank employees in Washington
• US treasury officials numbering in the dozen.