Sneaky phishing campaign beats two-factor authentication

Protecting an account with multi-factor authentication (MFA) is a no-brainer, but that doesn’t mean every method for doing this is equally secure.

Take SMS authentication, for example, which in recent times has been undermined by various man-in-the-middle and man-in-the-browser attacks as well as SIM swap frauds carried out by tricking mobile providers.

This week, researchers at Certfa Lab said they’d detected a recent campaign by the Iranian ‘Charming Kitten’ group (previously blamed for the 2017 HBO hack) that offers the latest warning that SMS authentication is not the defence it once was.

The targets in this campaign were high-value individuals such as US Government officials, nuclear scientists, journalists, human rights campaigners, and think tank employees.

Certfa’s evidence comes from servers used by the attackers which contained a list of 77 Gmail and Yahoo email addresses, some of which were apparently successfully compromised despite having SMS verification turned on.

We don’t normally get a chance to peer inside attacks that are as targeted as this one, let alone ones prodding 2FA for weaknesses.

The campaign was built around the old idea of sending a fake alert from a plausible-looking address such as

Google sends out alerts from time-to-time, so a few people might be tricked by this but there were other tweaks to boost its chances even further, such as:

  • Hosting phishing pages and files on, a Google sub-domain.
  • Sending the email alert as a clickable image hosted on Firefox Screenshot rather than URL text which might trip Google’s anti-phishing system.
  • Tracking who has opened emails by embedding a tiny 1×1 “beacon” pixel that is hosted and monitored from an external website (marketers have used this technique for years, which is why it’s a good idea to turn automatic image loading off in programs like Gmail).

SMS bypass

But how to beat authentication?

It’s possible the attackers were able to check phished passwords and usernames on-the-fly to see whether authentication was turned on. If it was – and presumably that would have been the case for most targets – a page mimicking the 2FA sign-in was thrown up.

This sounds simple, but the devil is in the detail. For example, it seems the attackers were also able to find out the last two digits of the target’s phone number, which was needed to generate a facsimile of the Google or Yahoo SMS verification pages.

While SMS OTP authentication was the primary target, Time-based One-time Password (TOTP) codes from an authentication app were also targeted.

According to Twitter comments by Certfa, the attacks against SMS authentication were successful, which is not a surprise given that all the attacker has to do is phish the code.

As for TOTP and HMAC-based One-time Password algorithm (HOTP)-based authenticator apps (i.e. Google Authenticator), the researchers are less sure – as with SMS, it would depend on how quickly the attackers could capture and enter the code within the allowed time window.

Where does this leave 2FA?

Using 2FA in any form is better than nothing but SMS is no longer the best option if users have a choice – Google, for one, no longer offers this option unless it was set up on an account a while ago.

Naked Security has published numerous articles on the vulnerability of older 2FA technologies such as SMS as well as the pros and cons of app-based authentication (Google Authenticator). In 2016, the US National Institute of Standards and Technology (NIST) recommended that users plan to move from SMS to more secure methods of authentication.

The most secure option by far is to use a FIDO U2F (or the more recent FIDO2) hardware token such as the YubiKey because bypassing it requires physical access to the key.

Google even offers a specially-hardened version of Gmail, the Advanced Protection Program (APP), built around this kind of security with some additional features added on top.

Password managers are another option because these will only auto-fill password fields when they detect the correct domain (see caveats regarding mobile versions). If that doesn’t happen as expected this could be a sign that something is wrong.