Protecting an account with multi-factor authentication (MFA) is a no-brainer, but that doesn’t mean every method for doing this is equally secure.
Take SMS authentication, for example, which in recent times has been undermined by various man-in-the-middle and man-in-the-browser attacks as well as SIM swap frauds carried out by tricking mobile providers.
This week, researchers at Certfa Lab said they’d detected a recent campaign by the Iranian ‘Charming Kitten’ group (previously blamed for the 2017 HBO hack) that offers the latest warning that SMS authentication is not the defence it once was.
The targets in this campaign were high-value individuals such as US Government officials, nuclear scientists, journalists, human rights campaigners, and think tank employees.
Certfa’s evidence comes from servers used by the attackers, which contained a list of 77 Gmail and Yahoo email addresses, some of which were apparently successfully compromised despite having SMS verification turned on.
We don’t normally get a chance to peer inside attacks that are as targeted as this one, let alone ones prodding 2FA for weaknesses.
The campaign was built around the old idea of sending a fake alert from a plausible-looking address such as
Google sends out alerts from time to time, so a few people might be tricked by this, but there were other tweaks to boost its chances even further, such as:
- Hosting phishing pages and files on sites.google.com, a Google sub-domain.
- Sending the email alert as a clickable image hosted on Firefox Screenshot rather than URL text which might trip Google’s anti-phishing system.
- Tracking who has opened emails by embedding a tiny 1×1 “beacon” pixel that is hosted and monitored from an external website (marketers have used this technique for years, which is why it’s a good idea to turn automatic image loading off in programs like Gmail).
But how to beat authentication?
It’s possible the attackers were able to check phished usernames and passwords on the fly to see whether 2FA was turned on. If it was – and presumably that would have been the case for most targets – a page mimicking the 2FA sign-in was thrown up.
This sounds simple, but the devil is in the detail. For example, it seems the attackers were also able to find out the last two digits of the target’s phone number, which was needed to generate a facsimile of the Google or Yahoo SMS verification pages.
While SMS OTP authentication was the primary target, Time-based One-time Password (TOTP) codes from an authentication app were also targeted.
According to Twitter comments by Certfa, the attacks against SMS authentication were successful, which is not a surprise given that all the attacker has to do is phish the code.
As for TOTP and HMAC-based One-time Password (HOTP) authenticator apps (e.g. Google Authenticator), the researchers are less sure – as with SMS, it would depend on how quickly the attackers could capture and enter the code within the allowed time window.
Where does this leave 2FA?
Using 2FA in any form is better than nothing, but SMS is no longer the best option if users have a choice – Google, for one, no longer offers this option unless it was set up on an account a while ago.
Naked Security has published numerous articles on the vulnerability of older 2FA technologies such as SMS as well as the pros and cons of app-based authentication (Google Authenticator). In 2016, the US National Institute of Standards and Technology (NIST) recommended that users plan to move from SMS to more secure methods of authentication.
The most secure option by far is to use a FIDO U2F (or the more recent FIDO2) hardware token such as the YubiKey because bypassing it requires physical access to the key.
Google even offers a specially-hardened version of Gmail, the Advanced Protection Program (APP), built around this kind of security with some additional features added on top.
Password managers are another option because these will only auto-fill password fields when they detect the correct domain (see caveats regarding mobile versions). If that doesn’t happen as expected this could be a sign that something is wrong.
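The domain check described above is the whole of the protection a password manager offers against a phishing page, so it is worth being precise about what "the correct domain" should mean. The following is an added example, not code from the article or from any real password manager: it shows a deliberately strict matching policy (exact origin, https only, optional subdomains, no filling inside third-party frames) and the kinds of lookalike URLs it must refuse. The policy choices and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed example, not code from any real password manager.
# A saved credential is keyed by the exact origin (scheme + host + port) on
# which it was captured; the manager fills only when the current page matches.


def origin_of(url: str):
    """Return (scheme, hostname, port) for a URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # .hostname is already lower-cased and excludes any user@ prefix, so
    # "https://accounts.google.com@evil.example/" yields "evil.example".
    return (parts.scheme, parts.hostname, port)


def should_autofill(saved_url: str, page_url: str, is_top_frame: bool,
                    allow_subdomains: bool = False) -> tuple:
    """Decide whether a credential saved for `saved_url` may be filled into `page_url`.

    Returns (decision, reason). Assumed policy (hypothetical, for illustration):
      * https only: a credential saved on https is never sent to an http page;
      * exact host match, optionally also true subdomains of the saved host
        (ending in "." + saved host), never prefix or lookalike matches;
      * never fill into a frame that is not the top-level document, since a
        hostile page can embed the legitimate login page in a hidden frame.
    """
    saved = origin_of(saved_url)
    page = origin_of(page_url)
    if saved is None or page is None:
        return (False, "unparseable URL")
    if not is_top_frame:
        return (False, "login form is inside a third-party frame")
    if page[0] != "https":
        return (False, "page is not served over https")
    if page[0] != saved[0] or page[2] != saved[2]:
        return (False, "scheme or port differs from saved origin")
    saved_host, page_host = saved[1], page[1]
    if page_host == saved_host:
        return (True, "exact host match")
    if allow_subdomains and page_host.endswith("." + saved_host):
        return (True, "subdomain of saved host")
    return (False, "host %r does not match saved host %r" % (page_host, saved_host))


if __name__ == "__main__":
    # Constructed test URLs; only the first should receive the credential.
    saved = "https://accounts.google.com/signin"
    for page, top in [
        ("https://accounts.google.com/signin/v2", True),
        ("https://accounts.google.com.evil.example/login", True),
        ("https://accounts.google.com@evil.example/", True),
        ("http://accounts.google.com/signin", True),
        ("https://accounts.google.com/signin", False),
    ]:
        print(page, top, should_autofill(saved, page, top))
```

The manual-click behaviour one commenter describes below is the user-side equivalent of the `is_top_frame` rule: the manager should never release a credential to a document the user has not deliberately navigated to.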
16 comments on “Sneaky phishing campaign beats two-factor authentication”
Google’s 2FA using YubiKey seems to be working only on Chrome browser. When signing in from Firefox or Edge, I had no choice but to use an authenticator app.
Somehow I doubt that Google lacks the technical know-how to make it work on all major browsers.
Or they just don’t want you to be using any browser other than their own.
Perhaps it’s the implementation of YubiKey within Firefox or Edge. As stated on support.yubico.com, the browsers Google Chrome and Opera natively support U2F. In Firefox the implementation varies and support has to be turned on. There is also a workaround mentioned: if you use a browser that doesn’t support U2F, you can use Yubico Authenticator as an alternative to U2F, described above.
Isn’t that what said?!
You probably have a U2F YubiKey rather than a FIDO2 YubiKey. U2F, a precursor to FIDO2/WebAuthn, is off by default in Firefox, but it’s easy to switch on: https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/
U2F is the 2FA functionality of FIDO/FIDO2. FIDO2 is a combination of WebAuthn and FIDO components. Or did I get something wrong?
Not quite, but I think my earlier statement is probably wrong, so let’s clear it all up 🙂
FIDO2 is WebAuthn and CTAP. CTAP has two parts, CTAP2, required for WebAuthn, and CTAP1, the new name for U2F.
CTAP1 makes FIDO2 backwards compatible with U2F, so a U2F YubiKey ought to work with a FIDO2 application where the key is used as a second factor, in combination with a username and password. You can’t use a U2F key as a single factor, in place of a password.
So it’s the opposite of what I said earlier: you’d only need to turn on U2F support in Firefox if you have a U2F key and you’re using it as a second factor on a website speaking U2F instead of WebAuthn.
Probably because the YubiKey you’re using is U2F-compliant (the part of the FIDO1 spec developed by Google and Yubico) which is only supported by Chrome and Opera. You can enable U2F support on Firefox via an about:config change but even that doesn’t always work – Mozilla and Microsoft are putting all their effort into supporting FIDO2, which is to say WebAuthn.
I think calling 2FA “Better than nothing” is a gross mischaracterization. By your own description this was a highly targeted attack that only state-sponsored actors are capable of pulling off. 2FA on mobile devices remains a strong defense for the vast majority of users.
I disagree – 2FA based on OTP is conceptually easy to bypass by an attacker that is determined to do that.
The reason we don’t hear more about this happening is most likely that so few users have any 2FA turned on that bypassing it is rarely necessary.
2FA is only one layer of security – and it’s a good one. Much more questionable are insecure passwords. But worst of all are careless, credulous, uninformed users.
“Password managers are another option because these will only auto-fill password fields when they detect the correct domain (see caveats regarding mobile versions). If that doesn’t happen as expected this could be a sign that something is wrong.”
Except malicious or compromised websites can host scripts that reference those legit domains in the background, tricking some/many/all? password managers to autofill your credentials behind the scenes and provide the baddies with exactly what they want.
I disabled autofill and instead manually click the extension’s buttons to insert my credentials as needed.
“This sounds simple, but the devil is in the detail. For example, it seems the attackers were also able to find out the last two digits of the target’s phone number, which was needed to generate a facsimile of the Google or Yahoo SMS verification pages.” Unsure if it’s still the case, but finding out the last digits of a phone number for a Google account is pretty easy. You just have to say “Forgot my password” and it’ll bring you to a page to verify your backup contact, which is usually the last two digits of your cell so they can text you something.
SMS is clearly the weakest form of 2nd factor that can be selected. It is popular because it is also the simplest to implement, but now even NIST has taken it off the approved authentication methods list. Hardware tokens, FIDO and installed applications are better, but SMS is still better than having no 2FA at all, and I am assuming people are currently using SMS due to financial reasons.
As the article says, the attack was designed to work against both SMS and app-based codes (if you can persuade the user to send you their current code for you to type in elsewhere then you can bypass both types). The difference in effectiveness depends on how rapidly the server discards old tokens. App-based tokens change every 30 seconds (plus as much leeway for “time drift” as the server will allow). SMS tokens are valid for a period set by the server, too. It is hard to know exactly how much time a crook might have to intercept and use your token without trying some carefully structured experiments.
(I occasionally put in the wrong token on purpose to the various 2FA protected accounts I have just to ensure it gets rejected… but I have never tried to measure how long a real token might last.)