The second report in a week has analysed phishing attacks that are attempting – and probably succeeding – in bypassing older forms of two-factor authentication (2FA).
The latest is from campaign group Amnesty International, which said it had detected two campaigns sending bogus account alerts targeting around 1,000 human rights defenders in and around the Middle East and Africa.
The organisation has its theories about who is behind the attacks but what will matter most to Naked Security readers are the methods being employed to defeat authentication.
Only days ago, researchers at Certfa reported on what they believed were targeted attacks against influential people with US connections which were able to beat 2FA.
Those targeted Gmail and Yahoo accounts secured using either SMS-based 2FA (where a one-time code is sent to a user’s mobile device), or generated by an authenticator app, also using an OTP-based protocol.
Likewise, the attacks detected by Amnesty also targeted Google and Yahoo’s 2FA, although this probably reflects their popularity rather than any specific weakness in implementation.
As with Certfa, Amnesty’s evidence comes from analysis of a server used by the attackers to store credentials from stolen accounts.
This appears to include references to phished OTP 2FA codes but with an interesting twist – once they’d gained access to the account, the attackers also set up a third-party app password to maintain persistence.
This would mean that even if a phished individual realised they’d been hacked and regained access to their account, the attackers would have created a sneaky backdoor that wouldn’t be immediately obvious to many users.
Says the report:
App passwords are perfect for an attacker to maintain persistent access to the victim’s account, as they will not be further required to perform any additional two-factor authentication when accessing it.
In a second technique, the attackers appeared to have connected hacked accounts to migration services such as Shuttlecloud as a way of quietly monitoring activity in a clone account.
ProtonMail and Tutanota
Interestingly, the campaigns also targeted more specialised email services such as ProtonMail and Tutanota which are marketed as offering a higher level of security and privacy by default.
For example, even without authentication turned on, ProtonMail users must enter not only a username and password but an encryption code to decrypt the contents of their inbox. All messages sent between users of the service are end-to-end encrypted and users can see logs of all account accesses.
And, of course, users can turn on OTP-based 2FA which, given that ProtonMail is intended to raise the bar for attackers, one would imagine the majority of users would do.
But encryption keys and OTP codes are no different from usernames and passwords – in principle they can be phished if the attackers are able to jump through a few extra hoops.
According to Amnesty, in the case of Tutanota the phishing campaign was able to use a similar-looking domain, tutanota.org (the correct domain being tutanota.com).
To boost verisimilitude, the attacks added baubles such as an HTTPS connection/padlock, and a carefully-cloned replica of the real site.
Did the attacks succeed?
The evidence isn’t conclusive, but it appears that Yahoo and perhaps Gmail SMS 2FA was successfully targeted on some occasions. No evidence is presented regarding any compromise of ProtonMail or Tutanota accounts.
The question is where this leaves 2FA authentication that’s based on sending or generating codes.
It’s worth stressing that while man-in-the middle attacks on this form of authentication have been possible for years, it is not as easy as phishing a username and password.
To succeed, the attacker must grab the code within the 30-second window before it is replaced by a new code, which under real-world conditions must probably be done in less than half that time. This might explain why SIM swap fraud (where attackers receive SMS codes direct) has become another popular technique.
To be convincing, they might also have to know the target’s phone number because SMS authentication pages often list the last two digits as an authenticity check.
The message here is that while code-based 2FA is better than a plain old password, phishing attackers are now going after it with gusto. Rather than fall back on assumptions and probabilities, anyone who feels they might be a high-value target should consider moving to something more secure.
At some point we’ll all have to do the same. For the tech industry – and its users – the warning lights are flashing red.