Iranian hackers use phishing to defeat SMS two-factor verification on Gmail and Yahoo: time to look for alternatives
One of the most common pieces of advice for authenticating to websites and services is to use two-step verification, which usually relies on the smartphone as the verifying element, with SMS as the main channel for receiving a second, one-time code that grants access to the service.
However, as has been demonstrated on other occasions, "classic" security measures are proving less infallible, and the same is true here. Researchers from Certfa Lab have published a study explaining how Iranian hackers, allegedly working on behalf of the Iranian government, have attacked US officials, journalists and activists.
As almost always, email played a prominent role in the attack. But according to the researchers, the part that enabled the compromise is two-factor authentication, which in some cases can be very safe but in others no longer offers the protection it once did.
The Iranian group did nothing particularly new. First they researched the targets' email addresses. Once they had them, they sent messages from seemingly trustworthy addresses such as "noreply.customermails@gmail.com" that contained images acting as trackers. That way, they could monitor when the links were opened.
That was another key to the process. The emails also contained links to fake Gmail or Yahoo websites which, as is common in phishing, look real to anyone who does not stop to verify their authenticity. Once victims entered their username and password into the fields of these malicious sites, the attackers could log in to the real Gmail or Yahoo websites with those credentials.
Although it is safer than having nothing, SMS is no longer a good way to prove that we are who we say we are.
However, because many users have two-step verification by SMS enabled, the hackers devised a second step that also asked victims to enter the one-time code that usually arrives by SMS. Once the attackers received it and entered it on the real website within a short period of time, the accounts were fully compromised.
The research also notes that services such as Google Authenticator can just as easily fall to the well-organized action of a group like this one. According to Ars Technica, the accounts that are hardest to attack are those that use security keys, connected to the device by USB, Bluetooth or NFC, that implement the U2F standard.
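The difference between a one-time code and a U2F key can be shown in a small simulation, added here as an example and not taken from the Certfa Lab study or from any provider's code. It models an authenticator-app code (an SMS code has the same property) and a simplified U2F assertion in which HMAC stands in for the key's real signature; the origins, secrets and timestamp are constructed placeholders.

```python
import hashlib, hmac, json, struct

def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps use."""
    mac = hmac.new(secret, struct.pack(">Q", int(t) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_code(secret, submitted, now):
    # The server sees only six digits; nothing records which site they were typed into.
    return hmac.compare_digest(totp(secret, now), submitted)

def key_sign(key, challenge, origin):
    """Security-key side. `origin` is supplied by the browser, not by the page."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                             sort_keys=True).encode()
    # Stand-in: HMAC replaces the ECDSA signature a real U2F key produces.
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def server_accepts_assertion(key, challenge, expected_origin, client_data, sig):
    expected_sig = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == challenge.hex() and data["origin"] == expected_origin

def compare_factors():
    now = 1_700_000_010                        # constructed timestamp
    secret = b"constructed-totp-secret"        # constructed sample values
    key = b"constructed-key-material"
    challenge = bytes(range(32))               # fixed for reproducibility
    real = "https://accounts.example"          # placeholder origins
    lookalike = "https://accounts-example.test"

    # A code entered on the look-alike page is still valid 10 s later on the real site.
    code_ok = server_accepts_code(secret, totp(secret, now), now + 10)
    # The same detour with a security key: the signed data names the look-alike origin.
    relayed_ok = server_accepts_assertion(key, challenge, real,
                                          *key_sign(key, challenge, lookalike))
    direct_ok = server_accepts_assertion(key, challenge, real,
                                         *key_sign(key, challenge, real))
    return {"relayed_code": code_ok, "relayed_assertion": relayed_ok,
            "direct_assertion": direct_ok}

if __name__ == "__main__":
    print(compare_factors())
```

The code is accepted wherever it was typed, while the key's response is rejected because the origin the browser recorded does not match the one the real service expects.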