Hackers beat 2
Securing your online accounts with two-factor authentication can be an effective way to ward off hackers. But the system isn't perfect. One mysterious group has been defeating the protection method in attempts to phish upwards of 1,000 people, according to the human rights group Amnesty International.
The group today published a report documenting the phishing attacks, which have been targeting journalists and activists based in the Middle East and North Africa through the use of phony emails and login pages.
The goal behind the attacks has been to trick victims into handing over access to their Google and Yahoo accounts, even when two-factor authentication is in place. "What makes these campaigns especially troubling is the lengths to which they go to subvert the digital security strategies of their targets," Amnesty International said in its report.
For the uninitiated, two factor-authentication is a safeguard designed to protect your online account in the event your password is stolen. It works like this: when you try to access the account, you not only have to enter your login credentials, but also a special one-time passcode that's been generated over your phone.
Unfortunately, the special passcodes generated by two-factor authentication systems are usually just a string of a random numbers, which can make them easy to phish; all the hacker has to do is to trick you into giving up the special codes.
Amnesty International said the group of hackers they've been tracking pulls this off by sending out fake but convincing security alerts that look like they came from Google or Yahoo. The alerts will claim the victim's account may have been breached and provide a link to an official-looking login page to initiate a password reset.
"To most users a prompt from Google to change passwords would seem a legitimate reason to be contacted by the company, which in fact it is," Amnesty International said. But in reality, the login pages are fake.
The hackers created the phony process to both phish the victim's password and the special two-factor authentication code. Amnesty International has been investigating the scheme based on suspicious emails the group has been receiving from human rights activists and journalists. To test out the attacks, the group created a disposable Google account and then clicked through one of the phishing emails.
"Sure enough, our configured phone number did receive an SMS message containing a valid Google verification code," Amnesty said in its report.
The group also investigated how the hackers were creating their phishing schemes and noticed that the mysterious group accidentally made public an online directory they were using to host their attacks. The information revealed the hackers were using web application testing tools to automate the phishing process.
"Essentially, they built an 'auto-pilot' system that would launch Chrome and use it [to] automatically submit the login details phished from the user to the targeted service, including two-step verification codes sent for example via SMS," said Claudio Guarnieri, a technologist at Amnesty, in a tweet.
The hackers' automated process is important because it lets them input the special one-time passcode into the real Google or Yahoo login page, before the time limit on the passcode runs out.
Typically those concerned about getting 2FA codes via SMS can also do so via an authenticator app, which serves up codes that change every few seconds. Amnesty did not immediately respond to PCMag's request for comment about whether this affects such apps, but a technologist there told Motherboard that "the same approach could potentially be used to phish codes from a 2FA app such as Google Authenticator."
The human rights group still recommends people adopt two-factor authentication, but to be aware that the system does have limitations. So don't be fooled into thinking you're completely safe. For example, government-sponsored hackers have the resources to create elaborate phishing schemes to crack the safeguard. They can also attempt to infect your PC with malware.
"Individuals at risk, human rights defenders above all, are very often targets of phishing attacks and it is important that they are equipped with the right knowledge," Amnesty said.
If you have extra money to spend, you can also invest in a security key to protect your online accounts. They work by substituting the two-factor authentication process with a hardware-based device, which needs to be inserted into your PC to log into the protected account. The big plus of a security key is that it's pretty hard for a hacker to steal; to do so, the attacker has to personally come and physically take it from you.
You can learn more about how they work here. Unfortunately, one key can cost between $25 to $50. Not every online service supports them either. But you can use them to protect your accounts on Google, Facebook, Dropbox, and Twitter.
Featured Video For You
Vitaminwater is offering $100,000 to keep off your smartphone for a year
(责任编辑:资讯)
-
Alcaraz, Sinner survive US Open wobbles
NEW YORK:Jannik Sinner and Carlos Alcaraz survived US Open first round wobbles on Tuesday to stay on ...[详细] -
Moon, Kim attend North Korea's mass gymnastics performance
North Korean leader Kim Jong-un addresses to audience at the May Day Stadium after watching a gymnas ...[详细] -
KARACHI:The sixth edition of the Habib Bank Limited (HBL) Pakistan Super League (PSL) enters a one-d ...[详细]
-
2017中国四川)国际茶业博览会雅安展区吸引观众。每年5月开始,茶界就开启了茶博会模式,平均每个月至少2场以上的茶博会在全国各地举行。今年,是四川茶博会举行的第六年。作为我市每年组团参展的第一个展会, ...[详细]
-
With more ballot initiatives ready to go before voters, supporters of reproductive rights are hoping ...[详细]
-
Clijsters accepts wildcard into WTA Miami Open
MIAMI:Former world number one Kim Clijsters, twice retired and now the mother of three, has accepted ...[详细] -
平均亩产1356.6公斤,化州市一玉米绿色高质高效示范片通过验收
平均亩产1356.6公斤,化州市一玉米绿色高质高效示范片通过验收_南方+_南方plus4月17日,化州市中垌镇德成家庭农场玉米绿色高质高效示范片顺利通过验收。此次验收由茂名市农业农村局组织验收专家进行 ...[详细] -
Watch Simone Biles make history (again) with never
We don't know what a double-double dismount from the beam is, but Simone Biles just pulled it off, s ...[详细] -
NYT Strands hints, answers for August 29
If you're reading this, you're looking for a little help playing Strands, the New York Times' elevat ...[详细] -
5月15日,记者从省旅发委官网获悉,经四川旅游标准评定委员会审定,拟认定30家单位为四川省五星级农家乐/乡村酒店、938家农家乐/乡村酒店为四川省星级农家乐/乡村酒店,我市共79家农家乐/乡村酒店榜上 ...[详细]