
A Phisher Hacked Gmail’s Two-Factor Authentication – Here’s How He Did It

Here at groovyPost, we are constantly pushing 2-step authentication as a way to secure your online accounts. I’ve been using 2-factor Gmail authentication for quite some time and I must say, it makes me feel very safe. For those who don’t use it, 2-step authentication means logging in requires your password plus a second, one-time code (usually sent via text or phone call, or generated by an app like Google Authenticator). True, it’s a bit of a pain, but it feels worth it to me. I’ve actually seen instances where it stymied a hacking attempt (that is, I got 2-factor texts on my phone when I wasn’t trying to log in, which means someone had correctly entered my password).

So, the other week, it shocked me when I heard on the Reply All podcast that a hacker had successfully phished someone using 2-step Gmail verification. This was in the episode entitled What Kind of Idiot Gets Phished? It’s a great episode, so I won’t spoil it for you by telling who the “idiot” was, but I will tell you some of the tricks they used.

1. Lookalike domain names

The hacker had permission from the show’s producers to try to hack the staff, but had no insider access to their servers. The first step to pwning the targets was spoofing a coworker’s email address. See, the person whose email they spoofed was:

phia@gimletmedia.com

The email address that the phisher used was this:

phia@gimletrnedia.com

Can you tell the difference? Depending on the font, you may not have noticed that the word “media” in the domain name is actually spelled r-n-e-d-i-a. The r and n smushed together look like an m. The domain was legitimate, so it wouldn’t have gotten picked up by a spam filter.
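A mail-gateway check for this kind of lookalike sender domain, as an added example (not code from the article or the podcast): it collapses visually confusable spellings such as “rn” for “m” to a common skeleton and compares against a trusted-domain list. The trusted list, the confusable table and the similarity threshold are assumptions for the example.

```python
import email.utils
import unicodedata
from difflib import SequenceMatcher

# Constructed for the example: domains this organization treats as its own.
TRUSTED_DOMAINS = {"gimletmedia.com"}

# Character sequences and single glyphs that look alike in common fonts (assumed table).
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "|": "l"})

# Minimum difflib similarity at which a near-miss (one inserted/changed letter) is flagged.
SIMILARITY_THRESHOLD = 0.9


def skeleton(domain: str) -> str:
    """Map a domain to a form where confusable spellings collide (lowercase, NFKC,
    single-glyph substitutions, then multi-character sequences such as rn -> m)."""
    s = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    s = s.translate(CONFUSABLE_CHARS)
    for seq, replacement in CONFUSABLE_SEQUENCES:
        s = s.replace(seq, replacement)
    return s


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one impersonates, or None if it is trusted
    (or a subdomain of a trusted domain) or simply unrelated."""
    d = domain.strip().lower().rstrip(".")
    for t in trusted:
        if d == t or d.endswith("." + t):
            return None  # genuinely ours: not a lookalike
    sk = skeleton(d)
    for t in trusted:
        if sk == skeleton(t):
            return t  # confusable spelling, e.g. gimletrnedia.com
        if SequenceMatcher(None, d, t).ratio() >= SIMILARITY_THRESHOLD:
            return t  # near-miss typo such as a dropped or swapped letter
    return None


def check_sender(header_from: str):
    """Parse the address out of a From: header value and flag a lookalike domain."""
    addr = email.utils.parseaddr(header_from)[1]
    domain = addr.rpartition("@")[2]
    return lookalike_of(domain) if domain else None
```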

2. Convincing Attachments and Body Text

The trickiest part of the phishing email was that it sounded extremely legit. Most of the time, you can spot a shady email from a mile away by its weird characters and broken English. But this phisher pretended to be a producer sending a piece of audio to a team for editing and approval. Coupled with the convincing domain name, it seemed very believable.

3. Fake 2-Step Gmail Login Page

This was the tricky one. So, one of the attachments sent was a PDF in Google Docs. Or so it seemed. When the victim clicked the attachment, it prompted them to log into Google Docs, as you sometimes have to do even when you’re logged into Gmail already (or so it seems).

And here’s the clever part.

The phisher created a fake login page that relayed the victim’s username and password to Google’s real login server in real time, so Google sent a genuine 2-factor request even though the page the victim was looking at was completely fake. The victim got a text message just like normal and, when prompted, typed the code into the fake login page. The phisher then used that code to gain access to their Gmail account.

Phished.

So, does this mean 2-factor authentication is broken?

I’m not saying that 2-step authentication doesn’t do its job. I still feel safer and more secure with 2-factor enabled, and I’m going to keep it that way. But hearing this episode made me realize that I’m still vulnerable. So, consider this a cautionary tale. Don’t get overconfident, and layer on the security measures to protect yourself from the unimaginable.
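The relay works because a one-time code, whether texted or generated by an app, carries nothing about which page it was typed into, while an authenticator that signs the site’s origin together with the challenge (the U2F/WebAuthn model) fails the same relay. The Python below is an added example, not from the article or the podcast, modelling both cases; the origins, keys and the HMAC stand-in for the device’s signature are assumptions of the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed placeholder origins for the demo; neither is a real site.
REAL_ORIGIN = "https://login.realsite.test"
FAKE_ORIGIN = "https://login.realsite-lookalike.test"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the kind of code an authenticator app shows.
    From the site's point of view a texted code behaves the same way."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def site_accepts_code(secret: bytes, code: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), code)


def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Origin-bound response: the authenticator signs the challenge together with
    the origin the browser actually presented. HMAC stands in for the device's
    signature (an assumption of this demo; U2F/WebAuthn use a per-site key pair)."""
    return hmac.new(device_key, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


def site_accepts_assertion(device_key: bytes, challenge: bytes, response: bytes) -> bool:
    """The real site only ever verifies against its own origin."""
    expected = sign_assertion(device_key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, response)


def relayed_otp_accepted(secret: bytes, unix_time: int) -> bool:
    """User types the current code into the fake page; the proxy forwards it within
    the same 30-second window. Nothing in the code says where it was typed."""
    code_typed_on_fake_page = totp(secret, unix_time)
    return site_accepts_code(secret, code_typed_on_fake_page, unix_time)


def relayed_assertion_accepted(device_key: bytes) -> bool:
    """Same relay against an origin-bound authenticator: the proxy forwards the real
    site's challenge, but the browser tells the device it is on FAKE_ORIGIN."""
    challenge = secrets.token_bytes(32)  # issued by the real site, relayed by the proxy
    response = sign_assertion(device_key, challenge, FAKE_ORIGIN)
    return site_accepts_assertion(device_key, challenge, response)
```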

Oh, by the way, the genius hacker from the story is: @DanielBoteanu

Do you use 2-step authentication? What other security measures do you use?


16 Responses to A Phisher Hacked Gmail’s Two-Factor Authentication – Here’s How He Did It

  1. Vic June 20, 2017 at 12:42 pm #

    I do use two-party authentication but I only access websites by typing the name in, not clicking on links.

  2. Lotus June 20, 2017 at 5:57 pm #

    What then are the additional measures to be taken? How do we secure surfing the web with Google? Both issues need to be dealt with. Google is still offering a better search result compared to DuckDuckGo.

    I will be grateful if anyone lets me know the best settings and add-ons (with their optimum settings) for Firefox. I also use Epic Browser (uses Bing and so search results remain limited vis a vis Google). Thanks,

    • Jack Busch June 23, 2017 at 6:52 pm #

      You can spot a phishing site by checking to see if it is https. In Chrome and other modern browsers, the URL bar will be green. Note that phishers sometimes use https, so click the lock icon to verify that the publisher is who you expect it to be. More info:

      http://blog.trendmicro.com/trendlabs-security-intelligence/phishing-safety-is-https-enough/

      As depressing as it is though, you’ll never be 100% safe just like you’ll never be 100% risk free driving on the highway. But staying vigilant and diligent about best practices can help

  3. Phil June 25, 2017 at 8:55 pm #

    A text message was received? – if Google authenticator or even better Authy is used then the code changes every 30 seconds, which would make it almost impossible – Especially if entering the code just before it changes

    • M. Mënon June 28, 2017 at 4:39 pm #

      LOL! That’s exactly what I am thinking. The above article assumes that the hacker is sitting around 24/7 waiting for you to access your email sometime in the future and click on that link. Furthermore, the article fails to mention that the many browsers alert you if the page you are entering information into is not secure. These kinds of articles do more harm than good – because they give lazy internet users one more reason to not mess with 2FA.

      • Jack Busch June 28, 2017 at 6:03 pm #

        Regarding waiting around 24/7, it’s entirely feasible that he could’ve had a script automate the log in after the passcode was entered and then stayed logged in. Or, send the text message to him. Or something.

        As for the browser alerting him that it wasn’t secure, why wouldn’t it be secure? A phisher can create a fake lookalike Google login page and buy a TLS certificate and blam, it shows up green on your browser.

        e.g.:

        https://www.wired.com/2017/04/sneaky-exploit-allows-phishing-attacks-sites-look-secure/

        Transcript from this episode:

        ALEX BLUMBERG: Yeah, so how does that work? So what did he do? He–he was like–what- what–what was I putting my actual two-factor authentication code into?

        PHIA: What you put it into is his own little page that then forwarded it–

        ALEX BLUMBERG: That’s on his computer.

        PHIA: Yeah. So, that’s on a server. And, when you put in your username and your password on his page, he just immediately forwarded that to a real Gmail login. And from there, because he put in your username and password, a two-factor code was texted to you.

        And, when you then put that again into his fake page, he immediately put that into the real Gmail login page and he was completely into your Gmail. And the server he was using was actually based in New York, so if you check where you’ve recently signed into Gmail, it will show a New York-based location, which is what Daniel says, they would really do if it was a targeted phishing attempt.

        • Daniel Boteanu June 29, 2017 at 12:59 pm #

          That’s exactly what happened. The phishing server was programmed to send the two-factor code to Google the instant it received it from the user, to establish an authenticated session under that account. Everything was pre-programmed to work without user intervention after the phishing emails were sent.

          This was not just a theoretical test, it was done in practice and, without spoiling the episode, a session was established on Alex’s Google account. His Google account history page would even show that.

          This is not to say that two-factor authentication is not a good idea. Having two-factor authentication is better than not having it, especially if you use the Authenticator app on your phone, but it does not render you unhackable.

  4. John-Y128 June 26, 2017 at 6:14 am #

    “The domain was legitimate, so it wouldn’t have gotten picked up by a spam filter.” Wasn’t the domain changed from @gimletmedia.com to @gimletrnedia.com, making it illegitimate and eligible for a spam filter?

    • jack June 26, 2017 at 6:04 pm #

      By that, I meant that the email header wasn’t forged. That is, you send it from server B and pretend it’s being sent from server A. The phisher really had registered an email server at gimletrnedia.com, so a spam filter, which would easily pick up a forged email header, didn’t flag it for that reason.

      • John-Y128 June 27, 2017 at 5:46 am #

        Thanks, seems there is no way anybody can avoid these problems, except by unplugging.

  5. Chuck June 29, 2017 at 9:18 am #

    That’s why I use Yubico Y2F, a fake site wouldn’t understand it.

  6. Bob Spencer June 29, 2017 at 1:59 pm #

    Nothing special here. This is done by all phishing frameworks and is a trick so old… :/

  7. Martin July 5, 2017 at 12:58 pm #

    Well, as usual, the problem is and will continue to be Layer 8.

  8. Glenn Charles July 26, 2017 at 3:13 pm #

    Someone over at PCMag (as I recall) did that about two years back. However, in this case what he did was CALL Google and sweet-talk someone (by sounding convincing enough and knowing some of the verifications for “lost password”) into changing the reference phone number–and, of course, he’d lost his password. It took him “about half an hour” but wasn’t particularly hard. Social factors are security’s biggest enemy, from honey pots to habits.

  9. Eby T August 18, 2017 at 6:20 am #

    nice post
