A Phisher Hacked Gmail’s Two-Factor Authentication – Here’s How He Did It

2-step verification makes your Google account much harder to break into. But it doesn’t make you invincible.

Here at groovyPost, we are constantly pushing 2-step authentication as a way to secure your online accounts. I’ve been using 2-factor Gmail authentication for quite some time and I must say, it makes me feel very safe. For those who don’t use it, 2-step authentication means that, in addition to your password, you have to enter one other unique code to log in (usually sent via text or phone call, or generated by an app like Google Authenticator). True, it’s a bit of a pain, but it feels worth it to me. I’ve actually seen instances where it’s stymied a hacking attempt (that is, I got 2-factor texts on my phone when I wasn’t trying to log in, which means someone had correctly entered my password).

So, the other week, it shocked me when I heard on the Reply All podcast that a hacker had successfully phished someone who was using 2-step verification on Gmail. This was in the episode entitled What Kind of Idiot Gets Phished? It’s a great episode, so I won’t spoil it for you by telling who the “idiot” was, but I will tell you some of the tricks they used.

1. Look-alike domain names

The hacker had permission from the show’s producers to try to hack the staff, but no insider access to their servers. The first step to pwning the targets was impersonating a coworker’s email address. See, the address of the person they impersonated was:

phia@gimletmedia.com

The email address that the phisher used was this:

phia@gimletrnedia.com

Can you tell the difference? Depending on the font, you may not have noticed that the word “media” in the second domain is actually spelled r-n-e-d-i-a. An r and an n smushed together look like an m. And the look-alike domain was really registered and the mail really came from it, with nothing forged in the headers, so the checks a spam filter uses to catch forged senders had nothing to flag.
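A quick way to catch this class of look-alike, as an added example that is not part of the original post: reduce each sender domain to the string a reader actually sees (confusable pairs such as rn collapsed to m, accents stripped, case folded) and compare that skeleton against the domains you trust. The allowlist, the confusable table and the sample addresses are constructed for the demo.

```python
# Added example for this article: a look-alike check for sender domains such
# as gimletrnedia.com. Illustrative code, not Gimlet's or Google's tooling;
# the allowlist and the sample addresses below are constructed for the demo.
import re
import unicodedata

# Character sequences that render like a single letter in many fonts, plus
# common digit-for-letter swaps. Longest sequences are applied first.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed allowlist of domains the recipient actually trusts.
TRUSTED_DOMAINS = {"gimletmedia.com", "google.com"}


def skeleton(domain: str) -> str:
    """Reduce a domain to the string a human 'sees': case-folded, accents
    stripped, and confusable sequences replaced by the letter they imitate.
    Two domains with the same skeleton look alike even if they differ."""
    d = unicodedata.normalize("NFKD", domain.strip().lower().rstrip("."))
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for seq in sorted(CONFUSABLES, key=len, reverse=True):
        d = d.replace(seq, CONFUSABLES[seq])
    return d


def sender_domain(address: str) -> str:
    """Domain part of a From: value such as 'Phia <phia@gimletrnedia.com>'."""
    m = re.search(r"@([^\s>]+)", address)
    if not m:
        raise ValueError(f"no domain in {address!r}")
    return m.group(1).lower()


def classify(address: str) -> str:
    """'trusted' for an exact allowlist match, 'lookalike' when only the
    skeleton matches a trusted domain (the gimletrnedia case), else 'unknown'."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    sk = skeleton(domain)
    if any(skeleton(t) == sk for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for addr in ("phia@gimletmedia.com", "Phia <phia@gimletrnedia.com>",
                 "phia@gimletmedia.co", "alex@example.org"):
        print(f"{addr:40} {classify(addr)}")
```

This is a heuristic, not a filter: it only tells you that a domain imitates one you trust, which is exactly the case that header-forgery checks miss. The confusable table is deliberately small; a production check would also fold Unicode homoglyphs from other scripts.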

2. Convincing Attachments and Body Text

The trickiest part of the phishing email was that it sounded extremely legit. Most of the time, you can spot a shady email from a mile away by its weird characters and broken English. But this phisher pretended to be a producer sending a piece of audio to a team for editing and approval. Coupled with the convincing domain name, it seemed very believable.

3. Fake 2-Step Gmail Login Page

This was the tricky one. One of the attachments appeared to be a PDF in Google Docs. When the victim clicked it, a page prompted them to log into Google Docs, as you sometimes legitimately have to do even when you’re already logged into Gmail, so the prompt didn’t look out of place.

And here’s the clever part.

The phisher’s fake login page didn’t just collect what the victim typed; it relayed it, the instant it arrived, to Google’s real login. Google saw a correct username and password and sent a real text message to the victim’s real phone. The victim, still on the fake page, typed the code in, and the fake page forwarded that too, so it was the phisher’s server, not the victim’s browser, that ended up holding the signed-in Gmail session. Nothing in Google’s flow was broken: the code went to the right person, who handed it to the wrong website. This kind of live relay is now generally called an adversary-in-the-middle phish.

Phished.
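To make the relay concrete, and to answer the natural objection that a 30-second code should expire before the phisher can use it, here is an added simulation that is not code from the article, the show or Google. A mock login server issues a TOTP-style code; a mock phishing page forwards the password and then the code the moment the victim types them. The same harness then shows a security-key style step in which the browser, not the page, tells the key which origin it is signing for, so the relayed response is rejected. Hostnames, secrets and the HMAC used in place of the key’s real ECDSA signature are stand-ins.

```python
# Added example for this article: a simulation of the real-time relay used
# against password + texted code, beside an origin-bound security-key step the
# same relay cannot forward. Illustrative code, not Google's or the phisher's
# software; hostnames, secrets and the HMAC "signature" are constructed stand-ins.
import hashlib
import hmac
import secrets
import struct

STEP = 30  # one-time codes are valid for a 30-second window


def one_time_code(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP (SHA-1, 6 digits) for the window containing `now`.
    An SMS code behaves the same here: short-lived, but a live relay is faster."""
    counter = struct.pack(">Q", now // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def key_sign(key_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for the ECDSA assertion a U2F/FIDO key makes. The browser, not
    the web page, supplies `origin`, so the key signs where the user really is."""
    return hmac.new(key_secret, challenge + origin.encode(), hashlib.sha256).digest()


class RealLoginServer:
    ORIGIN = "https://accounts.google.com"  # stand-in for the genuine login host

    def __init__(self):
        self.users = {}    # user -> {"pw", "otp", "key"}
        self.pending = {}  # user -> outstanding key challenge

    def register(self, user, password):
        self.users[user] = {"pw": password, "otp": secrets.token_bytes(20),
                            "key": secrets.token_bytes(32)}

    def check_password(self, user, password) -> bool:
        u = self.users.get(user)
        return u is not None and hmac.compare_digest(u["pw"], password)

    def text_code_to_phone(self, user, now) -> str:
        """The genuine SMS. The relay never sees it; the victim types it in."""
        return one_time_code(self.users[user]["otp"], now)

    def finish_with_code(self, user, code, now):
        if hmac.compare_digest(code, one_time_code(self.users[user]["otp"], now)):
            return secrets.token_hex(8)  # session token
        return None

    def key_challenge(self, user) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def finish_with_key(self, user, signature):
        """Verify over (challenge || OUR origin): a signature the browser made
        for a phishing origin never matches, however fast it is relayed."""
        expected = key_sign(self.users[user]["key"], self.pending.pop(user), self.ORIGIN)
        return secrets.token_hex(8) if hmac.compare_digest(signature, expected) else None


class PhishingRelay:
    """Fake login page on the look-alike domain; forwards everything instantly."""
    ORIGIN = "https://accounts.gimletrnedia.com"

    def __init__(self, real: RealLoginServer):
        self.real, self.user, self.stolen = real, None, None

    def victim_types_password(self, user, password) -> bool:
        if self.real.check_password(user, password):  # forwarded to the real server
            self.user = user
            return True
        return False

    def victim_types_code(self, code, now):
        self.stolen = self.real.finish_with_code(self.user, code, now)
        return self.stolen


def relay_sms_login(delay_seconds=1) -> bool:
    """True if the attacker ends up with a session. Forwarding within a second
    beats the 30-second window; only a store-and-replay-later attacker loses."""
    real = RealLoginServer(); real.register("alex", "hunter2")
    relay = PhishingRelay(real)
    t0 = 1_700_000_010  # start of a window (divisible by 30)
    relay.victim_types_password("alex", "hunter2")
    code = real.text_code_to_phone("alex", t0)
    return relay.victim_types_code(code, t0 + delay_seconds) is not None


def relay_key_login(victim_origin=PhishingRelay.ORIGIN) -> bool:
    """Same relay against a security key. The browser hands the key the origin
    it is really on, so a response made on the phishing page fails to verify."""
    real = RealLoginServer(); real.register("alex", "hunter2")
    relay = PhishingRelay(real)
    relay.victim_types_password("alex", "hunter2")
    challenge = real.key_challenge("alex")  # relay passes it through unchanged
    signature = key_sign(real.users["alex"]["key"], challenge, victim_origin)
    return real.finish_with_key("alex", signature) is not None
```

The code window only protects against an attacker who stores a code and uses it later; a relay that forwards in about a second is done long before it expires. The origin-bound step is the property that makes U2F/FIDO keys phishing-resistant: the key never learns the password or the code, and what it signs names the site the browser is actually on.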

So, does this mean 2-factor authentication is broken?

I’m not saying that 2-step authentication doesn’t do its job. I still feel safer and more secure with 2-factor enabled, and I’m going to keep it that way. But hearing this episode made me realize that I’m still vulnerable. So, consider this a cautionary tale: a code is only as safe as the address bar you type it into, so look at the domain before you enter one, and know that second factors which check the site’s origin (hardware security keys) won’t answer a fake page at all. Don’t get overconfident, and layer on the security measures to protect yourself from the unimaginable.

Oh, by the way, the genius hacker from the story is: @DanielBoteanu

Do you use 2-step authentication? What other security measures do you use?

17 Comments

  1. Vic

    June 20, 2017 at 12:42 pm

    I do use two-party authentication but I only access websites by typing the name in, not clicking on links.

  2. Lotus

    June 20, 2017 at 5:57 pm

    What then are the additional measures to be taken? How do we secure surfing the web with Google? Both issues need to be dealt with. Google is still offering a better search result compared to DuckDuckGo.

    I will be grateful if anyone lets me know the best settings and add-ons (with their optimum settings) for Firefox. I also use Epic Browser (uses Bing and so search results remain limited vis a vis Google). Thanks,

    • Jack Busch

      June 23, 2017 at 6:52 pm

      You can spot a phishing site by checking to see if it is https. In Chrome and other modern browsers, the URL bar will be green. Note that phishers sometimes use https, so click the lock icon to verify that the publisher is who you expect it is. More info:

      https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-safety-is-https-enough/

      As depressing as it is though, you’ll never be 100% safe just like you’ll never be 100% risk free driving on the highway. But staying vigilant and diligent about best practices can help

  3. Phil

    June 25, 2017 at 8:55 pm

    A text message was received? If Google Authenticator or, even better, Authy is used, then the code changes every 30 seconds, which would make it almost impossible, especially if entering the code just before it changes.

    • M. Mënon

      June 28, 2017 at 4:39 pm

      LOL! That’s exactly what I am thinking. The above article assumes that the hacker is sitting around 24/7 waiting for you to access your email sometime in the future and click on that link. Furthermore, the article fails to mention that many browsers alert you if the page you are entering information into is not secure. These kinds of articles do more harm than good, because they give lazy internet users one more reason to not mess with 2FA.

      • Jack Busch

        June 28, 2017 at 6:03 pm

        Regarding waiting around 24/7, it’s entirely feasible that he could’ve had a script automate the log in after the passcode was entered and then stayed logged in. Or, send the text message to him. Or something.

        As for the browser alerting him that it wasn’t secure, why wouldn’t it be secure? A phisher can create a fake lookalike Google login page and buy a TLS certificate and blam, it shows up green on your browser.

        e.g.:

        https://www.wired.com/2017/04/sneaky-exploit-allows-phishing-attacks-sites-look-secure/

        Transcript from this episode:

        ALEX BLUMBERG: Yeah, so how does that work? So what did he do? He–he was like–what- what–what was I putting my actual two-factor authentication code into?

        PHIA: What you put it into is his own little page that then forwarded it–

        ALEX BLUMBERG: That’s on his computer.

        PHIA: Yeah. So, that’s on a server. And, when you put in your username and your password on his page, he just immediately forwarded that to a real Gmail login. And from there, because he put in your username and password, a two-factor code was texted to you.

        And, when you then put that again into his fake page, he immediately put that into the real Gmail login page and he was completely into your Gmail. And the server he was using was actually based in New York, so if you check where you’ve recently signed into Gmail, it will show a New York-based location, which is what Daniel says they would really do if it was a targeted phishing attempt.

        • Daniel Boteanu

          June 29, 2017 at 12:59 pm

          That’s exactly what happened. The phishing server was programmed to send the two-factor code to Google the instant it received it from the user, to establish an authenticated session under that account. Everything was pre-programmed to work without user intervention after the phishing emails were sent.

          This was not just a theoretical test, it was done in practice and, without spoiling the episode, a session was established on Alex’s Google account. His Google account history page would even show that.

          This is not to say that two-factor authentication is not a good idea. Having two-factor authentication is better than not having it, especially if you use the Authenticator app on your phone, but it does not render you unhackable.

  4. John-Y128

    June 26, 2017 at 6:14 am

    “The domain was legitimate, so it wouldn’t have gotten picked up by a spam filter.” Wasn’t the domain changed from @gimletmedia.com to @gimletrnedia.com, making it illegitimate and eligible for a spam filter?

    • jack

      June 26, 2017 at 6:04 pm

      By that, I meant that the email header wasn’t forged. That is, you send it from server B and pretend it’s being sent from server A. The phisher really had registered an email server at gimletrnedia.com, so a spam filter, which would easily pick up a forged email header, didn’t flag it for that reason.

      • John-Y128

        June 27, 2017 at 5:46 am

        Thanks, seems there is no way anybody can avoid these problems, except by unplugging.

  5. Chuck

    June 29, 2017 at 9:18 am

    That’s why I use Yubico U2F; a fake site wouldn’t understand it.

  6. Bob Spencer

    June 29, 2017 at 1:59 pm

    Nothing special here. This is done by all phishing frameworks and is a trick so old… :/

  7. Martin

    July 5, 2017 at 12:58 pm

    Well, as usual, the problem is and will continue to be Layer 8.

  8. Glenn Charles

    July 26, 2017 at 3:13 pm

    Someone over at PCMag (as I recall) did that about two years back. However, in this case what he did was CALL Google and sweet-talk someone (by sounding convincing enough and knowing some of the verifications for “lost password”) into changing the reference phone number–and, of course, he’d lost his password. It took him “about half an hour” but wasn’t particularly hard. Social factors are security’s biggest enemy, from honey pots to habits.

  9. Eby T

    August 18, 2017 at 6:20 am

    nice post

    • Jack Busch

      August 18, 2017 at 6:39 am

      Thanks

  10. noneof yourbusiness

    December 4, 2017 at 1:24 am

    I do not use 2FA because it mostly runs across an outdated telephony infrastructure that the Telcos refuse to upgrade. And there are countless incidents where someone gets hacked due to their blind faith that 2FA is actually secure. It is a band-aid / speed bump attempt to patch the larger issue of online security that does not work. Let’s not kid ourselves — 2FA is essentially a 2nd “password” so having 2 passwords instead of 1 is simply more cumbersome for the end user and takes slightly more time for nefarious access. Sorry, but end users falling for scams is on that user, and end users that cannot be bothered to put secure passwords on something like their bank account instead of “fluffy14”, again I blame the end user. We have had the Internet for 20+ years now and grown adults act like children needing their hands held because they are too lazy to care about securing their critical content.