Here at groovyPost, we are constantly pushing 2-step authentication as a way to secure your online accounts. I’ve been using 2-factor Gmail authentication for quite some time and I must say, it makes me feel very safe. For those who don’t use it, 2-step authentication means you have to use your password to log in and one other unique code (usually sent via text, phone call, or an app like Google Authenticator). True, it’s a bit of a pain, but it feels worth it to me. I’ve actually seen instances where it’s stymied a hacking attempt (that is, I got 2-factor texts on my phone when I wasn’t trying to log in, which means someone correctly entered my password).
So, the other week, it shocked me when I heard on the Reply All podcast that a hacker had successfully phished someone using 2-step Gmail verification. This was in the episode entitled What Kind of Idiot Gets Phished? It’s a great episode, so I won’t spoil it for you by telling who the “idiot” was, but I will tell you some of the tricks they used.
1. Look-alike domain names
The hacker had permission from the show’s producers to try to hack the staff, but had no insider access to their servers. The first step to pwning their targets was spoofing a coworker’s email address. See, the person whose email they spoofed was:
The email address that the phisher used was this:
Can you tell the difference? Depending on the font, you may not have noticed that the word “media” in the domain name is actually spelled r-n-e-d-i-a. The r and n smushed together look like an m. The domain was a legitimately registered one, so it wouldn’t have gotten picked up by a spam filter.
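The r-n-for-m trick above is something a mail filter can catch mechanically: collapse the letter pairs that imitate another glyph and compare the result against the domains you actually trust. The following is an added example (not code from groovyPost or from the podcast), written in Python; the trusted domain and the sender addresses are constructed placeholders, and the confusable table is a small assumed subset rather than the full Unicode confusables list.

```python
"""Flag sender domains that imitate a trusted domain via confusable glyphs.

Added example. Domains below are constructed placeholders; the
confusable table is an assumed, deliberately small subset.
"""

import unicodedata

# Multi-character sequences that read as a single glyph in many fonts.
# Order matters only in that each rule is applied to the whole string.
CONFUSABLE_PAIRS = [
    ("rn", "m"),   # the case from the article: r-n-e-d-i-a vs m-e-d-i-a
    ("vv", "w"),
    ("cl", "d"),
    ("1", "l"),
    ("0", "o"),
]

# Single non-Latin letters that render like Latin ones (assumed subset).
HOMOGLYPHS = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
}


def skeleton(domain: str) -> str:
    """Reduce a domain to the shape a human would perceive."""
    d = unicodedata.normalize("NFKC", domain).lower().strip(".")
    d = "".join(HOMOGLYPHS.get(ch, ch) for ch in d)
    for seq, glyph in CONFUSABLE_PAIRS:
        d = d.replace(seq, glyph)
    return d


def sender_domain(address: str) -> str:
    """Extract the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_sender(address: str, trusted_domains) -> tuple:
    """Classify a sender as 'trusted', 'lookalike' or 'unknown'.

    Returns (verdict, matched_trusted_domain_or_None). An exact match is
    checked first so that a trusted domain containing 'rn' is never
    flagged as imitating itself.
    """
    dom = sender_domain(address)
    trusted = {t.lower() for t in trusted_domains}
    if dom in trusted:
        return ("trusted", dom)
    sk = skeleton(dom)
    for t in trusted:
        if skeleton(t) == sk:
            return ("lookalike", t)
    return ("unknown", None)


# Constructed sample data: one trusted domain and a few inbound senders.
TRUSTED_DOMAINS = {"teammedia.example"}
SAMPLE_SENDERS = [
    "producer@teammedia.example",      # genuine coworker
    "producer@teamrnedia.example",     # r-n spelling of "media"
    "producer@te\u0430mmedia.example",  # Cyrillic a in "team"
    "someone@unrelated.example",       # no relation to the trusted domain
]


def scan(senders=SAMPLE_SENDERS, trusted=TRUSTED_DOMAINS) -> list:
    """Return one (address, verdict, matched) tuple per sender."""
    return [(s,) + check_sender(s, trusted) for s in senders]


if __name__ == "__main__":
    for address, verdict, matched in scan():
        print(f"{verdict:9}  {address}  (matches: {matched})")
```

A look-alike verdict is a strong signal to quarantine or at least visibly warn on, because the sending domain really is registered and passes ordinary spam checks, exactly as in the story. The skeleton is applied to both sides of the comparison, so a trusted domain that happens to contain one of the sequences is only ever matched against its own exact spelling.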
2. Convincing Attachments and Body Text
The trickiest part of the phishing email was that it sounded extremely legit. Most of the time, you can spot a shady email from a mile away by its weird characters and broken English. But this phisher pretended to be a producer sending a piece of audio to a team for editing and approval. Coupled with the convincing domain name, it seemed very believable.
3. Fake 2-Step Gmail Login Page
This was the tricky one. One of the attachments sent appeared to be a PDF in Google Docs. When the victim clicked the attachment, it prompted them to log into Google Docs, which sometimes happens even when you’re already logged into Gmail (or so it seems).
And here’s the clever part.
The phisher created a fake login page that sent a real 2-factor authentication request to Google’s real server, so the victim got a text message just like normal and, when prompted, entered the code into the fake login page. The phisher then used that code to gain access to their Gmail account.
So, does this mean 2-factor authentication is broken?
I’m not saying that 2-step authentication doesn’t do its job. I still feel safer and more secure with 2-factor enabled, and I’m going to keep it that way. But hearing this episode made me realize that I’m still vulnerable. So, consider this a cautionary tale. Don’t get overconfident, and layer on the security measures to protect yourself from the unimaginable.
Oh, by the way, the genius hacker from the story is: @DanielBoteanu
Do you use 2-step authentication? What other security measures do you use?