Certfa: Iranian state-backed hackers could bypass two-step verification in phishing attacks

Security company Certfa researchers report that Iranian state-backed hackers have recently used technology that can bypasses two-step certification for phishing attacks against US government officials, activists and journalists. This incident highlights the risk of SMS-based two-step authentication.

“Our investigation illustrates that the attackers are utilising different methods to carry out their attacks. These methods can be put into two categories:

1. Phishing attacks through unknown email or social media and messaging accounts
2. Phishing attacks through email or social media and messaging accounts of public figures, which have been hacked by the attackers“

By creating websites with the same design and look of Google Drive file sharing page, hackers pretend to be sharing a file with the user, which they should download and run it on their devices. They use hacked Twitter, Facebook and Telegram accounts to send these links and target new users. The truth is there is not any file and the hackers use this page to direct their targets to the fake Google login page, which the users enter their credential details including 2 factor authentication.

When the target enters a password on a fake Gmail or Yahoo Mail login page, the attacker can enter the login credentials on the real login page in real time. If the target account is protected by 2-step authentication, the attacker can redirect the target to a new page requesting a one-time password. The phishing domain and IP address used by the hacker are associated with the hacker organization Charming Kitten, which is associated with the Iranian government.

Image: certfa