Gmail, from Google, is one of the main services that use this login method
Network security and ethical hacking specialists from the International Institute of Cyber Security warn that malicious actors have been refining their phishing campaigns to the point where they are able to bypass multi-factor authentication.
“There has been a significant increase in the number of phishing attacks capable of bypassing two-factor authentication (2FA)”, experts commented.
This phishing variant works by tricking the victim into revealing both their password and the one-time code that protects their email account. That one-time code is normally very hard for attackers to obtain, since it is sent to the phone number linked to the account and expires less than a minute later.
A few months ago, Amnesty International detected a group of hackers who managed to bypass two-factor authentication using an automated phishing tool capable of capturing the codes and submitting them to the legitimate platform. Subsequently, a network security expert released a set of open source tools that work in a similar way.
Because this one-time code is sent via SMS, any technique for intercepting those messages can be used to complete the attack. In other words, this form of two-factor authentication is only as strong as the SMS channel that delivers the code.
Google, which uses this authentication system for its Gmail service, is running a hacking prevention campaign, mainly by blocking logins from unknown locations. The company has also warned users about emails carrying malicious links or attachments.
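The "block logins from unknown locations" control mentioned above can be illustrated with a small risk check over login history. The following is an added example written for this article, not Google's own logic; the users, countries, device identifiers and the three-way allow/challenge/block policy are all constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    """One authentication attempt as a detection pipeline might see it."""
    user: str
    country: str     # geolocation of the source address
    device_id: str   # browser/device cookie or fingerprint
    success: bool


# Constructed sample history of successful logins (not real data).
HISTORY = [
    LoginEvent("alice", "ES", "laptop-1", True),
    LoginEvent("alice", "ES", "phone-1", True),
    LoginEvent("alice", "FR", "laptop-1", True),
    LoginEvent("alice", "US", "kiosk-3", False),   # failed attempts never become "known"
    LoginEvent("bob", "MX", "desktop-7", True),
]


def known_locations(history):
    """Build, per user, the set of (country, device) pairs seen on successful logins."""
    known = {}
    for event in history:
        if event.success:
            known.setdefault(event.user, set()).add((event.country, event.device_id))
    return known


def assess_login(known, event):
    """Return 'allow', 'challenge' or 'block' for a new login attempt.

    - allow:     exact (country, device) pair seen before
    - challenge: country OR device is familiar; re-prompt for the second factor
                 and notify the user rather than silently accepting
    - block:     neither the country nor the device has ever been seen for this user
    """
    seen = known.get(event.user, set())
    if (event.country, event.device_id) in seen:
        return "allow"
    countries = {country for country, _ in seen}
    devices = {device for _, device in seen}
    if event.country in countries or event.device_id in devices:
        return "challenge"
    return "block"


if __name__ == "__main__":
    known = known_locations(HISTORY)
    for attempt in [
        LoginEvent("alice", "ES", "laptop-1", True),
        LoginEvent("alice", "FR", "phone-1", True),
        LoginEvent("alice", "BR", "kiosk-9", True),
        LoginEvent("carol", "ES", "laptop-1", True),
    ]:
        print(attempt.user, attempt.country, attempt.device_id, "->", assess_login(known, attempt))
```

In practice the history store would be keyed on more signals than country and device (ASN, time of day, impossible-travel distance), but the shape of the decision is the same: a login that matches nothing the account has done before is the one to stop, and a partially familiar one is the one to re-verify.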
According to network security specialists, the best way to prevent this kind of attack is with hardware solutions such as USB security keys. These devices eliminate the need to receive a code by SMS, because the hardware itself acts as the second authentication factor.
By Google policy, for example, all of its employees carry one of these security keys and, although they are not cheap, cybersecurity experts reaffirm that, so far, this is the best way to prevent phishing attacks.
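Why a hardware key resists the relay described above while an SMS code does not comes down to one property: the SMS code is a bearer secret that any party can submit, whereas a security key signs the server's challenge together with the origin the browser is actually on. The following added example (written for this article; it is not code from Google, Amnesty International or any tool the text mentions) models both flows. The origins, usernames and the use of HMAC in place of a real FIDO signature are assumptions made so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed origins: the legitimate login site and a look-alike host.
LEGIT_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com"


class SmsOtpServer:
    """Server-side verification of a one-time code delivered by SMS.

    The code is a bearer secret: whoever submits it before it expires is
    accepted, so a page that forwards the victim's code in real time
    passes the check.
    """

    def __init__(self):
        self._pending = {}

    def issue_code(self, username):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = code
        return code  # delivered to the user's phone

    def verify(self, username, submitted_code):
        expected = self._pending.pop(username, None)  # single use
        return expected is not None and hmac.compare_digest(expected, submitted_code)


def origin_bound_assertion(credential_secret, challenge, origin):
    """Toy authenticator response: a MAC over the server challenge and the
    origin the browser reports. Real FIDO keys sign with a private key;
    HMAC stands in here (an assumption of this example)."""
    client_data = f"{challenge}|{origin}".encode()
    return hmac.new(credential_secret, client_data, hashlib.sha256).digest()


class OriginBoundServer:
    """Relying party holding the registered credential; it only accepts an
    assertion produced for its own origin."""

    def __init__(self, origin, credential_secret):
        self.origin = origin
        self._secret = credential_secret
        self._challenges = {}

    def issue_challenge(self, username):
        challenge = secrets.token_hex(16)
        self._challenges[username] = challenge
        return challenge

    def verify(self, username, assertion):
        challenge = self._challenges.pop(username, None)  # single use
        if challenge is None:
            return False
        expected = origin_bound_assertion(self._secret, challenge, self.origin)
        return hmac.compare_digest(expected, assertion)


def sms_code_relayed():
    """Victim types the SMS code into the look-alike page, which submits it to
    the real server inside the validity window. Returns the server's verdict."""
    server = SmsOtpServer()
    code = server.issue_code("alice")        # arrives on Alice's phone
    relayed = code                           # entered on the wrong site, forwarded unchanged
    return server.verify("alice", relayed)   # accepted: nothing ties the code to a site


def hardware_key_relayed():
    """Same relay against an origin-bound key. The real challenge is forwarded,
    but Alice's browser is on PHISH_ORIGIN, so the assertion covers the wrong
    origin and the legitimate server rejects it."""
    secret = secrets.token_bytes(32)
    server = OriginBoundServer(LEGIT_ORIGIN, secret)
    challenge = server.issue_challenge("alice")
    assertion = origin_bound_assertion(secret, challenge, PHISH_ORIGIN)
    return server.verify("alice", assertion)


def hardware_key_direct():
    """Control case: the same key used on the legitimate origin is accepted."""
    secret = secrets.token_bytes(32)
    server = OriginBoundServer(LEGIT_ORIGIN, secret)
    challenge = server.issue_challenge("alice")
    assertion = origin_bound_assertion(secret, challenge, LEGIT_ORIGIN)
    return server.verify("alice", assertion)


if __name__ == "__main__":
    print("SMS code relayed through look-alike page accepted:", sms_code_relayed())
    print("Hardware key assertion from look-alike origin accepted:", hardware_key_relayed())
    print("Hardware key on legitimate origin accepted:", hardware_key_direct())
```

The decisive line is the one where the browser, not the user, supplies the origin to the authenticator: a user can be talked into typing a code on the wrong site, but cannot be talked into making their browser report a different origin than the one it is on. That is the property the article's experts are relying on when they recommend security keys over SMS codes.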
The news about these phishing variants is a reminder to every user of how important it is to check what arrives in their inbox. The operators of these campaigns will always try to impersonate legitimate services, such as streaming platforms or third-party applications; it is up to each user to distinguish legitimate from malicious content and to know how to act when they come across a phishing attempt.
Information security specialist, currently working as a risk infrastructure specialist and investigator.
15 years of experience in risk and control processes, security audit support, business continuity design and support, workgroup management and information security standards.