If you’re an at-risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account.

Hackers can bypass these protections, as we’ve seen with leaked NSA documents on how Russian hackers targeted US voting infrastructure companies. But a new Amnesty International report gives more insight into how some hackers break into Gmail and Yahoo accounts at scale, even those with two-factor authentication (2FA) enabled.

They do this by automating the entire process, with a phishing page not only asking a victim for their password, but also triggering a 2FA code that is sent to the target’s phone. That code is also phished, and then entered into the legitimate site so the hacker can log in and steal the account.

The news acts as a reminder that although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message, with some users likely needing to switch to a more robust method.

“Virtually in that way they can bypass any token-based 2FA if no additional mitigations are implemented,” Claudio Guarnieri, a technologist at Amnesty, told Motherboard in an online chat.

2FA adds another layer of authentication to your account. With token-based 2FA, you may have an app that generates a code for you to enter when logging in from an unknown device, or, perhaps most commonly, the service will send a text message containing a short code that you then type into your browser.

This sort of 2FA is great for protecting against password reuse. That is, if a hacker obtains one of your passwords from a data breach and then tries that password on your other accounts, 2FA means the hacker is probably not going to break in without taking some further steps. Many lower-level hackers are likely to just stop trying at that point.

But token-based 2FA is not a failsafe. It’s increasingly clear that as well as trying to steal your passwords through deceptive phishing pages, hackers may try and pinch your 2FA code too. And by automating the process, hackers can steal and use your 2FA token just like you would, entering it into the legitimate Google site or another one in seconds.

In this latest case, Amnesty estimates that hackers have targeted more than a thousand Google and Yahoo accounts across the Middle East and North Africa throughout 2017 and 2018. The attacks are likely originating from among the Gulf countries, and display similarities to a hacking campaign, found by researchers at Citizen Lab, that targets dissidents in the United Arab Emirates, Amnesty’s report reads.

The phishing starts normally, with a fake Gmail page asking the target for their password. Once the target enters that, the hacker’s infrastructure directs the victim to another page, alerting them that they had been sent a 2FA code via SMS to the phone they registered to their account.

“Sure enough, our configured phone number did receive an SMS message containing a valid Google verification code,” Amnesty’s report reads. The phishing page then asks the victim to enter their 2FA code. Some phishing pages asked the victim to verify their phone number, while others did not, Guarnieri said.

Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

In its investigation, Amnesty found the servers hosting the Gmail and Yahoo phishing sites had exposed file directories, revealing exactly what process the hackers had used to phish targets’ credentials and 2FA tokens. The phishing tool essentially carries out what a user would usually accomplish with a web browser, meaning the specific URLs the hackers’ tools visited are included in their Chrome history. Although the URLs in the report relate to a hijacking of a Yahoo account, Guarnieri told Motherboard the process is the same for Gmail.

To perhaps visualise this better, there is no hacker sitting behind a keyboard, waiting for the victim to hand over their details. No one is furiously entering the 2FA code while it is still valid. Instead, the process automates all of that, with servers whirring away ready to do the work.

Behind the scenes, the hackers’ servers take the victim’s phished credentials and enter them into the legitimate email service, which then returns a request for a 2FA code (the real service then sends the code to the user’s phone). The hackers’ server asks the victim for that code, which the hacker then passes back to the real service in order to log in, all at around the same speed it would take to log in ordinarily. The hackers’ tool then automatically creates an App Password—a separate password that lets third-party applications have access to the email account—so the hackers can maintain a hold on the user’s account.
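The App Password step leaves a trace a defender can look for: a new app password created seconds after a 2FA login from an address the account has never used. The sketch below is an added example, not taken from Amnesty's report; the events are constructed and the field names are a hypothetical audit-log schema, not any provider's real format.

```python
from datetime import datetime, timedelta

# Constructed audit events; field names are hypothetical, not a real log schema.
EVENTS = [
    {"ts": "2018-12-01T09:00:00", "user": "alice", "type": "login_2fa_ok", "ip": "198.51.100.7"},
    {"ts": "2018-12-03T14:10:02", "user": "alice", "type": "login_2fa_ok", "ip": "203.0.113.50"},
    {"ts": "2018-12-03T14:10:09", "user": "alice", "type": "app_password_created", "ip": "203.0.113.50"},
    {"ts": "2018-12-02T08:00:00", "user": "bob", "type": "login_2fa_ok", "ip": "192.0.2.10"},
    {"ts": "2018-12-04T08:30:00", "user": "bob", "type": "login_2fa_ok", "ip": "192.0.2.10"},
    {"ts": "2018-12-04T11:45:00", "user": "bob", "type": "app_password_created", "ip": "192.0.2.10"},
]

def suspicious_app_passwords(events, window=timedelta(seconds=60)):
    """Flag app passwords created within `window` of a 2FA login from an IP new to that user."""
    seen_ips = {}    # user -> IPs used in earlier successful logins
    last_login = {}  # user -> (time, ip, ip_was_new) for the most recent login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        if ev["type"] == "login_2fa_ok":
            known = seen_ips.setdefault(user, set())
            # A user's very first login counts as "new"; seed a baseline in practice.
            last_login[user] = (ts, ip, ip not in known)
            known.add(ip)
        elif ev["type"] == "app_password_created" and user in last_login:
            login_ts, login_ip, was_new = last_login[user]
            if was_new and ip == login_ip and ts - login_ts <= window:
                alerts.append((user, ip, int((ts - login_ts).total_seconds())))
    return alerts

if __name__ == "__main__":
    for user, ip, gap in suspicious_app_passwords(EVENTS):
        print(f"{user}: app password created {gap}s after first login from {ip}")
```
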

Although the examples Amnesty found were geared towards tokens sent via SMS, Guarnieri said the same approach could potentially be used to phish codes from a 2FA app such as Google Authenticator.

In another case, Amnesty says it found the hackers’ infrastructure automatically taking a Yahoo account and then transferring it over to Gmail, using a legitimate migration service called ShuttleCloud. This “allows the attackers to automatically and immediately generate a full clone of the victim’s Yahoo account under a separate Gmail account under their control,” the report reads.

On Thursday, in a separate investigation focused on the Iranian government-linked hacking group known as Charming Kitten, cybersecurity firm Certfa documented how another campaign has attempted to steal 2FA tokens. The hackers “direct their targets to the fake Google login page, which the users enter their credential details including 2 factor authentication,” the report reads.

An alternative to this phishable 2FA, as the Amnesty report notes, is for at-risk people to use a hardware security token instead. This is a small device that typically plugs into your computer via USB, and authenticates your identity that way. Yubico sells a variety of these tokens called YubiKeys, and Google’s own Advanced Protection Program, which locks down an account from using third-party applications, has its own hardware token. (When reached for comment, Google pointed to this Advanced Protection Program, as well as Google prompt, another form of 2FA.)
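Why a hardware token resists this, seen from the service's side, in an added example that is not from the report: a one-time code verifies the same wherever the user typed it, while a security key's response covers the origin the browser was actually on. The origins, secrets and challenge are constructed, and HMAC stands in for the public-key signature that real U2F/WebAuthn keys produce.

```python
import hashlib
import hmac
import struct

SERVICE_ORIGIN = "https://accounts.example.com"           # hypothetical real service
LOOKALIKE_ORIGIN = "https://accounts.example-login.test"  # constructed look-alike

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme authenticator apps use."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def service_accepts_code(secret: bytes, submitted: str, now: int) -> bool:
    # The service sees only the digits; nothing records where they were typed.
    return hmac.compare_digest(totp(secret, now), submitted)

def key_sign(key_secret: bytes, challenge: bytes, browser_origin: str) -> bytes:
    # Toy security key. The browser, not the user, supplies the origin.
    # HMAC stands in for the public-key signature a real key produces.
    msg = challenge + b"|" + browser_origin.encode()
    return hmac.new(key_secret, msg, hashlib.sha256).digest()

def service_accepts_assertion(key_secret: bytes, challenge: bytes, assertion: bytes) -> bool:
    expected = key_sign(key_secret, challenge, SERVICE_ORIGIN)
    return hmac.compare_digest(expected, assertion)

def demo() -> dict:
    secret, key_secret = b"constructed-totp-seed", b"constructed-key-secret"
    now, challenge = 1_545_000_000, b"constructed-challenge"
    typed_on_lookalike = totp(secret, now)  # user copies the code by hand
    via_lookalike = key_sign(key_secret, challenge, LOOKALIKE_ORIGIN)
    via_real_site = key_sign(key_secret, challenge, SERVICE_ORIGIN)
    return {
        "code_forwarded": service_accepts_code(secret, typed_on_lookalike, now + 5),
        "key_forwarded": service_accepts_assertion(key_secret, challenge, via_lookalike),
        "key_direct": service_accepts_assertion(key_secret, challenge, via_real_site),
    }

if __name__ == "__main__":
    print(demo())
```
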

A Yahoo spokesperson told Motherboard in an email, "The threat landscape is continually evolving, and we are committed to evolve with it to help keep our users secure. In 2015, we launched Yahoo Account Key, which does not utilize SMS, and encourage users to adopt this form of authentication."

On the investigated phishing campaign, Guarnieri, the Amnesty technologist, said, “this particular setup is imperfect, but the lesson fundamentally is that with enough automation and enough care, these mechanisms can be bypassed and it is not a capability reserved to the big sophisticated actors.”