Iranian hackers have found a way to circumvent Gmail’s sophisticated security system to target political dissidents, according to a report released Thursday.

ADVERTISEMENT

The report, by the Citizen Lab at the University of Toronto's Munk School of Global Affairs, details an elaborate phishing scheme that used phone and email to get around Google’s two-factor authentication process and hack targeted accounts.

Experts say that while the use of phishing schemes to fraudulently circumvent two-factor authentication is nothing new in the financial industry, the practice is less established in political attacks.

"It may be that, as a growing number of potential targets have begun using two-factor authentication on their email accounts out of a concern for their security, politically motivated attackers are borrowing from a playbook that financial criminals have written over the past decade," the report's authors write.

Citizen Lab senior research fellow John Scott-Railton told The Daily Beast that the targets include Iranian activists, including a director at the Electronic Frontier Foundation.

Iran has aggressively ramped up its cyber capabilities in the last four years. Researchers peg the country’s ability to launch a sophisticated cyberattack at a close fourth behind the U.S., Russia and China.

Here’s how the Iranian hackers gained access to targeted accounts, according to the report:

First, targets would receive text messages that appeared to be from Google, warning them that their accounts had been inappropriately accessed.

Then the hackers would send a follow-up email, also disguised to be from Google, directing targets to a “password reset page.” The password reset pages were phishing sites used to collect the target’s password.

Using the newly-acquired password, the hackers would log into the user’s account and trigger it to send the target an identification code, used as a second form of account security on top of a password.

Once the target entered the code in the fraudulent “password reset” website, the hackers could collect it and take control of the account.

Other attempts were done over the phone. Targets would receive a phone call regarding a fake business proposal. The fraudulent proposal would be sent to the target’s Gmail account with a fake Google Drive link that would prompt a login using the same phishing technique as the text message scheme.

Some of the hackers would pretend to be Reuters journalists who wanted to arrange an interview, Scott-Railton said.

The report emphasized the importance of two-factor authentication as these kinds of hacks grow.

There is one easy way to spot the fake password reset pages: Google uses https encryption. The hackers’ URL will begin with “http://”, not “https://”.