A recent phishing campaign targeting US government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday. The event underscores the risks of 2fa that relies on one-tap logins or one-time passwords, particularly if the latter are sent in SMS messages to phones.

Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets’ level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into a real login page. In the event targets’ accounts were protected by 2fa, the attackers redirected targets to a new page that requested a one-time password.

“In other words, they check victims’ usernames and passwords in realtime on their own servers, and even if 2 factor authentication such as text message, authenticator app or one-tap login are enabled they can trick targets and steal that information too,” Certfa Lab researchers wrote.

In an email, a Certfa representative said company researchers confirmed that the technique successfully breached accounts protected by SMS-based 2fa. The researchers were unable to confirm the technique succeeded against accounts protected by 2fa that transmitted one-time passwords in apps such as Google Authenticator or a compatible app from Duo Security.

“We’ve seen [it] tried to bypass 2fa for Google Authenticator, but we are not sure they’ve managed to do such a thing or not,” the Certfa representative wrote. “For sure, we know hackers have bypassed 2fa via SMS.”

One-time passwords can be phished, but not security keys

In theory, there’s little reason the technique shouldn’t work against Google Authenticator and other 2fa apps that either transmit a one-time password or ask people to click an approval button. Once a target enters a password on what she believes is the authentic Gmail or Yahoo Mail site, she will either open the 2fa app as instructed in the fake redirection or get a push notification from the phone app. As long as the target responds within an allotted amount of time (usually 30 seconds), the attackers will gain access. The only thing 2fa has done in this scenario is add an extra step.

The notable exception is that this attack is impossible, at least in theory, against 2fa that uses an industry-standard security key. These keys connect through a computer USB or by using Bluetooth or Near Field Communication on a phone. Gmail and other types of Google accounts currently have the ability to work with keys that conform to U2F, a standard developed by an industry consortium known as the Fido Alliance. A two-year study of more than 50,000 Google employees concluded that the security keys beat smartphones and most other forms of two-factor verification in both security and ease of use.
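The difference between the two kinds of 2fa comes down to what the service is able to check. The sketch below is an added illustration, not code from Certfa or from any service named in the article: it implements a standard RFC 6238 one-time password check next to a simplified U2F-style assertion check. As assumptions, an HMAC stands in for the ECDSA signature a real U2F key produces (so the server here shares the key rather than holding a public key), and the origins, secret, key and challenge are constructed placeholder values.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the shared secret and the clock only."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    # No input here records which web page the user typed the code into.
    return hmac.compare_digest(totp(secret, now), submitted)

def key_sign(key: bytes, app_id: str, client_data: bytes) -> bytes:
    """Security-key side. ASSUMPTION: HMAC stands in for U2F's ECDSA signature."""
    msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

def assertion_from_page(key: bytes, page_origin: str, challenge: str):
    # The browser, not the user, writes the requesting page's origin into the
    # client data, and the key signs over it.
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin}).encode()
    return client_data, key_sign(key, page_origin, client_data)

def server_accepts_assertion(key, expected_origin, challenge, client_data, sig) -> bool:
    data = json.loads(client_data)
    if data["origin"] != expected_origin or data["challenge"] != challenge:
        return False  # signed for a different site or a different login attempt
    return hmac.compare_digest(key_sign(key, expected_origin, client_data), sig)

def demo() -> dict:
    # Constructed sample values; the origins are placeholders, not real services.
    real, lookalike = "https://login.example.com", "https://login.example.net"
    secret, key, now, challenge = b"constructed-secret", b"constructed-key", 1_545_000_000, "c-123"
    code = totp(secret, now)  # the same six digits wherever the user types them
    good = assertion_from_page(key, real, challenge)
    bad = assertion_from_page(key, lookalike, challenge)
    return {
        "totp_code_from_any_page": server_accepts_totp(secret, code, now + 29),
        "key_used_on_real_page": server_accepts_assertion(key, real, challenge, *good),
        "key_used_on_lookalike_page": server_accepts_assertion(key, real, challenge, *bad),
    }

if __name__ == "__main__":
    print(demo())
```

The one-time password verifies because it carries no trace of where it was entered, while the assertion produced on the look-alike origin fails the origin comparison before the signature is even examined.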

Google also offers an Advanced Protection Program that requires security keys to be used as the sole means of 2fa when accessing Gmail and other types of Google accounts. While that’s a step many organizations may not be ready to adopt, it still makes sense for ordinary people to get in the habit of using a security key as much as possible even though app-based 2fa remains available as a fall-back form of authentication. The goal of this strategy is to train users to be suspicious if the site they’re logging into tells them to use their 2fa app instead of the key they normally use.

The phishing campaign reported by Certfa was effective for other reasons besides its bypass of 2fa. For instance, it hosted malicious pages on sites.google.com and sent emails from addresses such as notifications.mailservices@gmail.com and noreply.customermails@gmail.com to give the impression the content was officially connected to Google. The phishers also dedicated more than 20 separate Internet domains to better match their targets’ use of email services on computers and phones.

Certfa said some of the domains and IP addresses used in the campaign connect the phishers to “Charming Kitten,” a hacker group previously linked to the Iranian government. The latest campaign started weeks before the US reimposed sanctions on Iran’s government in early November. The phishing targeted individuals who are involved in the sanctions as well as politicians, civil and human rights activists, and journalists around the world. According to the Associated Press, targets included high-profile defenders, detractors, and enforcers of the nuclear deal struck between Washington and Tehran, Arab atomic scientists, Iranian civil society figures, Washington think-tank employees, and more than a dozen US Treasury officials.