Securing your online accounts with two-factor authentication can be an effective way to ward off hackers. But the system isn't perfect. One mysterious group has been defeating the account protection in attempts to phish upwards of 1,000 people, according to the human rights group Amnesty International.

The group today published a report documenting the phishing attacks, which have been targeting journalists and activists based in the Middle East and North Africa through the use of phony emails and login pages.

The goal behind the attacks has been to trick victims into handing over access to their Google and Yahoo accounts, even when SMS-based two-factor authentication is in place. "What makes these campaigns especially troubling is the lengths to which they go to subvert the digital security strategies of their targets," Amnesty International said in its report.

For the uninitiated, two factor-authentication is a safeguard designed to protect your online account in the event your password is stolen. It works like this: when you try to access the account, you not only have to enter your login credentials, but also a special one-time passcode that's been generated over your phone.

Unfortunately, the special passcodes generated by two-factor authentication systems are usually just a string of a random numbers, which can make them easy to phish; all the hacker has to do is to trick you into giving up the special codes.

Amnesty International said the group of hackers they've been tracking pulls this off by sending out fake but convincing security alerts that look like they came from Google or Yahoo. The alerts will claim the victim's account may have been breached and provide a link to an official-looking login page to initiate a password reset.

"To most users a prompt from Google to change passwords would seem a legitimate reason to be contacted by the company, which in fact it is," Amnesty International said. But in reality, the login pages are fake.

The hackers created the phony process to both phish the victim's password and the special two-factor authentication code. Amnesty International has been investigating the scheme based on suspicious emails the group has been receiving from human rights activists and journalists. To test out the attacks, the group created a disposable Google account and then clicked through one of the phishing emails.

"Sure enough, our configured phone number did receive an SMS message containing a valid Google verification code," Amnesty said in its report.

The group also investigated how the hackers were creating their phishing schemes and noticed that the mysterious group accidentally made public an online directory they were using to host their attacks. The information revealed the hackers were using web application testing tools to automate the phishing process.

"Essentially, they built an 'auto-pilot' system that would launch Chrome and use it [to] automatically submit the login details phished from the user to the targeted service, including two-step verification codes sent for example via SMS," said Claudio Guarnieri, a technologist at Amnesty, in a tweet.

The hackers' automated process is important because it lets them input the special one-time passcode into the real Google or Yahoo login page, before the time-limit on the passcode runs out.

Typically those concerned about getting 2FA codes via SMS can also do so via an authenticator app, which serves up codes that change every few seconds. Amnesty did not immediately respond to PCMag's request for comment about whether this affects such apps, but a technologist there told Motherboard that "the same approach could potentially be used to phish codes from a 2FA app such as Google Authenticator."

The human rights group still recommends people adopt two-factor authentication, but to be aware that the system does have limitations. So don't be fooled into thinking you're completely safe. For example, government-sponsored hackers have the resources to create elaborate phishing schemes to crack the safeguard. They can also attempt to infect your PC with malware.

However, it is important that especially individuals at risk are aware of the limitations of certain mitigations. Telling them that with any 2FA they are safe is incorrect and might lower their level of caution and ironically expose them even more to competent attackers. — nex (@botherder) December 19, 2018

"Individuals at risk, human rights defenders above all, are very often targets of phishing attacks and it is important that they are equipped with the right knowledge," Amnesty said.

If you have extra money to spend, you can also invest in a security key to protect your online accounts. They work by substituting the two-factor authentication process with a hardware-based device, which needs to be inserted into your PC to log into the protected account. The big plus of a security key is that it's pretty hard for a hacker to steal; to do so, the attacker has to personally come and physically take it from you.

You can learn more about how they work here. Unfortunately, one key can cost between $25 to $50. Not every online service supports them either. But you can use them to protect your accounts on Google, Facebook, Dropbox, and Twitter.

Further Reading

Security Reviews