Google and Yahoo have been targeted in new phishing attacks that are able to bypass two-factor authentication (2FA). Secure email services have also been targeted and successfully compromised by these attacks, researchers said in a report published by Amnesty International. The attackers appear to be using several methods to break into accounts belonging to users in the Middle East and North Africa.
Tricky Phishing Campaigns Bypass 2FA
The researchers believe that all the campaigns are carried out by the same group, which targets Human Rights Defenders (HRDs). One of the campaigns is targeting hundreds of Google and Yahoo accounts and has led to the successful bypass of common forms of 2FA. This campaign was active in 2017 and 2018, as evidenced by copies of phishing emails sent to HRDs and journalists in the above-mentioned regions.
Amnesty International obtained and investigated these copies and found that most targeted users were from the United Arab Emirates, Yemen, Palestine and Egypt. The phishing emails in this campaign used a specially crafted “security alert” that tricked targets into visiting malicious domains made to look like Google and Yahoo. What stands out in this operation is the method used to bypass 2FA and the registration of domains that strikingly resemble the original, legitimate services.
These fake sites also use transport encryption (HTTPS), so the browser shows the familiar padlock on the left side of the address bar, which users have for years been taught to look for when trying to tell legitimate sites from malicious ones, Amnesty International said.
Amnesty International has also identified several well-crafted phishing sites for the popular email services Tutanota and ProtonMail. These email service providers are marketed as “secure email” solutions and have consequently gained some traction among activists, so the phishing campaigns against them are indeed dangerous.
These sites contain several elements that make them especially difficult for targets to identify as fakes. For instance, the attackers managed to obtain the domain tutanota.org and used it to almost completely replicate the original website for the Tutanota service, which is actually located at tutanota.com, the researchers said in their report.
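The two warning signs the report singles out, a lookalike domain such as tutanota.org standing in for tutanota.com and a valid HTTPS padlock that says nothing about who owns the site, can be checked mechanically. The following added example is not from the Amnesty report or from any of the named providers; the allowlist and sample URLs are constructed here, and hosts under `.example` are placeholders.

```python
from urllib.parse import urlparse

# Services named in the report; this allowlist is constructed for the example.
LEGIT_DOMAINS = ("google.com", "yahoo.com", "tutanota.com", "protonmail.com")

def registered_domain(host):
    """mail.google.com -> google.com. Simplified: ignores multi-label
    public suffixes such as co.uk, which a production checker must handle."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url):
    """Return (verdict, matched_legit_domain). The URL scheme is parsed but
    never used as a trust signal: the phishing sites in the report served
    HTTPS and showed a valid padlock just like the real services."""
    host = urlparse(url).hostname or ""
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return ("legitimate", reg)
    sld = reg.split(".")[0]
    for legit in LEGIT_DOMAINS:
        legit_sld = legit.split(".")[0]
        if sld == legit_sld:                       # tutanota.org vs tutanota.com
            return ("tld_swap", legit)
        if edit_distance(sld, legit_sld) <= 2:     # e.g. yah00 vs yahoo
            return ("lookalike", legit)
    for legit in LEGIT_DOMAINS:
        if legit.split(".")[0] in host:            # brand used as a subdomain label
            return ("brand_embedded", legit)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample URLs: .example hosts are placeholders, tutanota.org is from the report.
    for u in ("https://mail.google.com/", "https://tutanota.org/login",
              "https://yah00.example/", "https://protonmail.secure-login.example/"):
        print(u, classify_url(u))
```

A real deployment would replace `registered_domain` with a public-suffix-aware parser and extend the allowlist from the organisation's own mail and identity providers.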