In the ever-changing cat-and-mouse game that is cyber security, one of the latest "good guy" weapons has had its weakness exposed. Two-factor authentication, thought to be a major improvement, is in its most common forms now little more than an extra step an attacker must work around.

A recent campaign by the Iranian "Charming Kitten" group (previously blamed for the 2017 HBO hack) that targeted US government officials, activists, and journalists is notable for using a technique that let the attackers bypass the two-factor authentication offered by services such as Gmail and Yahoo Mail. The event underscores the risks of 2FA that relies on one-tap logins or one-time passwords, particularly when the latter are sent to phones by SMS.

The attackers collected detailed information on their targets and used it to write spear-phishing emails tailored to each target's level of operational security. The campaign was built around the old idea of sending a fake security alert from a plausible-looking sender address. Google sends out alerts from time to time, so some people would be fooled by that alone, but the attackers employed other tweaks to boost their odds even further, such as:

  • Hosting phishing pages and files on a Google sub-domain, so the links pointed at a host the target already trusted.
  • Sending the email alert as a clickable image hosted on Firefox Screenshots rather than as URL text that might trip Google's anti-phishing filters.
  • Tracking who opened the emails by embedding a tiny 1×1 "beacon" pixel hosted and monitored from an external website (marketers have used this technique for years, which is why turning automatic image loading off in email clients is a good idea).
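The last two tricks are visible in the raw message itself. The following scanner, added to this article as an illustration and not taken from the Certfa report, the attackers, or any mail provider, parses a constructed sample message and flags remote images, 1×1 or hidden beacons, and links whose only content is an image. Every host name in the sample is made up.

```python
"""Constructed example, added to this article: flag the two email tricks listed
above (an image-only link and a 1x1 tracking pixel) in a raw message.  It is not
code from the Certfa report, the attackers, or any mail provider; the sample
message and every host name in it are made up."""
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: a fake "security alert" whose only link is an image,
# plus an invisible beacon that fires when the client fetches remote images.
SAMPLE_EMAIL = """\
From: "Google" <no-reply@accounts-alert.example.net>
To: victim@example.com
Subject: Security alert
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Suspicious sign-in attempt detected.</p>
<a href="https://verify.example.net/alert"><img src="https://screenshots.example.org/alert.png" width="600" height="300"></a>
<img src="https://tracker.example.org/open.gif?id=8c1f" width="1" height="1" style="display:none">
</body></html>
"""


class MailScanner(HTMLParser):
    """Walk the HTML body and record remote images, beacons and image-only links."""

    def __init__(self):
        super().__init__()
        self.findings = []        # (kind, url) tuples
        self._link_href = None    # href of the <a> we are currently inside
        self._link_text = 0       # non-whitespace characters seen inside that <a>
        self._link_images = 0     # <img> tags seen inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._link_href = a.get("href") or ""
            self._link_text = 0
            self._link_images = 0
        elif tag == "img":
            src = a.get("src") or ""
            if src.startswith(("http://", "https://")):
                w, h = (a.get("width") or "").strip(), (a.get("height") or "").strip()
                tiny = w in ("0", "1") and h in ("0", "1")
                hidden = "display:none" in (a.get("style") or "").replace(" ", "")
                # A remote image fetched on open tells the sender when you read the
                # mail; a 1x1 or hidden one exists for no other reason.
                self.findings.append(("tracking_pixel" if tiny or hidden else "remote_image", src))
            if self._link_href is not None:
                self._link_images += 1

    def handle_data(self, data):
        if self._link_href is not None:
            self._link_text += len(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._link_href is not None:
            # A link whose only content is an image shows the reader no URL text
            # and gives text-based URL filters nothing to match.
            if self._link_images and self._link_text == 0:
                self.findings.append(("image_only_link", self._link_href))
            self._link_href = None


def scan_message(raw: str) -> list:
    """Return findings for the HTML body of a raw RFC 5322 message ([] if it has no HTML part)."""
    msg = email.message_from_string(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    scanner = MailScanner()
    scanner.feed(html_part.get_content())
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, url in scan_message(SAMPLE_EMAIL):
        print(f"{kind:17} {url}")
```

On the sample above the scanner reports one remote image, one image-only link, and one tracking pixel. A check like this belongs at a mail gateway or in triage tooling; on the client side the fix is the one the article gives, which is simply not fetching remote images until you ask for them, so the beacon never fires.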

The tracking pixel is the key to how the attackers broke 2FA: it alerted them in real time as targets opened the messages. When a target entered a password into the fake Gmail or Yahoo security page, the attackers entered the same credentials into the real login page almost simultaneously. If the account was protected by 2FA, they redirected the target to a new page requesting the one-time password.

At this stage the game is mostly over. Because the attackers are driving the genuine site in real time, a genuine SMS is sent to the victim's phone in response to the attacker's login request. When the target types the SMS verification code into the fake page, the attackers immediately relay it to the real page and they're in. With an authenticator app the process is virtually the same: the fake page asks for the six-digit code, and the attacker submits it to the real site. The code rotates every 30 seconds, but a relay that takes a few seconds is comfortably inside that window, and most servers also accept the previous code to allow for clock drift, so the attacker has even more slack than the app suggests. The newer prompts that ask you to pick the number shown on your phone are no better: the number the real site displays is simply copied onto the fake page, and if the victim taps the matching number within the window, the attacker's login is approved. Classic man-in-the-middle, a real-time phishing proxy sitting between the victim and the genuine site.

The one exception to this is an industry-standard security key. These keys connect through a computer's USB port or by Bluetooth or Near Field Communication on a phone. Gmail and other types of Google accounts currently work with keys that conform to U2F, a standard developed by an industry consortium known as the FIDO Alliance. The reason a key survives this attack is that the browser, not the user, tells the key which site it is talking to: the key's signature covers the origin of the page that asked for it, so an assertion produced on the phishing page is signed for the phishing domain and the real site rejects it. There is nothing for the victim to type and nothing for the attacker to relay. A two-year study of more than 50,000 Google employees concluded that security keys beat smartphones and most other forms of two-factor verification in both security and ease of use.
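To make the contrast between the two preceding paragraphs concrete, here is a constructed simulation, added to this article and not code from Google, the FIDO Alliance, or the attackers. It models a toy "real site", a toy security key, and a phishing proxy that relays whatever the victim produces. The TOTP code follows RFC 6238 exactly; the key's ECDSA signature is replaced by an HMAC over the same client data so the script needs only the standard library (that substitution is an assumption of the example, and the origin check is the point, not the signature algorithm). All credentials, origins, and secrets are made up.

```python
"""Constructed simulation of the real-time 2FA relay described above.

Added to this article; not the attackers' code or Google's.  The 'real site',
'phishing page' and 'security key' are toy stand-ins.  TOTP follows RFC 6238;
the key's ECDSA signature is replaced by HMAC-SHA256 over the same client data
so the script runs with the standard library only.  Origin binding is the point.
"""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://accounts.example.com"          # assumed genuine site
PHISH_ORIGIN = "https://accounts-alert.example.net"   # assumed attacker site
USER, PASSWORD = "victim", "correct horse"            # constructed credentials


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the code an authenticator app shows."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class RealSite:
    """Toy mail provider: password plus either a TOTP code or an origin-bound key assertion."""

    def __init__(self, totp_secret: bytes, key_secret: bytes) -> None:
        self.totp_secret = totp_secret
        self.key_secret = key_secret      # stand-in for the key's registered public key
        self.pending_challenges = set()

    def login_totp(self, user: str, password: str, code: str, now: int) -> bool:
        if (user, password) != (USER, PASSWORD):
            return False
        # Typical server tolerance: the current 30 s step and the one before it.
        return code in {totp(self.totp_secret, now), totp(self.totp_secret, now - 30)}

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending_challenges.add(challenge)
        return challenge

    def login_key(self, user: str, password: str, client_data: str, signature: str) -> bool:
        if (user, password) != (USER, PASSWORD):
            return False
        data = json.loads(client_data)
        if data.get("challenge") not in self.pending_challenges:
            return False                  # replayed or unknown challenge
        self.pending_challenges.discard(data["challenge"])
        if data.get("origin") != REAL_ORIGIN:
            return False                  # signed for a different site: relayed assertion
        expected = hmac.new(self.key_secret, client_data.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


class SecurityKey:
    """Toy U2F token: signs the challenge together with the origin the browser reports."""

    def __init__(self, key_secret: bytes) -> None:
        self.key_secret = key_secret

    def sign(self, browser_origin: str, challenge: str) -> tuple:
        # The browser fills in the origin; neither the user nor the page can change it.
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        return client_data, hmac.new(self.key_secret, client_data.encode(), hashlib.sha256).hexdigest()


def relay_totp(site: RealSite, totp_secret: bytes, victim_time: int, relay_delay: int) -> bool:
    """Victim types the app's code into the fake page at victim_time; attacker submits it relay_delay s later."""
    code = totp(totp_secret, victim_time)
    return site.login_totp(USER, PASSWORD, code, victim_time + relay_delay)


def relay_key(site: RealSite, key: SecurityKey, browser_origin: str) -> bool:
    """Attacker fetches a real challenge, forwards it to the page the victim is on, relays the assertion."""
    challenge = site.new_challenge()
    client_data, signature = key.sign(browser_origin, challenge)
    return site.login_key(USER, PASSWORD, client_data, signature)


def run_demo() -> dict:
    totp_secret = b"constructed-totp-seed"
    key_secret = b"constructed-key-secret"
    site = RealSite(totp_secret, key_secret)
    key = SecurityKey(key_secret)
    t = 1_700_000_000  # fixed timestamp so the run is deterministic
    return {
        "totp_relayed_in_5s": relay_totp(site, totp_secret, t, 5),
        "totp_relayed_in_90s": relay_totp(site, totp_secret, t, 90),
        "key_relayed_via_phish": relay_key(site, key, PHISH_ORIGIN),
        "key_used_on_real_site": relay_key(site, key, REAL_ORIGIN),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'attacker in' if ok else 'rejected'}")
```

Running it shows the asymmetry the article describes: a TOTP code relayed within a few seconds logs the attacker in, one relayed after the window fails, and the key assertion collected on the phishing origin is rejected even though the challenge itself came from the real site, while the same key on the real origin succeeds. The SMS and number-matching prompt cases are identical to the TOTP path from the relay's point of view, since in each the victim hands over a value the real site will accept as-is.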

Google also offers an Advanced Protection Program that requires security keys as the sole means of 2FA for Gmail and other types of Google accounts. While that's a step many organizations may not be ready to adopt, it still makes sense for ordinary users to get in the habit of using a security key as much as possible and keeping app-based 2FA only as a fallback. The goal of this strategy is to train users to be suspicious when a site that normally accepts their key suddenly tells them to use the 2FA app instead.

This particular attack was aimed at high-value targets who were thoroughly investigated beforehand. Considering the overhead the attackers had to employ, it is likely not a cost-effective methodology for going after common users... for the moment. This is PRECISELY why you need to take steps to prevent it NOW. It all comes down to training: you gotta THINK before you click that link!