So, the other week, it shocked me when I heard on the Reply All podcast that a hacker had successfully phished someone using 2-step Gmail verification. This was in the episode entitled What Kind of Idiot Gets Phished? It’s a great episode, so I won’t spoil it for you by telling who the “idiot” was, but I will tell you some of the tricks they used.

1. Look alike domain names

The hacker had permission from the show’s producers to try to hack the staff, but no insider access to their servers. The first step to pwning their targets was spoofing a coworker’s email address. The person whose email they spoofed was phia@gimletmedia.com. The email address the phisher used was phia@gimletrnedia.com. Can you tell the difference? Depending on the font, you may not have noticed that the word “media” in the domain name is actually spelled r-n-e-d-i-a: the r and n smushed together look like an m. The lookalike domain was a real, registered domain, so the email wouldn’t have gotten picked up by a spam filter.
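One defensive check this suggests is to compare the sender domain against your own trusted domains after collapsing sequences that render like another letter, so that gimletrnedia.com is flagged as a lookalike of gimletmedia.com rather than treated as an unknown external domain. This is an added example, not code from the original post; the confusable table and the classify_sender helper are constructed for illustration.

```python
"""Flag sender domains that look like a trusted domain after confusable
normalisation. Added example; the confusable tables are a constructed starting
point, not an exhaustive list."""
from email.utils import parseaddr

# Letter sequences that look like a single letter in many fonts.
CONFUSABLE_SEQUENCES = {
    "rn": "m",   # gimletrnedia -> gimletmedia, the trick described above
    "vv": "w",   # vvebsite -> website
}
# Single characters that look like an ASCII letter.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "|": "l", "!": "i"})


def skeleton(domain: str) -> str:
    """Collapse a domain to its visual 'skeleton' so lookalikes compare equal."""
    s = domain.lower().translate(CONFUSABLE_CHARS)
    for seq, rep in CONFUSABLE_SEQUENCES.items():
        s = s.replace(seq, rep)
    return s


def sender_domain(header_from: str) -> str:
    """Return the domain part of an RFC 5322 From: header value."""
    _, addr = parseaddr(header_from)
    return addr.rpartition("@")[2].lower()


def classify_sender(header_from: str, trusted_domains: set[str]) -> str:
    """'trusted' for an exact trusted domain, 'lookalike' when the domain only
    matches a trusted one after confusable normalisation, else 'external'."""
    dom = sender_domain(header_from)
    if dom in trusted_domains:
        return "trusted"
    if skeleton(dom) in {skeleton(t) for t in trusted_domains}:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    trusted = {"gimletmedia.com"}
    # Constructed From: headers mirroring the addresses in the post.
    for hdr in ("phia@gimletmedia.com", "Phia <phia@gimletrnedia.com>", "bob@example.net"):
        print(f"{hdr:35} -> {classify_sender(hdr, trusted)}")
```

A mail gateway would typically quarantine or tag a "lookalike" result; this only catches ASCII-sequence tricks, so internationalised (Unicode) homographs need a separate confusables table.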

2. Convincing Attachments and Body Text

The trickiest part of the phishing email was that it sounded extremely legit. Most of the time, you can spot a shady email from a mile away by its weird characters and broken English. But this phisher pretended to be a producer sending a piece of audio to a team for editing and approval. Coupled with the convincing domain name, it seemed very believable.

3. Fake 2-Step Gmail Login Page

This was the tricky one. One of the attachments appeared to be a PDF in Google Docs. When the victim clicked the attachment, it prompted them to log into Google Docs, as you sometimes have to do even when you’re already logged into Gmail (or so it seems). And here’s the clever part. The phisher’s login page was completely fake, but it forwarded the username and password the victim typed to Google’s real login, which triggered a real 2-factor authentication request. So, the victim got a text message just like normal, and then, when prompted, put the code into the fake login page. The phisher relayed that code as well and gained access to their Gmail account. Phished.

So, does this mean 2-factor authentication is broken?

I’m not saying that 2-step authentication doesn’t do its job. I still feel safer and more secure with 2-factor enabled, and I’m going to keep it that way. But hearing this episode made me realize that I’m still vulnerable. So, consider this a cautionary tale. Don’t get overconfident, and layer on the security measures to protect yourself from the unimaginable.

Oh, by the way, the genius hacker from the story is: @DanielBoteanu

Do you use 2-step authentication? What other security measures do you use?

Comments

I will be grateful if anyone lets me know the best settings and add-ons (with their optimum settings) for Firefox. I also use Epic Browser (uses Bing and so search results remain limited vis-à-vis Google). Thanks.

http://blog.trendmicro.com/trendlabs-security-intelligence/phishing-safety-is-https-enough/

As depressing as it is though, you’ll never be 100% safe, just like you’ll never be 100% risk free driving on the highway. But staying vigilant and diligent about best practices can help.

As for the browser alerting him that it wasn’t secure, why wouldn’t it be secure? A phisher can create a fake lookalike Google login page and buy a TLS certificate and blam, it shows up green on your browser. e.g.: https://www.wired.com/2017/04/sneaky-exploit-allows-phishing-attacks-sites-look-secure/

Transcript from this episode:

ALEX BLUMBERG: Yeah, so how does that work? So what did he do? He–he was like–what- what–what was I putting my actual two-factor authentication code into?

PHIA: What you put it into is his own little page that then forwarded it–

ALEX BLUMBERG: That’s on his computer.

PHIA: Yeah. So, that’s on a server. And, when you put in your username and your password on his page, he just immediately forwarded that to a real Gmail login. And from there, because he put in your username and password, a two-factor code was texted to you. And, when you then put that again into his fake page, he immediately put that into the real Gmail login page and he was completely into your Gmail. And the server he was using was actually based in New York, so if you check where you’ve recently signed into Gmail, it will show a New York-based location, which is what Daniel says they would really do if it was a targeted phishing attempt.

This was not just a theoretical test, it was done in practice and, without spoiling the episode, a session was established on Alex’s Google account. His Google account history page would even show that. This is not to say that two-factor authentication is not a good idea. Having two-factor authentication is better than not having it, especially if you use the Authenticator app on your phone, but it does not render you unhackable.
