Sneaky phishing campaign beats two-factor authentication

From nakedsecurity.sophos.com

Protecting an account with multi-factor authentication (MFA) is a no-brainer, but that doesn’t mean every method for doing this is equally secure.

Take SMS authentication, for example, which in recent years has been undermined by man-in-the-middle and man-in-the-browser attacks that capture the texted code and replay it before it expires, and by SIM swap fraud, in which the attacker tricks the mobile provider into moving the victim's number onto a SIM the attacker controls.
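As an added illustration (not code from the Sophos post, the Certfa report or the campaign itself), the Python below simulates the man-in-the-middle relay behind the attacks mentioned above: the phishing page forwards the victim's password to the real site, the real site texts a code to the victim, the victim types it into the phishing page, and the attacker submits it within the validity window. The site accepts it because a texted code is a bearer secret with no tie to where it was typed. The same relay against an origin-bound second factor fails, because the authenticator's response covers the origin the browser is actually on. The origins, user, password and keys are constructed sample data, and the HMAC over a shared key is a stand-in for the public-key signature a FIDO/WebAuthn authenticator would produce.

```python
"""Toy simulation of a real-time phishing relay against SMS one-time codes.

Added illustration; not code from Certfa, Sophos or the campaign described.
Origins, the user, the password and the device key are constructed. The
origin-bound path uses an HMAC over a shared key as a stand-in for the
public-key signature a FIDO/WebAuthn authenticator produces; the binding to
the browser's origin is the property being demonstrated.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://mail.example.com"    # assumed legitimate login origin
PHISH_ORIGIN = "https://mail-example.com"   # assumed look-alike phishing origin


class LegitimateServer:
    """The real mail provider: password check, then a second factor."""

    def __init__(self):
        self.passwords = {"alice": "correct horse battery staple"}  # constructed
        self.device_keys = {"alice": secrets.token_bytes(32)}       # constructed
        self.pending_sms = {}        # user -> six-digit code sent to the phone
        self.pending_challenge = {}  # user -> random challenge for the authenticator

    def login_password(self, user, password):
        if self.passwords.get(user) != password:
            return False
        self.pending_sms[user] = f"{secrets.randbelow(10**6):06d}"
        self.pending_challenge[user] = secrets.token_bytes(16)
        return True

    def deliver_sms(self, user):
        # Stand-in for the carrier delivering the code to the victim's handset.
        return self.pending_sms[user]

    def challenge_for(self, user):
        return self.pending_challenge[user]

    def verify_sms(self, user, code):
        # The code is a bearer secret: whoever presents it within the window wins.
        return hmac.compare_digest(self.pending_sms.get(user, ""), code)

    def verify_origin_bound(self, user, tag):
        # Recompute over the server's own origin, so a response produced while
        # the browser was on any other origin cannot match.
        expected = hmac.new(self.device_keys[user],
                            self.pending_challenge[user] + REAL_ORIGIN.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Victim:
    """Alice, who types whatever the page in front of her asks for."""

    def __init__(self, server):
        self.user, self.password = "alice", "correct horse battery staple"
        self.key = server.device_keys["alice"]  # her authenticator's secret

    def respond(self, challenge, browser_origin):
        # The authenticator binds its response to the origin the browser reports;
        # Alice does not have to notice which site she is on.
        return hmac.new(self.key, challenge + browser_origin.encode(),
                        hashlib.sha256).digest()


def sms_relay(server, victim):
    """Attacker's proxy page relays the password, then the SMS code, in real time."""
    if not server.login_password(victim.user, victim.password):  # typed into phishing page, replayed
        return False
    code = server.deliver_sms(victim.user)       # real site texts Alice; she types it into the phishing page
    return server.verify_sms(victim.user, code)  # attacker submits it before it expires -> accepted


def origin_bound_relay(server, victim):
    """Same proxy, but the second factor is an origin-bound authenticator response."""
    if not server.login_password(victim.user, victim.password):
        return False
    challenge = server.challenge_for(victim.user)  # attacker forwards the real challenge
    tag = victim.respond(challenge, PHISH_ORIGIN)  # Alice's browser is on the phishing origin
    return server.verify_origin_bound(victim.user, tag)  # -> rejected


def origin_bound_direct(server, victim):
    """Alice logging in at the real site, for comparison."""
    if not server.login_password(victim.user, victim.password):
        return False
    tag = victim.respond(server.challenge_for(victim.user), REAL_ORIGIN)
    return server.verify_origin_bound(victim.user, tag)  # -> accepted


def run():
    server = LegitimateServer()
    victim = Victim(server)
    return {
        "sms_relay": sms_relay(server, victim),
        "origin_bound_relay": origin_bound_relay(server, victim),
        "origin_bound_direct": origin_bound_direct(server, victim),
    }


if __name__ == "__main__":
    for name, ok in run().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The simulation leaves out the timing of the real attack (the attacker has to submit the code before it expires) and the SIM swap variant, which needs no relay at all because the code is delivered straight to the attacker's handset; neither changes the conclusion that a code the user can be talked into retyping is only as strong as the page they retype it into.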

This week, researchers at Certfa Lab said they’d detected a recent campaign by the Iranian ‘Charming Kitten’ group (previously blamed for the 2017 HBO hack) that offers the latest warning that SMS authentication is not the defence it once was.

The targets in this campaign were high-value individuals such as US Government officials, nuclear scientists, journalists, human rights campaigners, and think tank employees.

Certfa's evidence comes from servers used by the attackers, which contained a list of 77 Gmail and Yahoo email addresses, some of which were apparently compromised despite having SMS verification turned on.

We don’t normally get a chance to peer inside attacks that are as targeted as this one, let alone ones prodding 2FA for weaknesses.