Hackers are getting smarter in fooling us all, and now they are using sophisticated hacking schemes to get into your Gmail.
Yes, Iranian hackers have now discovered a new way to fool Gmail's tight security system by bypassing its two-step verification – a security process that requires a security code (generally sent via SMS) along with the password in order to log into Gmail account.
Researchers at Citizen Lab released a report on Thursday which shows how the hackers are using text messages and phone-based phishing attacks to circumvent Gmail's security and take over the Gmail accounts of their targets, specifically political dissidents.
The report detailed and elaborated three types of phishing attacks aimed at Iranian activists. Researchers also found one such attack targeting Jillian York, the Director for International Freedom of Expression at the Electronic Frontier Foundation.
Here's How the Attack Works
Via Text Messages:
In some cases, the hackers use text messages and send it to their targets. The message appears to come from Google, which warns users of an unauthorized attempt to access their Gmail accounts.
The text message then follows a carefully crafted email notification, also disguised to be from Google, that redirects victims to a "Password Reset Page," designed to collect the victim's password.
The hackers then, in real time, use the password to login to the victim's account and trigger the sending of a security code to the target.
Gmail uses this security code as a two-factor authentication that adds an extra layer of security on top of a Gmail user's password.
After this, the hackers wait for the targeted victim to enter the code and then collect it through the bogus website, and then use it to take control of the victim's Gmail account.
Via Phone Call:
In other cases, the hackers contact a target over the phone regarding some fake business proposals that usually promises thousands of dollars.
The fake proposal is then send to the victim's Gmail account containing a fake Google Drive link that would prompt a victim to login with the Google credentials as well as the two-factor identification code, just like in the case of the text messages.
The users fell for the phishing attacks, as some hackers pretend to be Reuters journalists who wanted to arrange an interview.
Attempts to fool two-factor authentication security are nothing new. We have seen hackers releasing millions of Gmail usernames and passwords on underground online forums.