password dump - Online Cyber Security News

Here's How Iranian Hackers Can Hack Your Gmail Accounts

Sunday, August 30, 2015 Swati Khandelwal

Hackers are getting smarter in fooling us all, and now they are using sophisticated hacking schemes to get into your Gmail.

Yes, Iranian hackers have now discovered a new way to fool Gmail's tight security system by bypassing its two-step verification – a security process that requires a security code (generally sent via SMS) along with the password in order to log into Gmail account.

Researchers at Citizen Lab released a report on Thursday which shows how the hackers are using text messages and phone-based phishing attacks to circumvent Gmail's security and take over the Gmail accounts of their targets, specifically political dissidents.

The report detailed and elaborated three types of phishing attacks aimed at Iranian activists. Researchers also found one such attack targeting Jillian York, the Director for International Freedom of Expression at the Electronic Frontier Foundation.

Here's How the Attack Works

Via Text Messages:

In some cases, the hackers use text messages and send it to their targets. The message appears to come from Google, which warns users of an unauthorized attempt to access their Gmail accounts.

The text message then follows a carefully crafted email notification, also disguised to be from Google, that redirects victims to a "Password Reset Page," designed to collect the victim's password.

The hackers then, in real time, use the password to login to the victim's account and trigger the sending of a security code to the target.

Gmail uses this security code as a two-factor authentication that adds an extra layer of security on top of a Gmail user's password.

After this, the hackers wait for the targeted victim to enter the code and then collect it through the bogus website, and then use it to take control of the victim's Gmail account.

Via Phone Call:

In other cases, the hackers contact a target over the phone regarding some fake business proposals that usually promises thousands of dollars.

The fake proposal is then send to the victim's Gmail account containing a fake Google Drive link that would prompt a victim to login with the Google credentials as well as the two-factor identification code, just like in the case of the text messages.

The users fell for the phishing attacks, as some hackers pretend to be Reuters journalists who wanted to arrange an interview.

Attempts to fool two-factor authentication security are nothing new. We have seen hackers releasing millions of Gmail usernames and passwords on underground online forums.

5 Million Gmail Usernames and Passwords Leaked online, Check Yours Now

Wednesday, September 10, 2014 Swati Khandelwal

Gmail credentials leaked online? Oh my God! Again I have to change my password…!! Yes, you heard right. Millions of Gmail account credentials (email address and password) have been stolen and made publicly available through an online forum, causing a large number of users worldwide to change their Gmail password again.

The website that published the email addresses with matching passwords is Russian. The credentials seem to be old and likely sourced from multiple data breaches. It is believed that the leaked passwords are not necessarily those used to access Gmail accounts, but seem to have been gathered from other websites where users used their Gmail addresses to register.

5 MILLION GMAIL CREDENTIALS LEAKED ONLINE

The news broke when a user posted a link to the log-in credentials on Reddit frequented by hackers, professional and aspiring. But the archive file containing nearly 5 million Gmail addresses and plain text passwords was posted on Russian Bitcoin security forum known as btcsec.com on Tuesday night by a user with the online alias “tvskit”, according to C News, a Russian news outlet.

The user who exposed Gmail users’ credentials said that almost 4.93 million accounts allegedly affected belong to English, Russian and Spanish users and claimed that over 60 percent of accounts are active.

This means, there is a silver lining in this leak, i.e., 40 percent of the passwords are invalid or out of date, which could be a good news for those Gmail users who have recently changed their passwords and are concerned about their account’s security – there’s a chance that they’re not at risk at all.

"We can't confirm that it is indeed as much as 60 percent, but a great amount of the leaked data is legitimate," said Peter Kruse, the chief technology officer of CSIS Security Group.

GOOGLE SAYS NO SECURITY BREACH

Google, on its part, believes that the usernames and passwords didn’t come from a security breach of its system. That means, the credentials had been stolen by phishing campaigns and unauthorized access to user accounts.

"It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," Google, which operates Gmail email service, explained in a post on its online security blog. "Often, these credentials are obtained through a combination of other sources."

"We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We've protected the affected accounts and have required those users to reset their passwords."

The leaked passwords not only give access to users’ Gmail accounts, but other Google services as well, including Google Drive, and the mobile payment system Google Wallet.

CHECK IF YOU ARE AFFECTED

A website called isleaked.com allows users to check if their email address is among those leaked. People who are concerned about the security of their account are advised to go ahead and change their password.

I already have Google two-factor authentication (2FA) enabled and recommend you same to do this for Google and other accounts. Many web services, including Gmail, Facebook, Twitter, Dropbox, Github and AWS, offer 2FA option, a security measure where users are required to provide a passcode sent to their mobile devices before any changes can be made to their account. This would prevent an attacker from logging in without access to a user’s smartphone.