Domain Spoofing Offers a Way to Bypass 2FA

Amnesty International published a report providing insight into multiple phishing campaigns targeting Human Rights Defenders (HRDs) in the Middle East and North Africa. The campaigns focus on Google and Yahoo accounts and attempt to bypass two-factor authentication (2FA), also known as multi-factor authentication (MFA).

One campaign, dating back to 2017, appeared as a "security alert" email that lured victims to malicious domains masquerading as Google or Yahoo. Once on the site, users entered their credentials and their 2FA code. The phishing site relayed both to the threat actor immediately, so the account could be compromised before the one-time code expired.

A second campaign targeted email services that advertise themselves as secure, such as Tutanota and ProtonMail. In this case, threat actors registered domains that were almost identical to the legitimate ones and served them over TLS so that the browser displayed a padlock. These sites stole the user's account credentials while separately logging the user into the legitimate mail service, so the victim saw nothing unusual.

Phishing continues to be a major threat to organizations at all levels. The NJCCIC therefore highly recommends never using links provided in unsolicited emails to visit websites that require the input of account credentials. Instead, we advise visiting the account's associated website by typing the legitimate address directly into the URL field of your web browser. Although these campaigns show that MFA can be defeated by real-time phishing, we still highly recommend enabling MFA on all accounts that offer it for extra security. For more information and a list of indicators, review the Amnesty International report.
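The second campaign relied on domains that differ from the real provider's name by a character or two, or that look identical once a Unicode letter is swapped in. The check below is an added example of how a defender can triage observed hostnames (from proxy logs, mail URL rewriting, or certificate-transparency feeds) against a list of protected domains; it is not code from the Amnesty report or from the NJCCIC. It assumes an organisation-maintained allow-list of protected domains (a constructed list is embedded), uses a small constructed homoglyph/confusable table rather than a complete one, and simplifies registrable-domain extraction to the last two labels, so multi-label public suffixes such as co.uk are not handled.

```python
"""Flag look-alike domains that imitate a list of protected mail providers."""
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list of domains we want to protect (assumption: the
# organisation maintains such a list).
LEGITIMATE_DOMAINS = ("google.com", "yahoo.com", "tutanota.com", "protonmail.com")

# Small constructed table of ASCII substitutions common in typosquatting.
# Applied after Unicode folding so "g00gle" and "g\u043e\u043egle" (Cyrillic o)
# both collapse to "google". Not a complete confusables list.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}

# Cyrillic letters that render identically to Latin ones: а е о р с у х -> a e o p c y x
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445", "aeopcyx")


def registrable_part(domain: str) -> str:
    """Return the last two labels, e.g. 'google.com' from 'accounts.google.com'.

    Simplification: ignores multi-label public suffixes such as co.uk.
    """
    labels = domain.strip(".").split(".")
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Lower-case, decode punycode, fold accents/homoglyphs, map ASCII confusables."""
    domain = domain.lower().strip(".")
    try:
        # 'xn--' labels become their Unicode form; plain ASCII is returned unchanged.
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII, or an invalid label; keep as-is
    decomposed = unicodedata.normalize("NFKD", domain)
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = folded.translate(HOMOGLYPHS)
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded


def classify(domain: str, legitimate=LEGITIMATE_DOMAINS, threshold: float = 0.85) -> dict:
    """Return {'verdict', 'target', 'score'} for one observed hostname.

    verdict is one of:
      'legitimate'  registrable part matches a protected domain exactly
      'homoglyph'   different characters, but identical after normalisation
      'embedded'    protected name appears as a subdomain of another registrable domain
      'lookalike'   small edit distance from a protected domain
      'unrelated'   nothing resembling a protected domain
    """
    lowered = domain.lower().strip(".")
    raw_reg = registrable_part(lowered)
    norm_reg = registrable_part(normalise(lowered))
    best = {"verdict": "unrelated", "target": None, "score": 0.0}
    for legit in legitimate:
        if raw_reg == legit:
            return {"verdict": "legitimate", "target": legit, "score": 1.0}
        if norm_reg == normalise(legit):
            return {"verdict": "homoglyph", "target": legit, "score": 1.0}
        # 'google.com.login-alert.example': the real name is only a subdomain label.
        if f".{legit}." in f".{lowered}." and raw_reg != legit:
            return {"verdict": "embedded", "target": legit, "score": 1.0}
        score = SequenceMatcher(None, norm_reg, normalise(legit)).ratio()
        if score >= threshold and score > best["score"]:
            best = {"verdict": "lookalike", "target": legit, "score": round(score, 3)}
    return best


def scan(hostnames) -> list:
    """Return (hostname, verdict dict) for every hostname that is not legitimate/unrelated."""
    findings = []
    for host in hostnames:
        verdict = classify(host)
        if verdict["verdict"] not in ("legitimate", "unrelated"):
            findings.append((host, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in a proxy log.
    observed = [
        "accounts.google.com",
        "g\u043e\u043egle.com",               # Cyrillic o, renders as google.com
        "protonmai1.com",                     # digit one for letter l
        "google.com.login-alert.example",     # real name buried in a subdomain
        "xprotonmail.com",                    # one-character insertion
        "internal-wiki.example",
    ]
    for host, result in scan(observed):
        print(f"{host:35} {result['verdict']:10} -> {result['target']} ({result['score']})")
```

In production the allow-list would be the organisation's own providers, and findings would feed a blocklist or an alert rather than a print loop; the score threshold of 0.85 is a starting point to tune against false positives on your own traffic.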
