Phishing SMS 2FA codes – How hackers bypass two-factor authentication

Phishing is one of the most common threats, and the number one threat affecting civil organisations around the world. In fact, 90% of data breach attacks start with a phishing attack.

Today, mobile internet traffic comprises over 60% of total internet traffic, so it’s no surprise that hackers have turned their attention to high-value mobile users and the sites they use.

According to research by Wandera, over 48% of phishing attacks happen on mobile devices, and cellphone users are 3 times more vulnerable to phishing attacks than desktop users.

These days, hacking an email account is not as easy as phishing just a username and password. To succeed, the attacker must also bypass another layer of security called two-factor authentication (2FA).

It’s always good practice to enable 2FA on all of your email accounts wherever possible, but don’t be misled into believing that once it is enabled, you are safe or hack-proof.

If you do not have a proper understanding of how real phishing attacks work, you are always at risk.

Types of Two-Factor Authentication

Email service providers like Google provide 3 forms of 2FA:

  1. Authentication token: This is the most common form of 2FA. The user has to enter into the login form an authentication token or code that is delivered to his registered mobile number via SMS or through a dedicated authentication app such as Authenticator.
  2. Software push notification: In this form of 2FA, the user receives a notification on the phone through an app, which alerts the user that a login attempt is being made on a separate app or web page. The user can then approve it or block it.
  3. USB hardware security keys: In this form of two-factor authentication, the user has to physically insert a special USB key into the computer in order to log in.

The first one in the list, the “authentication token”, is the most susceptible to phishing attacks, even on the most widely used and trusted services like Gmail, and can be easily bypassed when the attacker is sophisticated enough.
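Why the first form is weaker than the third can be shown with a small model, added here as an illustration and not taken from the original article or from any provider's code. It assumes placeholder origins, and an HMAC stands in for the public-key signature a real hardware key produces; the function names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.example.com"      # placeholder for the genuine site
FAKE_ORIGIN = "https://accounts.example.invalid"  # placeholder for a look-alike page


def verify_otp(issued_code, submitted_code):
    """A code is a bare shared secret: the server cannot tell where it was typed."""
    return hmac.compare_digest(issued_code, submitted_code)


def key_sign(device_key, challenge, browser_origin):
    """The browser, not the user, records the origin it is really on before signing."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": browser_origin}, sort_keys=True
    ).encode()
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).digest()


def verify_key(device_key, challenge, client_data, signature):
    """Server side: the signature must be valid AND name the genuine origin."""
    expected = hmac.new(device_key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN


def compare_factors():
    code = f"{secrets.randbelow(10**6):06d}"    # code the real site sends by SMS
    otp_via_fake_page = verify_otp(code, code)  # same digits, whoever forwards them

    device_key = secrets.token_bytes(32)        # constructed key for the demo
    challenge = secrets.token_hex(16)           # issued by the real site
    on_fake = verify_key(device_key, challenge,
                         *key_sign(device_key, challenge, FAKE_ORIGIN))
    on_real = verify_key(device_key, challenge,
                         *key_sign(device_key, challenge, REAL_ORIGIN))
    return {"otp_via_fake_page": otp_via_fake_page,
            "key_via_fake_page": on_fake, "key_on_real_site": on_real}


if __name__ == "__main__":
    print(compare_factors())
```

The code typed on a look-alike page still verifies because nothing in it names the site, while the origin-bound response is rejected by the server.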

Phishing SMS 2FA codes

The attack begins when the phishing URL is distributed to target users in various ways, each meant to divert the target to a fake login page for the desired service (in our case, Google).

The most popular way is sending embarrassing or sensitive content, such as messages suggesting that someone’s photos have been revealed somewhere online.

If the target is of high value, the hacker generally creates an online persona of a person with whom the victim is familiar, in order to gain their trust, and later uses more sophisticated phishing emails that appear to be “invites” to edit documents on Google Drive or participate in Google Hangout calls.

The illustration below explains exactly how the 2FA token/code can be stolen along with the username and password. The left part, depicted in blue, illustrates the target user’s actions on the fake login page, and the right part, depicted in grey, shows how the hacker is able to phish both the login credentials and the SMS 2FA code.

As you can see above, the target opens the unknown link in the web browser, and the page looks identical to Google’s login page.

He then enters his login credentials, along with the 2FA code that he received on his registered mobile number upon entering valid login details. Little does he know that he has been interacting with a highly deceptive fake Google login page.

Behind the scenes, the hacker captures the victim’s login information from the fake login page whilst simultaneously entering it into the real Google login page.

This automatically triggers Google’s real 2FA protection, and an SMS containing the 2FA code is sent to the target user’s registered mobile number. As this is genuinely from Google, there is no cause for suspicion by the target, who then enters this genuine 2FA code into the fake page, where it is captured by the hacker.

Now, the hacker is left with a 30-second window to enter this 2FA code into the real Google login page before it is replaced by a new code, i.e. the attacker must carry out this hack in real time.

However, hackers are smart enough to use automation tools like Selenium, which automate the login tasks without requiring any intervention by the hacker, thus successfully bypassing the two-factor authentication.

The hacking process doesn’t stop here.

If the target somehow senses the attack, or at some point realizes he has been hacked, he will immediately change his login credentials and cut off the hacker’s access.

To prevent this, the hacker sets up a third-party app password that allows persistent access to the victim’s account, which doesn’t require any additional two-factor authentication when accessing it.
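The persistence step gives defenders something to watch for: an app password created shortly after a 2FA-verified login from a device the account has not used before. The detection sketch below is an added example, not from the original article; the event types, field names, sample events and the 10-minute window are all constructed assumptions rather than any provider's real audit-log schema.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed tuning value, not from the article

# Constructed sample events with hypothetical field names and event types.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "login_2fa_ok", "device": "dev-a1"},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "type": "app_password_created", "device": "dev-a1"},
    {"ts": "2024-05-02T14:00:10", "user": "bob", "type": "login_2fa_ok", "device": "dev-b1"},
    {"ts": "2024-05-09T14:00:10", "user": "bob", "type": "login_2fa_ok", "device": "dev-x9"},
    {"ts": "2024-05-09T14:02:40", "user": "bob", "type": "app_password_created", "device": "dev-x9"},
]


def find_suspicious_app_passwords(events, window=WINDOW):
    """Flag app passwords created soon after a 2FA login from an unseen device."""
    known = {}       # user -> set of baseline devices
    new_logins = {}  # (user, device) -> latest 2FA login time from an unseen device
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        user, device = ev["user"], ev["device"]
        if ev["type"] == "login_2fa_ok":
            devices = known.setdefault(user, set())
            if not devices:
                devices.add(device)  # first device seen becomes the baseline
            elif device not in devices:
                new_logins[(user, device)] = ts
        elif ev["type"] == "app_password_created":
            login_ts = new_logins.get((user, device))
            if login_ts is not None and ts - login_ts <= window:
                alerts.append({
                    "user": user,
                    "device": device,
                    "seconds_after_login": int((ts - login_ts).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_app_passwords(EVENTS):
        print(alert)
```

In this demo an unseen device is never promoted to the baseline, so a production rule would also need a policy for ageing trusted devices in.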

The message here is clear: attackers can easily defeat token-based two-factor authentication to obtain and maintain access to their victims’ accounts.

And at some point, as multi-factor authentication mechanisms become more common, phishing will become more complex and more evident.

Illustration by: Wandera.com

Ashwin S