Iranian Hacker Group Beats 2FA with New Phishing Campaign Targeting Google Users


A new phishing attack method shows that even the mighty two-factor authentication can be beaten without needing to possess a user’s mobile device.

We’d like to think that using Multi-Factor Authentication (MFA) surrounds the logon process with such a high level of security that it can’t be broken. But a recent phishing attack shows that simple mix of social engineering and quick backend hacking can successfully work around the most basic of MFA – two-factor, SMS one-time password (OTP) authentication.

Researchers at Certfa Labs recently identified the attack scheme created by the cybercriminal group Charming Kitten who was responsible for the hacking of HBO back in 2017). The phishing attack uses the Google’s Site Service (which uses the subdomain to establish credibility and to deceive their potential victims.

Users are initially phished with either fake notifications of unauthorized access, or via bogus file sharing on Google Drive. In either case, the focus is to have the victim thinking they need to interact with Google. Doing so makes the stretch to requiring authentication, and then requiring the second factor, pretty reasonable.

Pages made to look like both Google authentication, as well as emails designed to invoke the use of 2FA to validate the user (shown below) are used in a contextually timely fashion to trick users to believe they are interacting with Google’s 2FA.

The bad guys are getting better and craftier at their art every day. Attacks like these would fool even the savviest of users. What organizations need to fend off attacks like this is a security-minded user who is constantly on-guard – even when the systems they interact with seem legitimate.

Security Awareness Training would teach users about the potential red flags that exist even in this very slick campaign – The initial phish involves files on a Google Drive, or a notification of improper access. It’s at this point that users should be scrutinizing the emails, questioning their legitimacy. Did they request a file from the sender? Does the access notification from Google look completely legitimate? Having a default mindset of asking questions when anything out of the ordinary comes in is one of the byproducts of users who continually go through Security Awareness Training.


Find out if your organization's MFA solution
can be hacked by the bad guys now!

Did you know that all MFA mechanisms can be hacked, and in some cases it's as simple as sending a phishing email? That's why it's important to know the exact security risks your MFA solution has and how your users' accounts may be compromised.

masareport-thumbHere's how MASA works:

  • You will receive a custom link to take your assessment
  • Answer a series of technology questions relevant to your MFA solution
  • Get an instant high-level snapshot of potential risks with your MFA
  • Receive your in-depth report packed with actionable insight and detailed analysis on specific MFA attacks and tips for your top defenses 

Assess My MFA Solution Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe To Our Blog

Ransomware Has Gone Nuclear Webinar

Get the latest about social engineering

Subscribe to CyberheistNews