Andrea Danti - Fotolia

Gmail phishing campaign uses real-time techniques to bypass 2FA

Researchers saw a Gmail phishing campaign in the wild using clever tricks to access accounts including a difficult 2FA bypass only possible in real time.

A highly effective new Gmail phishing campaign has been gaining popularity and can even bypass two-factor authentication in limited real-time scenarios.

The Gmail phishing scheme takes advantage of a few methods to gain access to a user account, starting with an email that appears to contain a PDF that can be previewed within Gmail. However, the PDF redirects to an address designed to fool Google Chrome's malicious URL formatting in order to present the user with what appears to be a normal Google login screen.

Mark Maunder, CEO and founder of WordPress security firm Wordfence, said the trick behind this Gmail phishing scheme is that users see the string "," indicating a legitimate address, but will not see a green "HTTP" or a red "HTTPS" to indicate the safety of the link.

"They see ordinary black text. That is why this attack is so effective. In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected," Maunder wrote in a blog post. "In this case the 'data:text/html' and the trusted hostname are the same color. That suggests to our perception that they're related and the 'data:text/html' part either doesn't matter or can be trusted."

A commenter on GitHub claimed a Google representative last year had advocated better URL literacy to combat phishing, but Maunder suggested Google needed to do more -- like changing the color of the data:text/html string in order to bring more attention to potential malicious activity.

A Google spokesperson said the company is aware of this issue and will "continue to strengthen our defenses against it."

"We help protect users from phishing attacks in a variety of ways, including: machine learning-based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more," Google said in a statement. "Users can also activate two-step verification for additional account protection."

However, Rick Holland, vice president of strategy at Digital Shadows, said including URL formatting in phishing education in enterprise would be only a "marginal benefit" to IT professionals.

"IT pros should have very low expectations when it comes to relying upon their users to identify malicious URLs based upon their formatting," Holland told SearchSecurity. "This is further complicated by the trend of relying upon email gateways or SaaS offerings to rewrite external URLs to an internal URL that forces the link to be inspected at click time. These rewritten URLs will be seen as suspiciously formatted by many users. If not communicated properly, this will only increase the confusion around URL formatting."

Maunder said the Gmail phishing campaign was difficult to spot even beyond the URL formatting because the malicious website to which victims are directed looks exactly like a Google sign-in page and uses the victim's input in real time to log in.

"The attackers signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised. Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot," Maunder wrote. "Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more."

Potential 2FA bypass

There have been limited reports of this type of Gmail phishing attack including a two-factor authentication (2FA) code input in the real-time credential stealing, but Maunder wasn't able to confirm this to be true.

Robert Capps, vice president of business development at NuData Security, a behavioral biometrics company based in Vancouver, B.C., confirmed that "multifactor challenges have historically been attacked by real-time phishing schemes."

"In such schemes, the data submitted to the phishing site is immediately used in an attempt to access the user account," Capps told SearchSecurity. "If successful, the account could be mined for additional personal information on the user, or deposited funds removed. More to the point, consistent roll out of MFA challenges have driven fraudsters to develop other methods to maintain customer account access regardless of which challenge methods are in place."

Richard Henderson, global security strategist at Absolute Software, agreed that such 2FA bypass wouldn't be unique, even if it is rare.

"It does require a significant investment on the attacker's side to be able to take advantage of the incredibly small window of opportunity to get into an account before the [time-based one-time password] code expires," Henderson told SearchSecurity. "Thankfully this isn't all that common -- although if attackers do manage to gain significant profit, they will adjust and adapt."

Henderson added: "2FA solutions, by their very nature, are intended to be an additional authentication burden, but it's up to us to drill home to users that the burden of inserting a hardware key, opening up a smartphone app, or other 2FA solutions are worth the additional work, especially among the most privileged of accounts."

Jerome Segura, lead malware intelligence analyst at Malwarebytes, the internet security company based in Santa Clara, Calif., agreed that 2FA was still the best way to prevent attacks like this Gmail phishing scheme.

"There is no silver bullet, but 2FA combined with a password manager ensures that credentials are only entered for trusted websites," Segura told SearchSecurity. "SMS 2FA -- and even changing passwords too frequently -- [has] been criticized lately, but the bulk of phishing victims are typically reusing the same weak passwords across multiple sites and do not have any additional authentication measure."

Holland said the infosec community needs to end the practice of "victim blaming" when it comes to phishing attacks.

"We still have far to go when it comes to minimizing the burden to users when it comes to 2FA. I do feel that we must stop victim blaming when users' email addresses are compromised or when users click on emails. We have setup a  complex environment to do their jobs in. They must have 2FA; they must be vigilant and lookout for suspiciously formatted emails," Holland said. "Instead of victim blaming, organizations should hold the security vendors that protect against phishing accountable. When it comes to specific ways to be more transparent and reduce the burden to users, adaptive authentication that uses geolocation as an authentication factor is a good route to go."

Next Steps

Learn more about a phishing campaign taking ransomware attacks to a global scale.

Find out why multifactor authentication may not be a cure-all.

Get info on how HMRC is planning to block 500 million phishing emails per year. 

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing