Phishing SMS 2FA codes – How hackers bypass two-factor authentication

Phishing is one of the most common threats, if not the number one threat, facing civil organisations around the world; in fact, 90% of data breaches start with a phishing attack.

Today, mobile internet traffic makes up over 60% of all internet traffic, so it is no surprise that attackers have turned their attention to high-value mobile users and the sites they use.

According to research by Wandera, over 48% of phishing attacks happen on mobile devices, and mobile users are 3 times more vulnerable to phishing than desktop users.

These days, taking over an email account takes more than phishing a username and password. To succeed, the attacker must also bypass a further layer of security called two-factor authentication (2FA).

It is always good practice to enable 2FA on all of your email accounts wherever possible, but don’t be misled into believing that once it is enabled you are safe or hack-proof.

If you do not have a proper understanding of how real phishing attacks work, you are always at risk.

Types of Two-Factor Authentication

Email service providers such as Google offer three forms of 2FA:

  1. Authentication token: This is the most common form of 2FA. The user has to enter into the login form an authentication token or code that is sent to their registered mobile number via SMS, or generated by a dedicated authenticator app such as Google Authenticator.
  2. Software push notification: In this form of 2FA, the user receives a notification on the phone through an app that alerts them that a login attempt is being made from a separate app or web page, and the user can approve or block it.
  3. USB hardware security keys: In this form of two-factor authentication, the user has to physically insert a special USB key into the computer in order to log in.

The first of these, the authentication token, is the one most susceptible to phishing, even on the most widely used and trusted services such as Gmail, and a sufficiently sophisticated attacker can bypass it with relative ease.

Phishing SMS 2FA codes


The attack begins when the phishing URL is distributed to target users by various means, in order to steer the target to a fake login page for the desired service (in our case, Google).

The most popular lure is embarrassing or sensitive content, such as a message suggesting that someone’s photos have been revealed somewhere online.

If the target is of high value, the hacker generally creates an online persona of someone the victim knows in order to gain their trust, and later uses more sophisticated phishing emails that appear to be “invites” to edit documents on Google Drive or to join Google Hangouts calls.

The illustration below explains exactly how the 2FA token/code can be stolen along with the username and password. The left part, in blue, illustrates the target user’s actions on the fake login page, and the right part, in grey, shows how the hacker is able to phish both the login credentials and the SMS 2FA code.

As you can see above, the target opens the unknown link in the web browser, which looks identical to that of Google’s login page.

He then enters his login credentials, followed by the 2FA code he receives on his registered mobile number after submitting valid login details, without realising that he has been interacting with a highly deceptive fake Google login page.

Behind the scenes, the hacker captures the victim’s login information from the fake login page while simultaneously entering it into the real Google login page.

This automatically triggers Google’s real 2FA protection, and an SMS containing the 2FA code is sent to the target user’s registered mobile number. As this message genuinely comes from Google, the target has no cause for suspicion, and enters the genuine 2FA code into the fake page, where the hacker captures it.

Now the hacker has a 30-second window to enter this 2FA code into Google’s real login page before it is replaced by a new code; in other words, the attacker must carry out the attack in real time.

However, attackers are smart enough to use automation tools such as Selenium, which perform the login steps without any manual intervention by the attacker, thus successfully bypassing two-factor authentication.
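The reason this relay works against an SMS or authenticator-app code, and not against the hardware-key option from the list above, is that a typed code carries no information about which page it was typed into, whereas an origin-bound credential signs the origin the browser itself reports. The simulation below is an added example written for this post, not code from the original article or from any real service: it models a toy login server, a toy authenticator (an HMAC over the challenge and origin, standing in for a WebAuthn signature), and the two constructed origins `REAL_ORIGIN` and `PHISH_ORIGIN`. Nothing here touches a network; it only shows why the server accepts a relayed SMS code but rejects a relayed origin-bound response.

```python
import hashlib
import hmac
import secrets
import time

# Constructed origins for the simulation; not real Google hostnames.
REAL_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://accounts-example.test"
OTP_WINDOW_SECONDS = 30  # the validity window the post describes


class LoginServer:
    """Toy account server with two second factors: an SMS-style one-time code,
    and an origin-bound challenge/response. Stand-in for a real service."""

    def __init__(self, password, sms_sink):
        self.password = password
        self.sms_sink = sms_sink  # where one-time codes are delivered (the user's phone)
        # Shared secret standing in for a WebAuthn credential (HMAC instead of a real signature).
        self.device_key = secrets.token_bytes(32)
        self.pending = {}  # session id -> (kind, value, issued_at)

    def start_otp_login(self, session, password):
        """Step 1 of the SMS flow: check the password, then text a code to the registered phone."""
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session] = ("otp", code, time.monotonic())
        self.sms_sink(code)
        return True

    def finish_otp_login(self, session, code):
        """Step 2: accept whoever presents the right code inside the window.
        The code says nothing about which page the user typed it into."""
        kind, expected, issued_at = self.pending.pop(session, (None, None, 0.0))
        if kind != "otp" or time.monotonic() - issued_at > OTP_WINDOW_SECONDS:
            return False
        return hmac.compare_digest(code, expected)

    def start_origin_bound_login(self, session):
        """Issue a fresh challenge; the response must be bound to REAL_ORIGIN."""
        challenge = secrets.token_hex(16)
        self.pending[session] = ("challenge", challenge, time.monotonic())
        return challenge

    def finish_origin_bound_login(self, session, assertion):
        kind, challenge, _ = self.pending.pop(session, (None, None, 0.0))
        if kind != "challenge":
            return False
        expected = authenticator_sign(self.device_key, challenge, REAL_ORIGIN)
        return hmac.compare_digest(assertion, expected)


def authenticator_sign(device_key, challenge, origin_reported_by_browser):
    """Toy authenticator: signs the challenge together with the origin the *browser* reports.
    The user never types the origin, so a look-alike page cannot substitute the real one."""
    msg = f"{challenge}|{origin_reported_by_browser}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def otp_relay_outcome():
    """Replays the post's flow: password and SMS code both pass through the fake page."""
    phone = []  # the victim's SMS inbox
    server = LoginServer("correct horse battery", sms_sink=phone.append)
    # The victim types the password into the fake page; the relay forwards it to the real server.
    if not server.start_otp_login("relay-session", "correct horse battery"):
        return False
    # The genuine SMS arrives on the victim's phone and is typed into the same fake page...
    code_typed_into_fake_page = phone[-1]
    # ...and is forwarded inside the window. The server cannot tell the relay from the user.
    return server.finish_otp_login("relay-session", code_typed_into_fake_page)


def origin_bound_relay_outcome():
    """The same relay against an origin-bound factor (the post's hardware security key option)."""
    server = LoginServer("correct horse battery", sms_sink=lambda code: None)
    challenge = server.start_origin_bound_login("relay-session")
    # The victim's browser is on the look-alike page, so the authenticator binds the
    # response to PHISH_ORIGIN, not to REAL_ORIGIN, and the server rejects it.
    assertion = authenticator_sign(server.device_key, challenge, PHISH_ORIGIN)
    return server.finish_origin_bound_login("relay-session", assertion)


def legitimate_origin_bound_login():
    """Control case: the same authenticator used on the genuine page is accepted."""
    server = LoginServer("correct horse battery", sms_sink=lambda code: None)
    challenge = server.start_origin_bound_login("user-session")
    assertion = authenticator_sign(server.device_key, challenge, REAL_ORIGIN)
    return server.finish_origin_bound_login("user-session", assertion)


if __name__ == "__main__":
    print("relayed SMS code accepted:", otp_relay_outcome())                      # True
    print("relayed origin-bound response accepted:", origin_bound_relay_outcome())  # False
    print("genuine origin-bound login accepted:", legitimate_origin_bound_login())  # True
```

In a real WebAuthn deployment the protection is even stronger than the toy shows: the browser refuses to exercise the credential at all when the page's origin does not match the credential's relying-party identifier, so the phishing page never obtains a response to relay. The takeaway for defenders is the same either way: a second factor the user can read out and type can be relayed, and one bound to the origin cannot.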

The hacking process doesn’t stop here.

If the target suspects an attack, or at some point realises he has been hacked, he will immediately change his login credentials and cut off the hacker’s access.

To prevent this, the hacker sets up a third-party app password, which grants persistent access to the victim’s account without requiring any further two-factor authentication.

The takeaway is clear: attackers can defeat token-based two-factor authentication to obtain, and maintain, access to their victims’ accounts.
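The persistence step leaves a footprint that defenders can look for: an SMS-verified login from an address the user has never used, followed within minutes by the creation of an app password. The detection below is an added example written for this post, not code from the original article or from any provider's tooling. The audit events, the field names (`event`, `ip`, `mfa`) and the per-user baseline of known addresses are all constructed for the example; a real deployment would map the same logic onto whatever audit log the email provider exports.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit events in a generic shape (not a real provider's log format).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05Z", "user": "alice", "event": "login_success",
     "ip": "203.0.113.10", "mfa": "sms_code"},
    {"ts": "2024-05-01T09:00:50Z", "user": "alice", "event": "app_password_created",
     "ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:01:10Z", "user": "alice", "event": "mail_client_login",
     "ip": "203.0.113.44", "auth": "app_password"},
    {"ts": "2024-05-01T12:00:00Z", "user": "bob", "event": "login_success",
     "ip": "198.51.100.7", "mfa": "sms_code"},
    {"ts": "2024-05-02T12:30:00Z", "user": "bob", "event": "app_password_created",
     "ip": "198.51.100.7"},
]

# Constructed baseline: addresses each user has previously signed in from.
KNOWN_IPS = {"alice": {"192.0.2.5"}, "bob": {"198.51.100.7"}}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_app_passwords(events, known_ips, window=timedelta(minutes=15)):
    """Flag app-password creation that follows, within `window`, a login from an address
    the user has not used before. The two conditions together match the post's pattern:
    a relayed code logs the attacker in, and the session's first act is to plant a bypass."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    last_login = {}  # user -> (timestamp, ip, mfa method) of the most recent login_success
    alerts = []
    for e in ordered:
        if e["event"] == "login_success":
            last_login[e["user"]] = (parse_ts(e["ts"]), e["ip"], e.get("mfa"))
        elif e["event"] == "app_password_created":
            login = last_login.get(e["user"])
            if login is None:
                continue
            login_ts, login_ip, mfa = login
            from_new_ip = login_ip not in known_ips.get(e["user"], set())
            soon_after = parse_ts(e["ts"]) - login_ts <= window
            if from_new_ip and soon_after:
                alerts.append({
                    "user": e["user"],
                    "app_password_created_at": e["ts"],
                    "login_ip": login_ip,
                    "login_mfa": mfa,
                    "seconds_after_login": int((parse_ts(e["ts"]) - login_ts).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_app_passwords(SAMPLE_EVENTS, KNOWN_IPS):
        print("ALERT:", alert)
```

On the sample data only Alice is flagged: her app password was created 45 seconds after an SMS-verified login from an address outside her baseline, while Bob's was created a day after a login from his usual address. The response that follows such an alert is the inverse of the attacker's persistence step: revoke the user's app passwords and active sessions, reset the password, and review mail forwarding and filter rules created in the same window.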

And as multi-factor authentication mechanisms become more common, phishing will become more complex and more evident.


Ashwin S