科技创新!
Hackers beat 2
Securing your online accounts with two-factor authentication can be an effective way to ward off hackers. But the system isn't perfect. One mysterious group has been defeating the protection method in attempts to phish upwards of 1,000 people, according to the human rights group Amnesty International.
The group today published a report documenting the phishing attacks, which have been targeting journalists and activists based in the Middle East and North Africa through the use of phony emails and login pages.
The goal behind the attacks has been to trick victims into handing over access to their Google and Yahoo accounts, even when two-factor authentication is in place. "What makes these campaigns especially troubling is the lengths to which they go to subvert the digital security strategies of their targets," Amnesty International said in its report.
For the uninitiated, two factor-authentication is a safeguard designed to protect your online account in the event your password is stolen. It works like this: when you try to access the account, you not only have to enter your login credentials, but also a special one-time passcode that's been generated over your phone.
Unfortunately, the special passcodes generated by two-factor authentication systems are usually just a string of a random numbers, which can make them easy to phish; all the hacker has to do is to trick you into giving up the special codes.
Amnesty International said the group of hackers they've been tracking pulls this off by sending out fake but convincing security alerts that look like they came from Google or Yahoo. The alerts will claim the victim's account may have been breached and provide a link to an official-looking login page to initiate a password reset.
"To most users a prompt from Google to change passwords would seem a legitimate reason to be contacted by the company, which in fact it is," Amnesty International said. But in reality, the login pages are fake.
The hackers created the phony process to both phish the victim's password and the special two-factor authentication code. Amnesty International has been investigating the scheme based on suspicious emails the group has been receiving from human rights activists and journalists. To test out the attacks, the group created a disposable Google account and then clicked through one of the phishing emails.
"Sure enough, our configured phone number did receive an SMS message containing a valid Google verification code," Amnesty said in its report.
The group also investigated how the hackers were creating their phishing schemes and noticed that the mysterious group accidentally made public an online directory they were using to host their attacks. The information revealed the hackers were using web application testing tools to automate the phishing process.
"Essentially, they built an 'auto-pilot' system that would launch Chrome and use it [to] automatically submit the login details phished from the user to the targeted service, including two-step verification codes sent for example via SMS," said Claudio Guarnieri, a technologist at Amnesty, in a tweet.
The hackers' automated process is important because it lets them input the special one-time passcode into the real Google or Yahoo login page, before the time limit on the passcode runs out.
Typically those concerned about getting 2FA codes via SMS can also do so via an authenticator app, which serves up codes that change every few seconds. Amnesty did not immediately respond to PCMag's request for comment about whether this affects such apps, but a technologist there told Motherboard that "the same approach could potentially be used to phish codes from a 2FA app such as Google Authenticator."
The human rights group still recommends people adopt two-factor authentication, but to be aware that the system does have limitations. So don't be fooled into thinking you're completely safe. For example, government-sponsored hackers have the resources to create elaborate phishing schemes to crack the safeguard. They can also attempt to infect your PC with malware.
"Individuals at risk, human rights defenders above all, are very often targets of phishing attacks and it is important that they are equipped with the right knowledge," Amnesty said.
If you have extra money to spend, you can also invest in a security key to protect your online accounts. They work by substituting the two-factor authentication process with a hardware-based device, which needs to be inserted into your PC to log into the protected account. The big plus of a security key is that it's pretty hard for a hacker to steal; to do so, the attacker has to personally come and physically take it from you.
You can learn more about how they work here. Unfortunately, one key can cost between $25 to $50. Not every online service supports them either. But you can use them to protect your accounts on Google, Facebook, Dropbox, and Twitter.
Featured Video For You
Vitaminwater is offering $100,000 to keep off your smartphone for a year
文章
682
浏览
42356
获赞
7
热门推荐
Snapchat removes Juneteenth filter that prompted users to smile to break chains
Snapchat apologized for its insensitive Juneteenth filter that asked users to smile to break chainsLyft rides will come with plastic partition between you and driver
You already have to wear a mask to ride in a Lyft or Uber. Now, additional Lyft vehicles will be covFBI warns of look
Someone is weaponizing your typos. With the U.S. presidential election fast approaching, people acroAmazon’s Echo Buds are overheating, so you should update them now
Amazon would like Echo Buds owners to avoid catastrophe.If you happen to own a pair of the wirelessHarry and Meghan share a new pic of baby Archie for Mother's Day
Baby feet: a great way to celebrate Mother's Day.The Duke and Duchess of Sussex posted a new photo oHow, and why, to create a Spotify blend playlist
The digital era has revolutionized how we flirt. Hitting on people now transcends the apps, in an inSamsung's Galaxy Watch 4 update adds sleep tracking
All eyes might be on Samsung’s next flagship smartphone, but the tech giant hasn’t forgoTesla Fremont plant sees spike in coronavirus 'exposure,' report says
When it comes to the coronavirus, Elon Musk's sustained incompetence long ago took a turn for the daInstagram's 'Hashtag Mindfulness' boom: The good, the bad, and the ugly
March Mindfulness is our new series that examines the explosive growth in mindfulness and meditationMicrosoft's Cortana is saying goodbye to Android and iOS in 2021
It's looking like curtains for Cortana, Microsoft's digital assistant. On mobile, at least.In an annHere's how to get free COVID tests delivered to your door right now
Can't find a COVID test anywhere in stores? Don't want to wait outside in an hours-long line just toCold water swimming: The ritual empowering people with prenatal depression
While many are familiar with postpartum depression, the depression faced by people who've become newTwoSeven review: Group streaming for all of your favorite services
The search for the perfect group streaming service for the age of social distancing isn't over, butCan you recycle sex toys? It depends.
Major sex toy companies have made numerous highly visible and vocal attempts to go greenover the lasGet the benefits of a personal trainer at
You: I always get the most out of my workouts and feel the best about my health when I work out with