Hackers Bypass Google’s Two-Factor Authentication By Taking Social Engineering To A New Level
You may have read reports of Gmail accounts being hacked despite the user having enabled Google’s two-factor authentication (2FA). The reason is that attackers are using a new strategy to lure unwary users into handing over the 2FA code themselves.
Some people can be tricked into disclosing their two-factor authentication code to criminals by a sly new trick that makes them believe they are protecting their accounts while doing so.
Two-factor authentication (2FA) is an important safety measure that mainstream online services, from banks to Google, Facebook and government agencies, have gradually adopted. With 2FA enabled, entering the correct password is not enough to log in: the service also sends a one-time verification code, typically by SMS text message, and the login is completed only when that code is entered as well.
If the code is not entered promptly, the attempt is treated as unverified, possibly as a hacking attempt, and the system refuses access to the account even though the password was correct.
Alex MacCaw, co-founder of Clearbit.com, tweeted an image of an SMS he had just received. An anonymous attacker had sent MacCaw a message posing as a Google notification. It reads as follows:
Be warned, there's a nasty Google 2 factor auth attack going around. pic.twitter.com/c9b9Fxc0ZC
— Alex MacCaw (@maccaw) June 4, 2016
“(Google™ Notification) We recently noticed a suspicious sign-in attempt to [email protected] from IP address 126.96.36.199 (Vacaville, CA). If you did not sign-in from this location and would like to lock your account temporarily, please reply to this alert with the 6-digit verification code you will receive momentarily. If you did authorize this sign-in attempt, please ignore this alert.”
The message was priming the victim to expect a 2FA verification code, so that the illegal login attempt that followed would not raise suspicion. The attackers, who must already have obtained MacCaw’s password by other means (otherwise the 2FA step would never be reached), would start a login to his account; Google would then send the genuine 2FA code to his phone. Believing he was locking his account by “sending the verification code to Google”, MacCaw would in fact be replying to the attacker, who would type the code into the login page and gain access, with the victim’s own help.
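To make the exchange concrete, the following is an added simulation of the relay described above; it is not code from the original article or from Google. The `AccountService` class, the session and phone identifiers, and the password `hunter2` are assumptions, and the lure text is a constructed paraphrase of the SMS quoted above. The model shows why the service cannot stop the attack on its own: it can only compare the six digits, not tell who typed them. The `looks_like_code_lure` check captures the one rule that does defeat it, namely that a real code is typed into the login page and never sent back by SMS.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field

# Constructed lure, paraphrasing the SMS quoted in the article (not the verbatim text).
LURE_SMS = (
    "(Google Notification) We recently noticed a suspicious sign-in attempt to your account. "
    "If you did not sign-in and would like to lock your account temporarily, please reply "
    "to this alert with the 6-digit verification code you will receive momentarily."
)

CODE_RE = re.compile(r"\b(\d{6})\b")


@dataclass
class AccountService:
    """Hypothetical site that finishes a password login with a 6-digit SMS code."""
    password: str
    victim_phone: list                    # the account owner's SMS inbox (list of strings)
    ttl_seconds: int = 300
    _pending: dict = field(default_factory=dict)   # session_id -> (code, expiry)

    def login(self, password: str, session_id: str) -> str:
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return "bad password"
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = (code, time.monotonic() + self.ttl_seconds)
        # A legitimate OTP goes to the registered phone and never asks for a reply.
        self.victim_phone.append(f"G-{code} is your verification code.")
        return "code sent"

    def verify(self, session_id: str, code: str) -> bool:
        entry = self._pending.pop(session_id, None)   # one-shot: a code is usable once
        if entry is None:
            return False
        real_code, expiry = entry
        # The service can only check the digits; it cannot tell whether the person
        # typing them is the account owner or someone the owner handed them to.
        return time.monotonic() <= expiry and hmac.compare_digest(code.encode(), real_code.encode())


def looks_like_code_lure(sms: str) -> bool:
    """Flag any message that asks the recipient to send a verification code back.
    A real OTP message tells you a code; it never asks you to reply with one."""
    text = sms.lower()
    asks_for_reply = any(w in text for w in ("reply", "send us", "text back", "respond with"))
    return asks_for_reply and "code" in text


def run_relay_attack(victim_replies_blindly: bool) -> bool:
    """Play out the exchange from the article with the attacker already holding the
    victim's password. Returns True if the attacker ends up logged in."""
    victim_phone: list = []
    attacker_phone: list = []
    service = AccountService(password="hunter2", victim_phone=victim_phone)   # assumed password

    # 1. Attacker sends the lure so that the real code, when it arrives, looks expected.
    victim_phone.append(LURE_SMS)
    # 2. Attacker submits the stolen password; the service texts the victim the real code.
    assert service.login("hunter2", session_id="attacker-session") == "code sent"
    # 3. Victim decides what to do with the real code. A careful user applies the
    #    check above to the earlier "alert" and refuses; a gullible one "replies to lock".
    code = CODE_RE.search(victim_phone[-1]).group(1)
    if victim_replies_blindly or not looks_like_code_lure(victim_phone[0]):
        attacker_phone.append(f"Please lock my account: {code}")
    # 4. Attacker relays whatever came back into the real login page.
    for msg in attacker_phone:
        m = CODE_RE.search(msg)
        if m and service.verify("attacker-session", m.group(1)):
            return True
    return False


if __name__ == "__main__":
    print("gullible victim, attacker logged in:", run_relay_attack(victim_replies_blindly=True))
    print("careful victim, attacker logged in:", run_relay_attack(victim_replies_blindly=False))
```

Note that nothing in `AccountService` is weak in the usual sense: the password is checked in constant time, the code is random, single-use and time-limited. The attack works entirely on the victim's side, which is why the only effective countermeasure is the user-level rule encoded in `looks_like_code_lure` or, better, a second factor that cannot be relayed by reading it out loud.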
Thankfully, MacCaw recognised the trick and did not fall for this new form of social engineering. If you use Gmail, take the same precaution: a genuine verification code is something you type into the login page yourself, never something you send back by SMS, so do not reply to any message asking you to do so, whatever it claims to be.