Hackers are using social engineering attacks to bypass the two-step verification (2SV) feature protecting people’s web accounts.
On June 4th, Alex MacCaw, co-founder of data API company Clearbit, sent out the following tweet along with the screenshot of a text message attackers sent to his phone:
Be warned, there's a nasty Google 2 factor auth attack going around. pic.twitter.com/c9b9Fxc0ZC
— Alex MacCaw (@maccaw) June 4, 2016
The text message reads:
“(Google™ Notification) We recently noticed a suspicious sign-in attempt to email@example.com from IP address 220.127.116.11 (Vacaville, CA). If you did not sign-in from this location and would like to lock your account temporarily, please reply to this alert with the 6-digit verification code you will receive momentarily. If you did authorize this sign-in attempt, please ignore this alert.”
Attackers can use social engineering text messages such as this one to bypass 2-step verification, an option that protects a web account with an additional layer of security: after a user signs in with their username and password, the service sends a one-time verification code to the user’s phone and requires it before granting access.
For this type of attack to work, a bad actor first needs to obtain access to a target individual’s login credentials and their mobile phone number. They can usually obtain this information by sifting through various data dumps posted online.
Pretending to be a representative of a legitimate company, such as Google, Apple, or Facebook, the attacker(s) will then contact the target via text message, warn the user they’ve detected “suspicious activity” on their account, and ask the individual to confirm a 2SV code sent to their mobile phone to prevent their account from being locked.
A successful attack will trick the target into handing over the verification code, which allows the bad actor(s) to gain access to the user’s account.
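The lure above follows a recognisable pattern: it names a brand, claims suspicious activity, threatens to lock the account, and asks the recipient to reply with a verification code they are about to receive. The following is an added example, not code from the original article or from any of the companies it mentions, showing how a defender (for instance an SMS-filtering or user-awareness tool) could flag such messages with a few regular-expression signals. The signal names, thresholds and decision rule are this example’s own assumptions; the sample messages are constructed, except the first, which is the text quoted in the article.

```python
import re

# Heuristic signals for SMS lures that try to talk the recipient into handing
# over a one-time verification code. Patterns and names are assumptions made
# for this example, not a vendor list.
SIGNALS = [
    # The essential element: the message wants the code sent back.
    ("asks_to_reply_with_code",
     re.compile(r"\breply\b.{0,60}\b(code|pin|passcode)\b", re.I | re.S)),
    ("asks_to_send_code",
     re.compile(r"\b(send|text|forward|confirm|provide)\b.{0,40}"
                r"\b(\d-digit\s+)?(verification\s+)?(code|pin)\b", re.I | re.S)),
    # Pretexts that create urgency or borrow a brand's authority.
    ("account_lock_threat",
     re.compile(r"\b(lock|suspend|disable|deactivat)\w*\b.{0,40}\baccount\b",
                re.I | re.S)),
    ("suspicious_signin_pretext",
     re.compile(r"\bsuspicious\b.{0,30}\b(sign[- ]?in|login|activity)\b",
                re.I | re.S)),
    ("brand_with_trademark",
     re.compile(r"\(?\b(Google|Apple|Facebook)\s*(™|\(TM\))", re.I)),
]

PRETEXT_SIGNALS = {"account_lock_threat", "suspicious_signin_pretext",
                   "brand_with_trademark"}


def classify_sms(message: str) -> dict:
    """Return a verdict and the list of matched signals for one SMS body.

    Decision rule (an assumption of this example): a message that both asks
    for the code to be sent back AND uses at least one pretext is classed as
    an OTP phishing lure; one of the two alone is only 'suspect', since
    genuine security alerts also mention suspicious sign-ins.
    """
    hits = [name for name, rx in SIGNALS if rx.search(message)]
    requests_code = any(h.startswith("asks_") for h in hits)
    pretext = any(h in PRETEXT_SIGNALS for h in hits)
    if requests_code and pretext:
        verdict = "otp_phish"
    elif requests_code or pretext:
        verdict = "suspect"
    else:
        verdict = "benign"
    return {"verdict": verdict, "signals": hits}


# Constructed samples. 'page_lure' is the message quoted in the article;
# the other two are made up here to show the other verdict classes.
SAMPLES = {
    "page_lure": (
        "(Google™ Notification) We recently noticed a suspicious sign-in "
        "attempt to email@example.com from IP address 220.127.116.11 "
        "(Vacaville, CA). If you did not sign-in from this location and would "
        "like to lock your account temporarily, please reply to this alert "
        "with the 6-digit verification code you will receive momentarily. If "
        "you did authorize this sign-in attempt, please ignore this alert."
    ),
    # A genuine code delivery: carries the code, never asks for it back.
    "legit_code": "G-482913 is your Google verification code. "
                  "Do not share it with anyone.",
    # A genuine alert: mentions a suspicious sign-in but requests nothing.
    "legit_alert": "Google: Suspicious sign-in attempt blocked on your "
                   "account. Review your recent activity in account settings.",
}


def run_samples() -> dict:
    """Classify every sample; returns {label: verdict}."""
    return {label: classify_sms(text)["verdict"] for label, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        result = classify_sms(text)
        print(f"{label:12s} {result['verdict']:10s} {result['signals']}")
```

The point of the two-part rule is that a legitimate provider does send alerts about suspicious sign-ins and does send codes, but never asks the user to send a code back; only the combination of a pretext and a request for the code marks the message as a lure.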
To protect against social engineering attacks such as these, people should use strong, unique passwords for each of their web accounts (so that a single data dump does not expose a credential the attack can start from) and enable 2SV wherever the option is available. They should also never give out their 2SV verification codes to anyone, whether by replying to a text message or otherwise.