Gmail and Yahoo Mail 2FA thwarted by Iranian phishers

SMS 2FA used by Google and Yahoo by-passed

 

A phishing gang in Iran has managed to bypass the two Factor Authentication (2FA) that Gmail and Yahoo Mail users use to secure their accounts.

2FA helps users to protect their accounts by adding an extra layer of security. Using your username and password and then something extra like a single use password which is delivered via an SMS message.

In this case the gang were able to get the user to go to a fake website that looked exactly like the users Gmail or Yahoo Mail login page. Once the user had entered in their details to the fake site the gang then took those details and entered them in to the real site and then the fake site asked for the code which had just been sent to their mobile phone. Once they entered this in to the site the gang were able to take the code and enter it in to the real site and gain access to the users email accounts.

The attackers, working on behalf of the Iranian government, sent out emails targeting US Government officials, activists and journalists, specifically those involved in the US sanctions against Iran. First they found as much information about each victim and then crafted specially targeted emails at each of them. The emails had a secret hidden picture in them which notified the gang in real-time when the user was viewing the email so they could carry out the attack while the user was trying to login.

The attack was notable for other reasons also it used email addresses such as notifications.mailservices@gmail.com and noreply.customermails@gmail.com to make it look like they were official emails from Google.

We would urge all users of any service to ensure that they check very carefully the links in emails and if possible not to use links in emails at all. Keep yourself up-to-date with security issues by opening an account and signing up for our Security Alerts, Newsletters and Promotional emails.

Keep Safe

CritchCorp Computers Ltd

Why do Yahoo give your eMail account to cybercriminals, no questions asked?

YahooMail, which has now merged with AOL to form OATH, part of Verizon, can allow others, including and most likely, cyber criminals who are out to hack your digital life, to permanently have your yahoo email address; and there is nothing you can do about it. Except get off their service as quickly as possible or don’t start to use them in the first place

Even though Yahoo has now been merged they have kept the terms and conditions, which some on the internet have called a privacy nightmare, largely the same.

The first part is the same as all other FREE email and social media companies, and that is that everything you put, send or receive belongs to you, BUT, you grant them a sublicense to do with your data whatever they please.

The second part is more worrying and that is the fact that, if, for any reason, your account is terminated; including because you didn’t have enough activity on it for a given length of time, which remains unspecified in the terms and conditions, so as they determine it, then they can and will make your username (email address) available for anyone else to register. Read More

About Mat Honan’s Epic Hacking

I am sure that you have all heard about Mat Honan’s very bad weekend by now, But just in-case you have not, here is an overview of what happened. There is a very good podcast that you can listen to if you want the full story or read the transcripts: http://www.grc.com/sn/sn-364.txt or you can read Mat’s story : http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

If you regularly keep up-to-date with security news then you will have heard all about this story. This is intended for those who do not keep up with the news or find it too complicated or technical to follow, or just don’t have time to keep up to date with this stuff. As this is an important story, I have written this brief article about here.

Firstly, who is Mat Honan? He is reporter for Wired magazine and former senior reporter for Gizmodo. He knows a thing or two about technology.

This is a brief sumary about what happened to him a couple of weeks ago. Just so you can be aware and not make the same mistakes as he did. He thought he was safe because he used secure long gibberish passwords, but that did not help him in this case.

In the space of one hour Mat’s entire digital life was destroyed. Here is the order of things that were done:

  1. Google account taken over, then deleted
  2. Twitter account taken over
  3. Apple ID taken over and remotely erased his iPhone, iPad and MacBook

Here is how they did it and what you need to watch out for.

The hackers were only after his Twitter account as he has a nice handle (@mat). To get to this they destroyed his digital life. Firstly, they noticed that his Twitter account was connected to his personal website. On his personal website they found his GMail.com address. Using Google Mails account recovery they discovered that he had a @me.com address, which he used as the backup to receive password resets to.They also had his name and address, which they obtained form his website but could be obtained in a number of ways. Lets face it every time you order pizza you give your name and address, you probably chuck out lots of junk mail with your name and address on it. There are also numerous ways on line to get that information. So, with this information they phoned, yes phoned Amazon. Claiming to be Mat they said that they wanted to add a credit card to their account. With the Name and billing address they were able to do this and using a credit card number made up by a website devoted to generating numbers that conform to the algorithms used they added a card to his account. They then hung up and phoned back and said that they could not get in to their account (Mat’s account). They were then asked for their name, billing address and a credit card on file. Using the credit card they had just added they were then able to add a new email address to the account. They then went to the Amazon website and preformed a password reset to the new email address that they had just added.

They can now see all the credit cards that had been previously added to the account, including the real card that Mat uses. Granted it is only the last four digits of the card as that is what Amazon considers safe to show you (as do a lot of other companies). They now called Apple Care and said that they had lost access to their (Mat’s) @me.com account. Apple kindly helped this fake Mat to recover his password using a temporary password which they issue over the phone which you can then use to access the account and to change the password to the account. This was issued despite the fact that the hackers could not answer any of the security questions on file!! In the end all they needed was his name address and yes, you guessed it the last four digits of a credit card on file.

Once they had hacked in to his @me.com account they could send a password reset from his Twitter account which went to his @me.com address and they quickly reset his twitter account password. This was there intended goal as they could now tweet in his name and upset his followers, just for the fun of it!

Here is the horrible bit: In order to stop Mat from regaining control over his account, they did the following. Deleted his GMail account. Preformed a wipe on his iPhone, iPad and MacBook, thus deleting his entire and only copies of his daughters first year and a half pictures and pictures of relative who are no longer in this word. It was not the intention of the hackers to delete these things but just collateral damage to the main goal, his Twitter account.

You need to be aware of where your accounts lead to and what information you leak out on them. Information these days is very easy to get to because people do not protect it well enough.

Amazon has since confirmed that it will no longer accept information over the phone in this way. Apple has not confirmed yet that it has closed these obvious loop holes, however it did make immediate temporary message and stopped issuing temporary password over the phone, we are still waiting to see what their permanent fix will be.

It is important to note that the companies followed their procedures and the procedures let the customer down. We make it easy from a customer service point of view and that lets the bad guys get in too. It is a shame that we need to have any security at all, it would be nice if we could just have username and no need for a password, but we need passwords and we need to make sure that they are secure and the problem that most companies face is keeping the customer happy, wand secure and that is a tall order as most of the time convenience is the enemy of security. The easiest way to thin of it is a sliding scale with security on one side and convenience on the other. The more convenient we make it the less secure we make it.

Keep your personal data private and do not exposes it unnecessarily. As I have always said, best to have your own domain name and email address and not to use a free generic one for any of your key services, one that you can maintain complete control of and cannot be taken over in anyway by use of social engineering attacks, such as this one. Don’t get me wrong, there are uses for the free accounts but not as your main email address and not as password recovery addresses as these free accounts are constantly hacked in to by this and other methods. They are far too liable to this kind of attack.

 

CritchCorp.