Amnesty International reported on two phishing attacks it recently endured, possibly carried out by the same attacker (or attackers), on human rights defenders (HRD) like itself, and also journalists, particularly in the Middle East and North Africa.
“What makes these campaigns especially troubling is the lengths to which they go to subvert the digital security strategies of their targets,” stated Amnesty International, which found attackers easily circumvented some 2FA forms to steal credentials, and obtain and maintain access to victims’ accounts.
Tripwire first picked up on the Amnesty International report, which noted attackers have stepped up their game in pretending to be legitimate by erecting websites that are difficult to distinguish from the real ones after alerting the target his or her Google account had been compromised.
In one scenario Amnesty International found victims being tricked into providing passwords, thinking they were being asked to do so for their own protection. Attackers then surreptitiously incorporate into the scheme a legitimate Google page that provides a real SMS code.
In 2017 and 2018 the phishing attacks on Google and Yahoo user accounts in the United Arab Emirates, Yemen, Egypt and Palestine, Amnesty International also tracked those using Tutanota and ProtonMail, both systems happen to be popular with human rights activists.
The mere inclusion of an “e” in the URL of a ProtonMail phishing website at protonemail.ch is all that distinguishes from the real protonmail.ch website.
Tripwire researcher Craig Young suggested a rethinking of authentication schemes that moves away from One-Time Passwords and towards a Universal 2nd Factor token connected via USB or near-field communication. “2FA is not keeping you safe from phishing in any meaningful way,” Young wrote, noting in regard to password compromise alone 2FA does mitigate risks.
In any case, given HRDs’ reliance on and ability to fundraise via email, the ramifications of the potential for 2FA compromise are substantial.