Hackers bypass Gmail and Yahoo! Mail 2FA at scale

A new report published by non-profit Amnesty International details how threat actors are able to bypass 2FA (Two-Factor Authentication) that leverages a text (SMS) message as the second authentication factor.

The process is automated and the 2FA can be cracked within seconds.

Typically with 2FA, when you open an account, you give the service – Google, Twitter, etc. – your mobile phone number. When you later log in with your password, the service sends you a text (SMS) message containing a code, which you are prompted to enter. This serves as the second form of authentication.

Amnesty International reported widespread phishing of Google and Yahoo! mail accounts in the Middle East and North Africa throughout 2017 and 2018.

The attackers sent victims fake alerts informing them that their account had been compromised and asking them to urgently change their password. The phishing e-mail included a link that redirected victims to a well-crafted Google or Yahoo! Mail phishing web site. After the users entered their password, they were prompted to enter the code that was sent to them via SMS.

Read more about it here.
