
Be warned, there's a nasty Google 2 factor auth attack going around - maccman
https://twitter.com/maccaw/status/739232334541524992
======
ams6110
So the scam is, attacker knows your gmail address and your phone number. They
send you the text message about suspicious activity on your account. Then they
attempt to reset the password on your gmail account. That triggers Google to
send you the code. You reply to the attacker's message with the code as
instructed, and they own your account.

~~~
stephengillie
Again, this is a social engineering attack. 2-factor remains mathematically
secure.

~~~
fragsworth
It doesn't sound like "2-factor" if all they need is the single code on your
phone.

~~~
etherealmachine
Account recovery is always a nagging weak spot. At some point, a user will
forget their password or lose their TFA device, and now you need them to be
able to prove their identity outside of the usual flow. And if you have enough
users, this has to be automated, leaving even more room for exploitation.

~~~
Alex3917
> And if you have enough users, this has to be automated

Not really, they could just charge people $100 to retrieve a lost password and
then do it manually.

~~~
ocdtrekkie
Charging $100 is pretty punitive, but I've often wondered why more online
services sensitive to attack don't use token credit card charges as a way to
limit account duplication, increase complexity in a malicious operation, etc.

Stealing credit cards is cheap, yes, but the additional cost to using such a
card on a password reset would still be a deterrent.

~~~
Alex3917
> Charging $100 is pretty punitive

Not really, considering there is zero reason for anyone to ever lose a
password assuming they are using a password manager. You could even make it
free for the first few hours after the account is created or the password is
changed in case the user pastes it into their password manager incorrectly.

~~~
copperx
And how many "normal" people do you know that use a password manager? It's 0
for me. They don't even use post-it notes, which would be an improvement over
"I'll just try to remember the password, and if I can't, I'll ask someone to
help me."

~~~
lgas
Assuming the "someone" is the forgot password feature and not a person, this
seems like a sound approach. It's basically using the site itself as a
slightly clunky password manager.

------
JohnTHaller
This isn't a 2 factor attack. It's a social engineering Google account
password reset attack. The attacking party is resetting your Google password
and asking you to provide the code Google sends your registered mobile number
via text to them.

~~~
kjaftaedi
It is a 2 factor attack in the sense that it reduces the two factors down to
one.

~~~
sievebrain
2 factor auth is _not_ a defence against phishing. This is such a common
misconception. All two-factor means is that someone with _only_ your password
cannot log in, or _only_ your device.

What's happening here is that Google accounts _without_ 2-factor but _with_ a
phone recovery path set up are being "account recovered" by a bad guy. It's
just plain old phishing.

------
azinman2
I wonder if this is at all related to a phishing attempt that just got my mom
and all her friends. It came in as a "docusign" email that looked reasonably
legit (to an ordinary person) that just had one button to sign and review a
document. Apparently they asked for email, email password, and phone number. I
was surprised to learn about the phone number bit and how they'd use it.
Something like this is probably how.

While I'd have thought entering your email password would have been red flag
galore, my mom and her friends were all exploited by the social trust aspect
"I figured if it was coming from you it would be real."

~~~
Sephr
> "I figured if it was coming from you it would be real."

You should set up a strict DMARC policy (p=reject) to prevent people from
spoofing your email address. It appears that you have not[1].

Additionally, you should harden your SPF record: change ~all to -all.

[1]: https://dmarcian.com/record-tools/azinman.com
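
A small checker for the two settings Sephr recommends (DMARC p=reject, SPF -all), added here as an example and not code from the thread or from dmarcian. It runs over constructed TXT records embedded in the block instead of doing real DNS lookups; the domain names are placeholders.

```python
import re

# Constructed sample TXT records (no DNS lookups are made). The "weak" pair has
# exactly the two problems called out above: no reject policy and SPF "~all".
SAMPLE_RECORDS = {
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    "weak.example": "v=spf1 include:_spf.example.net ~all",
    "_dmarc.strong.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "strong.example": "v=spf1 include:_spf.example.net -all",
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def spf_all_qualifier(txt):
    """Qualifier on the terminal 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
    if not m:
        return None
    return m.group(1) or "+"  # a bare 'all' means '+all' (pass everything)

def audit(domain, records):
    """Return findings for domain (empty list = both checks pass)."""
    findings = []
    tags = parse_dmarc(records.get("_dmarc." + domain, ""))
    if tags.get("v") != "DMARC1":
        findings.append("no valid DMARC record: receivers will not reject spoofed mail")
    elif tags.get("p") != "reject":
        findings.append("DMARC p=%s: set p=reject" % tags.get("p", "missing"))
    spf = records.get(domain)
    if spf is None or not spf.startswith("v=spf1"):
        findings.append("no SPF record")
    else:
        q = spf_all_qualifier(spf)
        if q is None:
            findings.append("SPF has no terminal 'all' mechanism")
        elif q != "-":
            findings.append("SPF '%sall': change to -all so unlisted senders hard-fail" % q)
    return findings

if __name__ == "__main__":
    for d in ("weak.example", "strong.example"):
        print(d, audit(d, SAMPLE_RECORDS) or ["ok"])
```

To audit a real domain, feed `audit` the TXT records you fetch for `_dmarc.<domain>` and `<domain>` in the same dict shape.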

~~~
azinman2
It's not a spoof when you're phished and hand over your credentials.

It also was my mom that was phished, not me.

~~~
Sephr
Sorry, I don't think you understand.

I'm saying that people cannot send emails to your mother pretending to be you
if you were to implement the changes I have suggested.

I didn't say you were phished, I said you were spoofed. Judging by your first
comment, your email address being spoofed is how your mother was phished.

~~~
azinman2
I do understand :) Perhaps my first comment was not clear. She never received
anything from me. I'm not involved at all. It was her friend that got
originally phished, which then sent a legitimate email (from an SPF record
perspective) to her, which then phished her credentials, and so forth.

------
yborg
Clever. If you've never actually had 2FA trigger before to know how it works,
you could fall for this.

------
tjohns
This is one of the nice things about using a hardware security key (FIDO U2F),
like Yubikey.

Since the security key works with the browser to ensure it's communicating
directly with a specific site, you can't MITM them like you can with mobile app
(TOTP) or SMS-based two-factor codes.

I wish more browsers would add support for them.
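
An added, simplified model of the origin binding tjohns describes (not Google's, Yubico's or the FIDO specification's code): the browser, not the user, tells the key which origin is asking, and that origin is part of what gets signed, so an assertion produced on a look-alike page does not verify at the real site. HMAC stands in for the per-site ECDSA signature so the block runs on the standard library alone; the origins are placeholders.

```python
import hashlib
import hmac
import os

class SecurityKey:
    """The authenticator: signs over the origin the browser reports, never one the user types."""
    def __init__(self):
        self._master = os.urandom(32)  # constructed device secret

    def _site_key(self, origin):
        # One key per origin, as U2F derives one key pair per registration.
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin):
        # The relying party stores this to verify later assertions
        # (a public key in real U2F; a shared HMAC key in this model).
        return self._site_key(origin)

    def sign(self, origin, challenge):
        # The signed message commits to the origin as well as the challenge.
        msg = hashlib.sha256(origin.encode()).digest() + challenge
        return hmac.new(self._site_key(origin), msg, hashlib.sha256).digest()

class RelyingParty:
    """The genuine site: rebuilds the message with its own origin before checking."""
    def __init__(self, origin, verifying_key):
        self.origin = origin
        self.key = verifying_key

    def verify(self, challenge, signature):
        msg = hashlib.sha256(self.origin.encode()).digest() + challenge
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def login_attempts():
    """Return (direct_login_ok, relayed_via_lookalike_ok) for one fresh challenge."""
    key = SecurityKey()
    site = "https://accounts.example"            # placeholder genuine origin
    rp = RelyingParty(site, key.register(site))
    challenge = os.urandom(32)
    direct = rp.verify(challenge, key.sign(site, challenge))
    # A look-alike page relays the genuine challenge to the user, but the browser
    # hands the key the look-alike's origin, so the real site rejects the result.
    relayed = rp.verify(challenge, key.sign("https://accounts-example.test", challenge))
    return direct, relayed

if __name__ == "__main__":
    print(login_attempts())  # (True, False)
```

A TOTP or SMS code carries no origin at all, which is why the same code verifies wherever the user is tricked into typing it.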

------
libeclipse
This "attack" could be semi-mitigated by using Authy or Google Authenticator
instead of SMS. If users knew to never ever paste the generated codes anywhere
but the site, this attack wouldn't exist at all.

------
tehwebguy
A friend is currently receiving spear phishing attempts via text. Claims their
lost iPhone has been found and that they need to log into icloud10 . com

------
koolba
While you're at it, verify that your password has not been hacked by entering
it here: hxxp://evil.example.com/password-checker

~~~
ikeboy
hunter2

------
fragsworth
How can this possibly work?

Even if an attacker gets the phone code, they should still need your password
to sign in. How do they get past that?

~~~
kinofcain
As ams6110 noted, it's likely not a 2-factor auth attack but rather a password
reset attack.

------
jschwartzi
I guess I'm going to go set all my security question answers to random 64-byte
strings that are base-64 encoded.

~~~
chris_wot
Don't forget to apply a ROT-13 encoding afterwards, that should make it super
secure.

~~~
technofiend
I'm _doubly_ secure with ROT-13 applied twice! ROT-26 (Patent Pending). Don't
leave home without it.

~~~
chris_wot
The nice thing about applying ROT-13 twice is that it greatly reduces decoding
time.

