Hackers Bypass Gmail, Yahoo 2FA at Scale

A new Amnesty International report explains how cyberattackers are phishing second-factor authentication codes sent via SMS.

Amnesty International this week released a report detailing how hackers can automatically bypass multifactor authentication (MFA) when the second factor is a text message, and theyre using this tactic to break into Gmail and Yahoo accounts at scale.
MFA is generally recommended; however, its security varies depending on the chosen factor. Consumers prefer second-factor codes sent via text messages because theyre easy to access. Unfortunately for some, cybercriminals like them for the same reason.
Amnesty discovered several credential phishing campaigns, likely run by the same attacker, targeting hundreds of individuals across the Middle East and North Africa. One campaign went after Tutanota and ProtonMail accounts; another hit hundreds of Google and Yahoo users. The latter was a targeted phishing campaign designed to steal text-based second-factor codes.
Throughout 2017 and 2018, human rights defenders (HRDs) and journalists from the Middle East and North Africa shared suspicious emails with Amnesty, which reports most of this campaigns targets seem to come from the United Arab Emirates, Yemen, Egypt, and Palestine.
Most targets initially receive a fake security alert warning them of potential account compromise and instructing them to change their password. Its a simple scheme but effective with HRDs, who have to be on constant high alert for physical and digital security.
From there, targets are sent to a convincing but fake Google or Yahoo site to enter their credentials; then they are redirected to a page where they learn theyve been sent a two-step verification code. Entering the code presents them with a password reset form. Most people wouldnt question a password change prompt from Google as it seems legitimate.
Attackers automate the full process: getting victims to log into their email accounts, obtaining the two-factor code, and prompting them to change their passwords.
Its worth noting text-based authentication is mostly unsafe for high-risk people because attackers have to pick a specific target. For corporate leaders and other folks holding sensitive data, its worth exploring stronger methods of MFA, such as physical security keys.
Read more details
here
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Hackers Bypass Gmail, Yahoo 2FA at Scale