Iranian Phishing

CitizenLab is reporting on Iranian hacking attempts against activists, which include a real-time man-in-the-middle attack against Google's two-factor authentication.

This report describes an elaborate phishing campaign against targets in Iran's diaspora, and at least one Western activist. The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and "real time" login attempts by the attackers. Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi.

The attacks point to extensive knowledge of the targets' activities, and share infrastructure and tactics with campaigns previously linked to Iranian threat actors. We have documented a growing number of these attacks, and have received reports that we cannot confirm of targets and victims of highly similar attacks, including in Iran. The report includes extra detail to help potential targets recognize similar attacks. The report closes with some security suggestions, highlighting the importance of two-factor authentication.

The report quotes my previous writing on the vulnerabilities of two-factor authentication:

As researchers have observed for at least a decade, a range of attacks are available against 2FA. Bruce Schneier anticipated in 2005, for example, that attackers would develop real time attacks using both man-in-the-middle attacks, and attacks against devices. The "real time" phishing against 2FA that Schneier anticipated was reported at least 9 years ago.

Today, researchers regularly point out the rise of "real-time" 2FA phishing, much of it in the context of online fraud. A 2013 academic article provides a systematic overview of several of these vectors. These attacks can take the form of theft of 2FA credentials from devices (e.g. "Man in the Browser" attacks), or by using 2FA login pages. Some of the malware-based campaigns that target 2FA have been tracked for several years, are highly involved, and involve convincing targets to install separate Android apps to capture one-time passwords. Another category of these attacks works by exploiting phone number changes, SIM card registrations, and badly protected voicemail.

Boing Boing article. Hacker News thread.

Posted on August 27, 2015 at 12:36 PM • 16 Comments


Anura • August 27, 2015 12:59 PM

First thing people need to realize is that the only thing 2FA does is make it harder for people to log in as you by guessing your password or getting it from a data dump. It does absolutely nothing if you have a virus on your machine, or they perform a man-in-the-middle attack (either through no certificate, a forged certificate, or by sending you to the wrong page) as they just forward the credentials from you without your knowledge.

So most attacks aren't really attacking 2FA, as these are not things that 2FA are designed to protect against.

Jamie • August 27, 2015 2:48 PM

True out-of-band 2FA (e.g. a mobile device showing time-based codes like Google Authenticator) should adequately prevent future compromise of an account, even against a keylogger on the PC being used to log in. You're correct that a true MITM attack with forwarding could potentially compromise such an out-of-band 2FA, but if the PC and server are using strongly configured TLS, then only an installed SuperFish-style intermediate certificate on the PC would allow a MITM attack on that connection.

Taken all together, it's very difficult to compromise 2FA, and requires specific targeting of a single person. Now, if you are the target of a nation-state level threat actor, then yes, you should be worried. If you're just trying to protect access to your savings account, not so much.

Anura • August 27, 2015 3:02 PM

None of the attacks mentioned can be mitigated by any type of 2FA. If your browser is compromised (Man in the Browser Attack), there is literally nothing you can do, as once you authenticate the attacker can impersonate a browser tab without your knowledge. For a Man-In-The-Middle, whether through phishing or forged certificates (or stripping HTTPS from links and hoping the user doesn't notice), they simply can forward the authentication to the server, and no amount of 2FA voodoo is going to get around that; you have to prevent the MITM through other means, which is a difficult problem.

Anura • August 27, 2015 3:35 PM

Actually, there is one thing that can be done to mitigate the above mentioned attacks, now that I think about it: every single action you do would have to be authenticated via a separate channel. That way, while an attacker could still see everything you do, they cannot do anything without your approval. Then you would have to attack both the interface and the authentication channel separately to be successful.

Jonathan Wilson • August 27, 2015 4:10 PM

One great security idea I have seen for an online bank is a little device that looks a bit like a calculator. It has a secret key (known only to the device and to the bank) inside it. When you want to transfer money to someone, the bank site gives you a challenge value and you enter the challenge value, the account number and the amount into the calculator which gives you a response value back that is based on all 3 items. Then you key that into the website. The bank then verifies that the hash is correct for the provided account number and amount (preventing even man-in-the-browser attacks that fiddle with the values and steal your money)

Assuming the UI for the calculator is designed properly (so that e.g. you need to press a $ button before entering the amount) it should be impossible for a scammer to convince all but the most clueless of users to key in an account number and amount to transfer money to the scammer.

Another interesting system I have heard of being used is a device that plugs into the computer/device (or works over Bluetooth or other wireless) that looks like the card terminal you see at retailers. You insert your ATM card into it and key in your PIN and the $ amount and stuff. It then does cryptography on that and sends it to the bank just like the terminals at the retailers.

Assuming the device is built properly, it should be resistant to basically any form of remote attack (although you could probably compromise the thing if you had physical access to it just like any other chip & pin solution)

In general, out-of-band 2FA (using a device an attacker can't touch) that involves the actual amount and account number seems like the best way to solve the problems involved with phishing scams for financial systems (banks etc)
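The transaction-signing calculator described above, and the per-action confirmation Anura suggests a few comments earlier, both work by binding the second factor to the transaction details rather than to the login. The following is an added illustration, not code from the original post or from any bank: a constructed shared secret, an HMAC-based response over challenge, account and amount, and a bank-side check showing that a man-in-the-browser that swaps the account number, or replays an old response, fails verification.

```python
import hmac
import hashlib
import secrets

# Constructed device secret for the demo; in a real token it is provisioned
# into the calculator at issue time and known only to the device and the bank.
DEVICE_SECRET = bytes.fromhex("6f1b2c3d4e5f60718293a4b5c6d7e8f9")


def device_response(secret: bytes, challenge: str, account: str, amount_cents: int) -> int:
    """What the calculator computes from the three values the user keys in.
    Returns an 8-digit decimal so it can be read off a small display."""
    msg = f"{challenge}|{account}|{amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 10**8


class Bank:
    """Bank side: issues one-time challenges and verifies transfer responses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending: set[str] = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(4)
        self.pending.add(challenge)
        return challenge

    def verify_transfer(self, challenge: str, account: str, amount_cents: int, response: int) -> bool:
        if challenge not in self.pending:      # unknown or already used: reject replay
            return False
        self.pending.discard(challenge)        # each challenge is single-use
        expected = device_response(self.secret, challenge, account, amount_cents)
        return hmac.compare_digest(f"{expected:08d}", f"{response:08d}")


def demo() -> tuple[bool, bool, bool]:
    bank = Bank(DEVICE_SECRET)
    # Honest transfer: user keys challenge, account and amount into the device.
    c1 = bank.new_challenge()
    r1 = device_response(DEVICE_SECRET, c1, "12345678", 25000)
    honest = bank.verify_transfer(c1, "12345678", 25000, r1)
    # Man-in-the-browser swaps the destination account after the user computed r2.
    c2 = bank.new_challenge()
    r2 = device_response(DEVICE_SECRET, c2, "12345678", 25000)
    tampered = bank.verify_transfer(c2, "99999999", 25000, r2)
    # Replay of the already-consumed first response.
    replayed = bank.verify_transfer(c1, "12345678", 25000, r1)
    return honest, tampered, replayed
```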

Nick Parlante • August 27, 2015 4:26 PM

I'm reminded of the new FIDO u2f login dongle, which in particular works with gmail

Due to the way the keys are arranged between the device and the login-site, a 3rd party can intercept the "token", but it's useless to them. Getting a code by text is susceptible as seen in this story, so U2F really is a jump up.

There's a spec for U2F over Bluetooth/NFC, so a phone can be the U2F device, which seems more likely way for it to catch on than the little USB dongle.

Not affiliated with them, just excited to see a technical fix for this stuff.

Clive Robinson • August 27, 2015 5:24 PM

@ Jonathan Wilson,

One great security idea I have seen for an online bank is a little device that looks a bit like a calculator. It has a secret key (known only to the device and to the bank) inside it.

If you search this site, you will find various discussions where I outlined exactly what was needed for such a device, long long before anyone else did. For my sins I also designed the first working system using SMS messages for out of band authentication for banking.

The number of "firsts" on this blog is quite impressive, and one day it might be worth totting them all up.

RSA Token keys • August 27, 2015 6:27 PM

Didn't RSA have their little token keyring number things stolen or compromised not so long ago?

rgaff • August 27, 2015 11:01 PM

@Clive Robinson

"The number of "firsts" on this blog is quite impressive, and one day it might be worth totting them all up."

Maybe useful against patent trolls...

Clive Robinson • August 28, 2015 9:07 AM

@ rgaff,

Maybe useful against patent trolls...

Not just them but also those who want to monopolize a market, by closing out competition rather than let the market flourish and just act as vampires as the trolls do.

Patents and IP in general very very rarely do what they are supposed to do which is reward the innovator. Worse they are frequently used for anticompetitive and antimarket control, blocking out or stopping innovation or change. The worst aspects of this can be seen in the telecoms industry, where big players want to stifle innovation to protect existing well out of date technology the big players want to still make outrageous profits on at the expense of everybody including themselves...

Mike Amling • August 28, 2015 1:20 PM

@Clive Robinson
"... I outlined exactly what was needed for such a device, long long before anyone else did. ... I also designed the first working system using SMS messages for out of band authentication for banking."

Your brother Heath also has a number of inventions to his credit. :)

Mike Amling • August 28, 2015 1:34 PM

@Clive Robinson
"Patents and IP in general very very rarely do what they are supposed to do which is reward the innovator. Worse they are frequently used for anticompetitive and antimarket control,"

Let's not forget why Thomas Jefferson (I think it was; I could be wrong.) supported patents: The alternative is trade secrets. The patent office trades a 20-year monopoly for a public description of the invention. A trade secret, in contrast, could last indefinitely or be lost forever.

While I would agree that this line of reasoning is not particularly helpful in forming policy toward patent trolls, it does establish that allowing patents on software is unnecessary, because it's so hard to keep software a trade secret.

Anura • August 28, 2015 1:58 PM

@Mike Amling

When it comes to things like software and standards or prescription drugs, that line of reasoning is completely irrelevant as nothing is really secret. 20 year patents are a very modern idea anyway.

David • September 2, 2015 5:04 AM

The Iranians are known for going after their own ex-pats.

So I wonder what a "real time" login attack might look like. Using a keylogger, get the target to log in after calling them. Then as he/she is about to request a 2FA over SMS grab their phone with a fake tower. Then use your duplicate of their phone (you know their number, IMEI and IMSI) to receive the SMS (if having such a thing is even necessary). Log in while the target is wondering what happened or after he/she gives up. This should surely work, especially if the target logs off.

Forget the SMS authentication. It is too vulnerable. For defense go with a thoroughly wiped PC that runs Puppy Slacko (only in memory). Use Firefox with No Script and change the User-Agent in the browser with Modify Headers. Change it to "Windows NT 5.0". Change your browser to "Opera".

Use Countermail with a truly random longish password and a Keyfile (512 bit) on a USB. With the USB log on using the protected environment which loads the login page locally.

I think that is enough. Check your Countermail once in a while to see when you last logged in. Encrypt any files you may save on Countermail with GNUPG RSA 4096. Only use that computer for Countermail. When not using it turn it off.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.