Gmail’s Multi-Factor Authentication Compromised by Cybercriminals in Targeted Assaults


Russian hackers have successfully circumvented Google’s multi-factor authentication (MFA) in Gmail to execute targeted attacks. This finding comes from security researchers at the Google Threat Intelligence Group (GTIG).

The attacks were conducted through advanced social engineering tactics, where the perpetrators impersonated officials from the U.S. Department of State. They cultivated trust with their targets and convinced them to create app-specific passwords.

App passwords are unique 16-digit codes generated by Google that let a specific application or device sign in to a Google account on which MFA is enabled. Typically, users sign in to their Google accounts with both their standard password and a secondary verification step, such as a code sent to their mobile device. However, older or less secure applications often cannot accommodate this extra verification, which is why Google offers app passwords as an alternative sign-in method.

The key weakness of app passwords is that they bypass the second authentication step entirely: whoever holds one, whether it was stolen or handed over through phishing, can sign in without ever completing MFA.

In one specific case highlighted by Citizen Lab, attackers initiated contact by masquerading as State Department representatives, inviting their target to a private online consultation. Though the invitation was sent from a legitimate Gmail account, it also carried four ‘@state.gov’ addresses in the recipient list, creating a false sense of security and leading the target to believe that multiple State Department personnel were involved in the email conversation.

These addresses were likely fabricated: the State Department’s email server accepts messages sent to non-existent addresses rather than bouncing them, so a target who replied to the whole thread would see no delivery failure and nothing to suggest the addresses were fake.

As the conversation progressed and the target expressed interest, they received a seemingly official document instructing them on how to register for an “MS DoS Guest Tenant” account. The document detailed a process that included creating an app password meant to “enable secure communications between internal employees and external partners.” Unbeknownst to the target, this action granted the attackers full access to their Google account.

The victims of this prolonged campaign, which persisted for several months, comprised notable academics and critics of the Russian government. The meticulous nature and expertise exhibited in these attacks lead researchers to believe that they were conducted by a state-sponsored entity.

To mitigate risks associated with app passwords, it is crucial to adopt the following best practices:

  • Limit the use of app passwords to situations where they are absolutely necessary. Transition to applications and devices that support more secure authentication methods when possible.

  • While the importance of enabling MFA remains critical, it is essential to recognize that not all implementations of MFA offer equal security. Utilizing authenticator applications (e.g., Google Authenticator) or hardware security keys (FIDO2/WebAuthn) provides a more robust defense against attacks than SMS codes or app passwords.

  • Stay informed and educate others about recognizing phishing attempts, as attackers often exploit user trust to bypass MFA protections by eliciting credentials or app passwords through fraudulent means.

  • Monitor for unusual login attempts or suspicious behaviors, such as access from unfamiliar locations or devices, and restrict such logins when feasible.

  • Regularly update both operating systems and applications to address vulnerabilities that could be exploited by attackers. Enabling automatic updates is advisable to ensure timely installation of security patches.

  • Implement security software capable of blocking malicious domains and detecting scams to enhance overall security posture.
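The monitoring advice above can be turned into a concrete check: because an app password skips the second factor, the events worth correlating are its creation and any sign-in that uses it from a location the user has never signed in from with full MFA. The following is an added example written for this article, not code from Google or from the researchers; the event records and their field names (`event`, `method`, `country`) are constructed assumptions, not Google’s real audit-log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (field names are assumptions, not Google's schema).
# One user creates an app password, and it is then used from a country that
# user has never signed in from with MFA.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:00:00", "user": "alice@example.org", "event": "login",
     "method": "password+2sv", "country": "US"},
    {"ts": "2025-05-02T10:15:00", "user": "alice@example.org", "event": "login",
     "method": "password+2sv", "country": "US"},
    {"ts": "2025-05-20T14:02:00", "user": "alice@example.org",
     "event": "app_password_created", "method": None, "country": "US"},
    {"ts": "2025-05-20T14:40:00", "user": "alice@example.org", "event": "login",
     "method": "app_password", "country": "RU"},
    {"ts": "2025-05-20T15:00:00", "user": "bob@example.org", "event": "login",
     "method": "app_password", "country": "US"},
]


def detect_app_password_abuse(events, window=timedelta(hours=24)):
    """Return (user, severity, reason) alerts.

    Every app-password creation is flagged as 'medium'. An app-password login
    from a country absent from the user's MFA-login baseline is 'medium', or
    'high' when it follows an app-password creation within `window`, the
    pattern seen in the campaign described above.
    """
    events = sorted(events, key=lambda e: e["ts"])
    baseline = defaultdict(set)   # user -> countries seen via full MFA login
    last_created = {}             # user -> time of most recent creation
    alerts = []
    for e in events:
        t, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["event"] == "app_password_created":
            last_created[user] = t
            alerts.append((user, "medium", "app password created"))
        elif e["event"] == "login" and e["method"] == "app_password":
            if e["country"] not in baseline[user]:
                recent = user in last_created and t - last_created[user] <= window
                sev = "high" if recent else "medium"
                alerts.append((user, sev,
                               f"app-password login from new country {e['country']}"))
        elif e["event"] == "login":
            baseline[user].add(e["country"])   # MFA logins build the baseline
    return alerts
```

A user with no MFA-login history (bob above) is also flagged, since there is no baseline to compare against; tune the baseline source to whatever sign-in telemetry your tenant actually exports.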