A new report from the University of Toronto’s Citizen Lab uncovers ongoing attacks against targets in Iran’s diaspora, and at least one Western activist, which attempt to bypass protections provided by two-factor authentication in Gmail.

Researchers say that most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi.

Two-factor authentication is an authentication method used by many services, such as Gmail and Dropbox, to increase account security against password theft and “phishing,” which is a general term for “e-mails, text messages, and websites fabricated by malicious actors, designed to look like they come from well-known and trusted businesses and government agencies in an attempt to collect personal, financial, and sensitive information.” The most commonly used form of two-factor authentication requires a user to enter their regular password followed by a single-use code which is sent by text message to their previously registered phone.  When enabled, two-factor authentication requires that both the password and code be entered in order to login, rendering only stolen passwords useless.

“While attacks against two-factor authentication are widely documented in the context of online fraud, the rise in use of two-factor authentication by users of free online services may be leading other categories of attackers, such as political attackers, to begin developing their own versions of these attacks,” said Citizen Lab senior research fellow John Scott-Railton, one of the report’s authors.

In the report, entitled London Calling: Two-Factor Authentication Phishing From Iran,” Citizen Lab researchers identified three types of “real time” attack, with the assistance of the Iranian targets and other security researchers. The first attack attempts to phish both the user’s password and the two-factor authentication code by tricking victims into thinking that someone is trying to access their account. The attacker does this by showing fraudulent pages that simulate Gmail’s two-step login process to the victim, which allows the attacker to collect the victim’s input, while simultaneously logging in to the real Gmail page.

The second attack, which the researchers tie to the same actors, begins with a call from a number in the UK, promising to send the target a proposal. The target would receive an email after the phone call that looks similar to a Google Drive shared file notification. “Clicking on the link contained in the email leads to a fake login page for Google Drive and a fake two-factor authentication page, thereby allowing the attacker to harvest both the password and the two-factor authentication code at the same time,” said Katie Kleemola, Senior Security Researcher at Citizen Lab in U of T’s Munk School of Global Affairs.

The third type of attack poses as a request from a member of the media. One such attack targeted Jillian York, Director for International Freedom of Expression at the Electronic Frontier Foundation, whose work includes extensive professional contact with Iranian advocacy groups. As with the other attacks, she received an e-mail masquerading as a Google Drive e-mail share but which was, in fact, a link to a phishing site. She is the only non-Iranian target that the researchers are aware of.

These findings suggest that by using two-factor authentication and staying vigilant, the targeted users were able to stay safe. “Implementing two-factor authentication on all of your accounts is an important security step for everyone,” said Kleemola.

“Although “real time” attacks against two-factor authentication have existed for at least a decade, there are few public reports of such attacks against political targets,” said Scott-Railton. “It may be that, as more people start using two-factor authentication, politically-motivated actors have had to resort to the playbook that financial criminals have written.”

Follow coverage of this Citizen Lab report by the following media outlets:

ABC News
Associated Press
The Daily Beast
The Hill
Huffington Post
International Business Times
SC Magazine
Washington Times