Need to bypass Google's two-factor authentication? Send a text message

Do you cover these types of threats in your awareness training? If not, you should.

Criminals targeting Gmail's 2Factor Authentication
Matthew G (Creative Commons BY or BY-SA)

Over the weekend a screenshot circulating on Twitter caught our attention. Normally, this would be a one-off story for the weekly Rehashed round up, but this scam teaches a lesson that's worth some focus.

The lesson is that Social Engineering – when used effectively – will eventually defeat every security control you can throw at it.

The picture below was posted to Twitter by Alex MacCaw, co-founder of

It shows a text message from someone attempting to gain access to a Gmail account. It's a total scam, but consider for a moment what the message implies and what it's asking for.

SMS scam targeting Gmail

The message isn't asking for passwords. It isn't asking for personal information, or for control over the Gmail account in question. Quite the opposite, the text message is offering warm and fuzzy feelings of security, and the ability to further the warm fuzzy via a temporary lockout.

This is a clever attack, and it's sure to have worked in some cases, simply because of the context. The message is telling the victim that someone is attempting to login to their Gmail account, and offers a basic ID on the "attacker".

This opens up two scenarios:

  • Those who are technically inclined will realize that IP addresses can be spoofed, and don't really do much when it comes to attribution. Moreover, if they've enabled Google's two-factor authentication, and use such things regularly, they know messages like this aren't real, as this isn't how the process works.

This segment of the potential victim pool will likely ignore the message and change their Gmail passwords directly to stay on the safe side.

  • On the other hand, adding the attacker's ID actually helps the scam along in some ways. For those not familiar with how IP addressing works, this detail offers a layer of legitimacy, especially if the location shown isn't in their area. Moreover, awareness training often encourages the use of two-factor authentication, but many people who use it don't fully understand its features or functions. If that's the case, they might not realize there's a problem here until it's too late.

As such, this segment of the victim pool is more likely to comply with instructions, confident in the belief they're doing the right thing.

What's the value of a six-digit code?

So now the victim has two text messages. One warning them of an attack – the lure – and a legitimate text message from Google containing a code.What most victim's won't understand is that the original message, warning and all, is the actual attack.

The person who sent the first text message is going to trigger Google's two-factor authentication process. As long as the attacker has the correct password and the victim does as instructed – they'll gain access to the targeted Gmail account.

People reuse passwords across multiple websites. Recently, several hundred million accounts were leaked to the Web, giving criminals a massive pool of potential victims. How many people among the millions of accounts found in those leaks, use the same password (even several years later) on Gmail?

In this case, the attacker likely had the username and password, but they needed a code in order to fully compromise the account. And for some people, compromising their Google account opens up access to their entire existence online.

Another reason this attack is so clever centers on the ask itself

In InfoSec, we've gotten good at training users to avoid sharing passwords with strangers, and urging them to be cautious when such things are requested via email or phone. We've trained them not to click links. Sometimes we've trained them to use two-factor authentication when possible.

People still share passwords and click links though, quite willingly too, but they know they're not supposed to.

Yet, this attack isn't an email, it's a text message. It isn't asking for a password. It isn't asking for the victim to follow a link. It's asking them to respond with the code they're about to receive.

Passwords have value, as anyone who has ever taken basic security awareness training will tell you. But do you think non-technical users (perhaps even those with some basic tech understanding) will place a high value on six random characters?

They should, certainly, but will they?

No, they won't, which is why this type of attack happens. It's exploiting the conditioning that exists thanks to awareness training that's focused on email and physical threats. Unless 2FA codes are singled out in awareness training, users won't protect them. So if you haven't added SMS scams to your awareness programs, you might want to consider it.

Attacks like this are worse when spoofing happens

In the US, sender ID spoofing is difficult. The process of obtaining a registered short code for text messaging is costly and requires some effort. So scams like this will come from an unknown number, with no contact name associated with it. This makes them easier to spot.

However, there are legitimate services in the US that offer short codes that can be leased. Such marketing vendors have strict security on campaigns and requests, but that doesn't make them bulletproof. If an attacker has access to one of those, they can make the message look like it came from anywhere, including trusted sources.

Outside of the US, all bets are off, as sender ID spoofing will require little effort, enabling the attacker to make it look as if Google is sending the message, or someone form your IT department.

Bottom line: Social Engineering is a powerful tool that can be adjusted on the fly, and it's something that can't be prevented by blinking boxes. Awareness training helps, but awareness programs can't be static. As criminals develop new tricks, the training has to change to address them.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!