According to my knowledge, phishing basically only steals the email id and password, right?
2 Answers
"Phishing" is a broad term for online social engineering attacks where the attacker impersonates somebody the victim trusts. Phishing attacks can have many goals; basically anything that the user could be persuaded to do on behalf of the impersonated entity. 2FA protects against certain attacks, and some forms of 2FA provide better protection than others, but it's not a perfect solution.
- Attacker wants credentials: get the user to enter their credentials in a web form that appears to be a trusted site. This alone won't give the attacker access to the account if the account has 2FA, but we never specified "access to the account", merely "credentials".
- Attacker wants access to the account: spoof the trusted login page, and then simultaneously try to log in with the captured credentials (and forward back any user-facing prompts) so the user sees the expected 2FA behavior and approves the login / enters their access code. (This doesn't work for FIDO/U2F, but the attacker can try having their spoofed login page complain that the security key isn't working and the victim should use an alternate authentication method.)
- Attacker wants access to the account contents (emails, etc.): Convince the victim to authorize an app (maybe call it "Gmail Privacy Protection" or similar) that the attacker controls, and that gets access to the user's mailbox (this exact kind of attack went around less than 3 years ago with an app spoofing Google Docs integration and then forwarding itself as a worm).
- Attacker wants to control the victim's browser: get the victim to install a browser extension from a "trusted" source.
- Attacker wants to take over / compromise (perhaps with ransomware) the victim's whole computer: convince the victim to run a program written/distributed by a "trusted" source.
- Attacker wants the victim to send them $2500 in gift cards (this is a more common attack than you might think): convince the victim you're their boss, tell them to buy the gift cards with their corporate account and that it's covered, and to send them to somebody that is a plausible recipient (a corporate partner, or an internal team running a prize event, or whatever) but with the wrong address.
- Attacker wants... you get the idea.
Phishing your credentials is like XSSing your session token. It's obvious and scary and a perfectly legitimate target, but it's far from the only thing the attacker can do, and mitigations that specifically protect against that goal usually do little or nothing to prevent other goals. FIDO/U2F security keys provide excellent protection against web-based phishing pages, but you need to use them consistently. They provide no protection against you authorizing access to an app, running code (either in a sandbox like your browser / phone, or on your computer directly), or other attacks that don't directly involve stealing the victim's credentials or login session.
This seems to be a very broad interpretation of "phishing". – Barmar Jan 30 '20 at 17:05
@Barmar at this point in time, phishing is indeed a very broad term – schroeder Jan 30 '20 at 20:00
Assumption: by phishing you mean putting up a fake web page that looks like GMail and trying to trick users into typing their username and password into it.
GMail has three types of 2FA:
1) Phone prompt: To defeat this, all the attacker has to do is immediately try to log in with your stolen username and password. Since you think you're logging in (you just tried to log in to their phishing site, after all), you'll likely confirm it. A more savvy user might be saved here by noticing the browser/location etc. issues, but many would just click. (And an even more savvy attacker knows your browser/OS and location, since you just used their phishing site, and could go to the trouble to spoof that too.)
2) SMS Code: Again, the attacker just has to build a site that also asks for your mobile number, then immediately use the information they phished from you; you will get an SMS, and you will type it into the 2FA screen they put up. If their initial phishing page tricked you into entering your info, it's unlikely you will suddenly notice it's fake at step 2.
3) FIDO U2F Dongle / Key Token: Actually provides some real security if you are tricked into typing your username and password into a phishing site. An attacker will not be able to use a token they tricked you into generating for mail.googiie.hackerland to then access a real google domain.
@Qwertie FIDO/U2F security keys (as opposed to dongles that just emit a pseudorandom string into wherever the cursor is, regardless of what you're doing) actually communicate with the browser / app, and use the site you're communicating with as an input into the output they generate. If you're on "googIe.com" (that's a capital "i" instead of a lowercase "L") then the generated token won't be correct for Google. – CBHacking Jan 31 '20 at 01:06
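How the origin binding described in the answer and the comment above works, as an added, deliberately simplified model (not the U2F protocol itself, and not code from any project): HMAC with a shared secret stands in for the key's per-credential ECDSA signature, and the origin strings are illustrative.

```python
import hashlib
import hmac
import os

REAL_ORIGIN = "https://accounts.google.com"  # illustrative origin for the genuine site

class Authenticator:
    """Stand-in for a U2F/FIDO security key (simplified model, not the spec)."""

    def __init__(self) -> None:
        # A real key holds a per-credential ECDSA private key; HMAC over a
        # random secret stands in for signing in this model.
        self._secret = os.urandom(32)

    def verifier_key(self) -> bytes:
        # A real key hands the site a public key; this model shares the secret.
        return self._secret

    def sign(self, browser_origin: str, challenge: bytes) -> bytes:
        # The browser, not the web page, tells the key which origin is asking,
        # and that origin becomes part of what gets signed.
        app_param = hashlib.sha256(browser_origin.encode()).digest()
        return hmac.new(self._secret, app_param + challenge, hashlib.sha256).digest()

class RelyingParty:
    """The genuine site: it only accepts responses bound to its own origin."""

    def __init__(self, origin: str, key: bytes) -> None:
        self.origin = origin
        self._key = key

    def verify(self, challenge: bytes, response: bytes) -> bool:
        app_param = hashlib.sha256(self.origin.encode()).digest()
        expected = hmac.new(self._key, app_param + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login_succeeds(browser_origin: str) -> bool:
    """Simulate one login where the challenge came from the real site but the
    user's browser is on browser_origin (the real site or a look-alike)."""
    key = Authenticator()
    site = RelyingParty(REAL_ORIGIN, key.verifier_key())
    challenge = os.urandom(32)  # a look-alike page can forward this unchanged...
    response = key.sign(browser_origin, challenge)  # ...but not the origin
    return site.verify(challenge, response)

if __name__ == "__main__":
    print(login_succeeds(REAL_ORIGIN))                        # True
    print(login_succeeds("https://googIe.com"))               # False (capital i)
    print(login_succeeds("https://mail.googiie.hackerland"))  # False
```

An SMS or phone-prompt code carries no origin at all, which is why those factors relay cleanly while the key's response does not.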