Cybersecurity experts are warning all Gmail users about a new hack that defeats two-factor authentication (2FA) to take over accounts.
Two-factor authentication is supposed to add an extra layer of protection for your private online accounts, typically by sending an access code to the legitimate user's phone or email.
The new cybercrime tool is called Astaroth. It steals these codes in real time: the victim is sent to a phony page that looks like the real login screen, so they believe they have logged into their account normally.
Hackers using Astaroth can gain access to usernames, passwords, credit card numbers, bank information, and other important data once the victim logs in through these phony pages.
Once attackers capture your information, they could use it to enter your accounts on their own or sell the information on the dark web.
The new phishing tool acts as a middleman for hackers, capturing login credentials (usernames and passwords), 2FA codes, and session cookies (the small token a browser stores after a successful login so the user does not have to sign in again) in real time. Together, this bypasses any code-based 2FA on the account.
Astaroth puts up a phony Gmail login screen for the victim to access, allowing hackers to copy their private information down before passing it on to their real email login screen.
Since the phony webpage shows no security warnings, victims never know what is going on until it's too late.
The surest way to dodge the phishing attack is to avoid following the initial suspicious link scammers send. Accounts protected by a phishing-resistant second factor, such as a FIDO2 security key or a passkey, also resist this kind of relay: the browser signs the web address it is really on, so a login made on the fake domain is rejected by the real service.


According to cyber security experts, anyone using services like Gmail, Yahoo, AOL, and Microsoft Outlook could be vulnerable to these attacks - meaning over two billion email accounts could fall victim to this scheme.
Phishing involves cyber-criminals attempting to steal personal information such as online passwords, bank details, or money from an unsuspecting victim.
Often, the criminal will use an email, phone call, or even a fake website pretending to be from a reputable company.
The criminals can use personal details to complete profiles on a victim which can be sold on the dark web.
Simpler phishing kits relied on static fake login pages that could only capture the victim's username and password.
This meant 2FA could still keep email users safe, because the attacker had the password but not the one-time code sent to the user's phone or app.
Astaroth is taking phishing to the next level, intercepting these verification codes, texts, and emails in real time without the user's knowledge.
According to researchers at technology company SlashNext, the seller of this phishing tool is offering it to hackers for just $2,000 on the dark web.
Even worse, the anonymous nature of these purchases makes it incredibly difficult for police to track the sales or find the hackers buying Astaroth.
How does Astaroth work?
Victims set off the phishing attack by clicking on a suspicious URL - sending them to a malicious server the hacker is using as a 'reverse proxy.'
A reverse proxy is a server which sits 'in front' of another server, app, or cloud service and forwards all the victim's web browser requests to those servers.
For hackers, this means they can monitor and capture everything the victim's browser sends to the real service, and everything the service sends back.
The rogue server mimics the target domain's appearance and functions while continuing to send traffic between the victim and the legitimate login page.
Simply put, if you're on Gmail, Astaroth puts up a phony Gmail login screen for the victim to use, allowing the hacker to copy their private information down before passing it on to the real Gmail.
The victim also doesn't see any security warnings, so they never know that something is going wrong.
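The relay described above, as an added example in Python that is not code from the Astaroth kit or from SlashNext's report. It models the three parties (victim's browser, rogue proxy, real login server) as in-memory objects; the hostnames, the "alice" account, its password, the one-time code and the key are all constructed. It goes one step beyond the article by also showing why an origin-bound second factor (a FIDO2 security key or passkey, reduced here to an HMAC over the challenge and the origin) cannot be relayed the same way.

```python
"""Model of the reverse-proxy login relay. Added illustration only: not code from the
Astaroth kit or from SlashNext's report. Hostnames, the account, the password, the
one-time code and the key are constructed, and nothing touches the network."""
import hmac
import secrets
from dataclasses import dataclass, field

REAL_ORIGIN = "https://accounts.example.com"         # stands in for the real login page
PROXY_ORIGIN = "https://accounts-example-login.net"  # stands in for the look-alike domain


@dataclass
class Response:
    body: str
    set_cookie: str = ""   # empty when the server did not start a session


class OriginBoundKey:
    """Stand-in for a FIDO2/WebAuthn authenticator: it signs the challenge together with
    the origin the browser is on. (Real WebAuthn signs clientDataJSON with a public key;
    an HMAC is used here only to keep the example short.)"""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, challenge: str, origin: str) -> str:
        return hmac.new(self.secret, f"{challenge}|{origin}".encode(), "sha256").hexdigest()


class RealService:
    """Legitimate login server: password plus second factor, then a bearer session cookie."""

    def __init__(self):
        self.users = {"alice": {"password": "correct horse", "otp": "482913",
                                "key": OriginBoundKey()}}  # constructed account
        self.sessions = {}  # session cookie -> username

    def _issue_session(self, username: str) -> Response:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return Response(f"welcome {username}", set_cookie=cookie)

    def login_otp(self, username: str, password: str, otp: str) -> Response:
        user = self.users.get(username)
        if not user or not hmac.compare_digest(user["password"], password):
            return Response("bad password")
        if not hmac.compare_digest(user["otp"], otp):
            return Response("bad 2FA code")
        return self._issue_session(username)

    def login_key(self, username: str, challenge: str, assertion: str) -> Response:
        user = self.users.get(username)
        # The server only ever verifies against its own origin, never the proxy's.
        if not user or not hmac.compare_digest(
                user["key"].sign(challenge, REAL_ORIGIN), assertion):
            return Response("assertion was not made for this origin")
        return self._issue_session(username)

    def inbox(self, cookie: str) -> Response:
        user = self.sessions.get(cookie)
        return Response(f"inbox of {user}") if user else Response("login required")


@dataclass
class ReverseProxy:
    """Forwards each request to the real service unchanged and records what passes through."""
    upstream: RealService
    captured: dict = field(default_factory=dict)

    def _relay(self, resp: Response) -> Response:
        if resp.set_cookie:                      # Set-Cookie on the way back is the prize
            self.captured["session_cookie"] = resp.set_cookie
        return resp

    def login_otp(self, username, password, otp) -> Response:
        self.captured.update(username=username, password=password, otp=otp)  # plaintext at the proxy
        return self._relay(self.upstream.login_otp(username, password, otp))

    def login_key(self, username, challenge, assertion) -> Response:
        return self._relay(self.upstream.login_key(username, challenge, assertion))


def run_otp_attack():
    """Victim logs in with password + one-time code via the proxy; attacker replays the cookie."""
    real = RealService()
    proxy = ReverseProxy(upstream=real)
    victim = proxy.login_otp("alice", "correct horse", "482913")
    attacker = real.inbox(proxy.captured.get("session_cookie", ""))
    return victim.body, attacker.body, proxy.captured


def run_key_attack():
    """Same relay with an origin-bound factor: the browser is on PROXY_ORIGIN, so that is
    what it signs, and the real server rejects the assertion. Nothing is issued to steal."""
    real = RealService()
    proxy = ReverseProxy(upstream=real)
    challenge = secrets.token_hex(8)  # in practice issued by the real server and relayed
    assertion = real.users["alice"]["key"].sign(challenge, PROXY_ORIGIN)
    victim = proxy.login_key("alice", challenge, assertion)
    attacker = real.inbox(proxy.captured.get("session_cookie", ""))
    return victim.body, attacker.body, proxy.captured
```

In the one-time-code run the victim sees "welcome alice" exactly as they would on the real site, while the proxy's `captured` dict holds the username, password, code and session cookie, and the attacker's replay of that cookie returns the inbox. In the origin-bound run the victim's login fails on the fake domain and no cookie ever exists for the proxy to capture, which is the practical difference between code-based 2FA and phishing-resistant 2FA.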


Astaroth can go virtually undetected because it relays the real user's login and password, their two-step verification code, and their IP address through to the actual email server, so from the service's side the login looks normal.
Any 2FA code the user types is captured by Astaroth the moment it is entered, and the kit sends the hacker an alert on Telegram that a code has been captured.
Finally, the kit captures the user's session cookies, which the legitimate server sends back after a successful login.
Astaroth passes them to the attacker, who can load them into their own browser and use the account without ever entering a password or 2FA code.
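One way a defender can spot the cookie replay just described, as an added example that is not part of the original article: a session cookie issued to the victim's browser shows up shortly afterwards from a different IP address and a different browser. The log format, the session ids and the addresses below are constructed for illustration; a real deployment would read the web tier's own access or audit logs.

```python
"""Detect a session cookie being presented from a second client shortly after login.
Added example, not part of the original article; the log lines are constructed."""
import re
from datetime import datetime, timedelta

# Constructed access-log sample: sid=77b2e0 is a normal phone session, while the cookie
# sid=3f9a1c is used from a second machine about two minutes after it was issued.
SAMPLE_LOG = """\
2025-02-10T09:00:01Z sid=3f9a1c ip=203.0.113.7 ua="Chrome/121 Windows" path=/login status=302
2025-02-10T09:00:04Z sid=3f9a1c ip=203.0.113.7 ua="Chrome/121 Windows" path=/mail/inbox status=200
2025-02-10T09:02:30Z sid=3f9a1c ip=198.51.100.42 ua="Firefox/122 Linux" path=/mail/inbox status=200
2025-02-10T09:02:41Z sid=3f9a1c ip=198.51.100.42 ua="Firefox/122 Linux" path=/settings/forwarding status=200
2025-02-10T09:10:00Z sid=77b2e0 ip=192.0.2.9 ua="Safari/17 iPhone" path=/login status=302
2025-02-10T09:11:00Z sid=77b2e0 ip=192.0.2.9 ua="Safari/17 iPhone" path=/mail/inbox status=200
"""

LINE_RE = re.compile(
    r'(?P<ts>\S+) sid=(?P<sid>\w+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)'
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def find_replayed_sessions(text, window=timedelta(minutes=30)):
    """Flag session ids whose cookie is presented from a different (ip, user-agent) pair
    than the one it was first seen with, within `window` of that first request.
    Returns {sid: details} describing the original client and the new one."""
    first_seen, flagged = {}, {}
    for ev in parse_log(text):
        sid = ev["sid"]
        origin = first_seen.setdefault(sid, ev)   # first request is the issuing client
        if origin is ev or sid in flagged:
            continue
        same_client = (ev["ip"], ev["ua"]) == (origin["ip"], origin["ua"])
        if not same_client and ev["ts"] - origin["ts"] <= window:
            flagged[sid] = {
                "first_ip": origin["ip"], "first_ua": origin["ua"],
                "new_ip": ev["ip"], "new_ua": ev["ua"], "path": ev["path"],
                "seconds_after_login": int((ev["ts"] - origin["ts"]).total_seconds()),
            }
    return flagged
```

Running `find_replayed_sessions(SAMPLE_LOG)` flags only `3f9a1c`, first used 149 seconds after login from 198.51.100.42 with a different browser, and the first thing that client touched was the mail-forwarding settings. A change of IP alone is common on mobile networks, so in production it is worth requiring both the address and the user agent to differ, or comparing network owner rather than exact address, before alerting; the real fix is for the service to demand a fresh login before sensitive actions such as changing forwarding rules.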
Along with the phishing software, the dark web seller of Astaroth is reportedly promising to provide six months of updates which will keep hackers ahead of the latest cybersecurity improvements.
As for who's at risk, cyber experts warn that hackers using Astaroth could target billions of email users and those who use third-party logins to gain access to their accounts.
| Account type | Users |
|---|---|
| Gmail | Over 1.8 billion |
| Microsoft Outlook | Over 400 million |
| Yahoo Mail | Over 225 million |
| AOL Mail | Over 1 million |
| Third-party logins | Any account that uses your Google or Facebook account to log in |

Of course, all of this scheming starts with the victim clicking on a phony link, which is why tech experts say you have to keep your guard up online.
According to Action Fraud, 'Phishing emails encourage you to visit the bogus websites.'
'They usually come with an important-sounding excuse for you to act on the email, such as telling you your bank details have been compromised, or claim they're from a business or agency and you're entitled to a refund, rebate, reward, or discount.'
From there, the phony email will typically tell you to follow a link to enter your crucial information - allowing phishing scammers to see your vital data.
According to IT support service company AAG IT, 3.4 billion spam emails are sent every day.
Google alone blocks nearly 100 million phishing emails each day.