DAILY BEAST
      Here’s How Iran Resets Your Gmail Password

      ‘Just Open It!’

      Tehran’s hackers are getting trickier—and finding new ways to get into your Gmail.

      Ben Collins

      Updated Apr. 14, 2017 9:50AM ET / Published Aug. 27, 2015 6:00AM ET 

      Illustration by Alex Williams/The Daily Beast

      Iranian hackers have now found a way to get around Google’s two-step verification system and infiltrate Gmail’s most elaborate consumer security system, according to a new report.

      The Citizen Lab’s John Scott-Railton and Katie Kleemola outlined a few new ways that Iranian hackers can compromise the accounts of political dissidents, or even everyday citizens.

      “Their targets are political, and include Iranian activists, and even a director at the Electronic Frontier Foundation,” said Scott-Railton in an email, referring to the digital rights organization. “In some cases they even pretend to be Reuters journalists calling to set up interviews.”

      The report says attacks on political targets are new. But the methodology of the hack has been going on for years, especially as reliance on so-called “two-factor authentication”—using something in addition to a password to get into your account—has gone up.

      “It may be that, as a growing number of potential targets have begun using two-factor authentication on their e-mail accounts out of a concern for their security, politically-motivated attackers are borrowing from a playbook that financial criminals have written over the past decade,” the report notes.

      One of these attacks likely targeted Iranian writer Roya Hakakian, about whom The Daily Beast’s Shane Harris wrote in May. Hakakian, who considers herself a “secular intellectual” poet who isn’t particularly political, was the target of a months-long phishing campaign that used methods similar to the ones described in the report.

      Iran’s ability to infiltrate or even crash rival government systems, including alleged threats to the electrical grid, has “alarmed” U.S. officials over the past few years. But the most recent phishing attacks are a sign Iranian hackers are using these much more targeted techniques, too—on everyone from secular voices in Iran to nonprofit workers in the U.S.

      One tip-off you’re being targeted for an attack? If you receive a fake “unexpected sign-in attempt” notice that says an attempt was made to log in to your account from “The Iran.” The alert could come from a text or, in Hakakian’s case, an email.

      This email is sent by the hacker, not Google. But Google will eventually send an authentic verification code to your phone—which is intercepted by hackers in the process, giving them access to your account.

      “For this attack to work, the attackers must actively monitor the phishing page. Once the target enters their password into the phishing site the attackers likely use the credential to attempt to log in to GMail. The attacker’s login attempt then triggers the sending of a code from real Google to the target,” the report states. “They then wait for the target to enter the 2FA code from Google.”

      Another version of the attack includes a phone call and an interview request from an English or Farsi-speaker who claims to be from the news agency Reuters. When hackers sent their phishing email to Electronic Frontier Foundation director Jillian York after their phone call—which included specific details about her previous work—the news agency was misspelled “Reuturers.”

      Eventually, the email would coax victims into opening a document pertaining to the phone call from “Reuters Tech Dep.” Clicking the link would start the two-step verification hack.

      When York didn’t bite on initial emails, she was eventually barraged with more, sometimes from another account.

      “This is from my personal address! Just open it!” one email said.

      As the attack happened, hackers attempted to break into York’s Facebook using its reset feature.

      The EFF director was then called 30 times over the next day, and the attackers never got into her account.

      There is, however, an easy way to spot a fake: Google uses HTTPS encryption. The hackers’ password reset websites do not. Therefore, the address in your browser window will start with “http://” instead of “https://” when an attack occurs.

      And there’s better news, too: Because of how elaborate and labor-intensive the attacks are—and how small the window is to execute them—they likely don’t pose a long-term, widespread threat.

      “The effort involved suggests that, without serious automation, this attack technique will not scale well,” says the report.

      © 2022 The Daily Beast Company LLC