​Cybercriminals target secure email services with phishing attacks

• Hackers target ‘secure’ email services such as Google, Yahoo, Protonmail, and Tutanota.
• The hackers hail from the United Arab Emirates, Egypt, and Palestine and mostly target the Middle East and Africa.

A group of government hackers from a nation-state in the Gulf region target secure email services such as Google, Yahoo, Protonmail, and Tutanota. The attackers mainly target the Middle East and Africa.

The UK-based non-government organization for human right, Amnesty International warned that many of the targets, likely numbering upwards of 1,000, were human rights defenders and journalists operating in the affected regions.

Phishing attacks on Protonmail and Tutanota accounts

In the attempts to break into Protonmail and Tutanota accounts, phishing emails were sent directly to targets asking them to reset their passwords due to suspicious activity. The victims were then redirected to a fake website controlled by the hacker often using domain names similar to the real legitimate websites.

For instance, an extra ‘e’ was added to the original website ‘protonemail[.]ch’, similarly, instead of the legitimate ‘tutanota[.]com’, the fake website appeared to be ‘tutanota[.]org’ making it difficult for the users to suspect.

Once the victims enter their username and password, the login credentials were directly sent to the hackers.

Phishing attacks on Google and Yahoo accounts

A similar attack was carried out on Google and Yahoo accounts, but the attack targeted to grab the one-time two-factor authentication codes. Once the targets enter their login credentials, they were then redirected to a page asking them for an additional code because the hacker had already entered the login on the legitimate Google site, the message will indeed make it through to the real account owner, who would then enter the code on the fake page, giving account control over to the hackers. The victim would then be asked to enter a new password, after which the victim will be directed to the legitimate Google site.

“The purpose of taking this additional step is most likely just to fulfill the promise of the social engineering bait and therefore to not raise any suspicion on the part of the victim,” Amnesty wrote to Forbes

It is to be noted that the entire process is automated eliminating the need for the hacker to manually enter any information.

“In a completely automated fashion, the attackers managed to use our password to login into our account, obtain from us the two-factor authentication code sent to our phone and eventually prompt us to change the password to our account,” Amnesty wrote.