Journalists work on their phones and laptops during a press conference in Brussels in December. Hackers are using sophisticated phishing methods to try to access the accounts of reporters and human rights defenders. (AFP/Ludovic Marin)

CPJ Safety Advisory: Sophisticated phishing attacks mimic 2FA

The cybersecurity research group CERTFA has reported an increase in sophisticated phishing attacks against journalists and human rights defenders. These attacks, which are global, have also targeted individuals who use more robust email providers or two-step verification (2FA) for their email and social media accounts.

The research by CERTFA, the Computer Emergency Response Team in Farsi, found that once access had been gained to a journalist’s account, an adversary was able to monitor communications from that account in real time. The report showed that hackers were conducting research on journalists beforehand, which allowed them to tailor attacks and made them more difficult to spot.

A report by Amnesty International also found that hackers are buying domain names with a similar web address to the email service providers Tutanota and Protonmail, and creating clone login pages. A journalist who logs into one of these fake pages will have compromised their login details and given hackers access to their accounts.

The report detailed how journalists using Yahoo and Gmail were sent emails appearing to be from those email service providers, stating that there had been an unauthorized attempt to access the account. The email asked journalists to enter their email and password details, which hackers were able to check in real time and send out a fake two-step verification request either as an SMS, via the authenticator app, or via push notifications. At least two different groups of hackers were able to gain access to accounts and constantly monitor communications.

Journalists should take practical steps to protect their accounts and be extra vigilant for phishing attempts, especially if they are covering stories that could be of interest to state-sponsored actors. Journalists can minimize this risk by following CPJ’s guidance below.

Know the domain name of the service you use

Journalists should ensure they know the domain name of the service they are using and be vigilant about checking it when they go to log into accounts. Check for variations in spelling or a change in the domain, such as from .org to .net.
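
The following Python example is added here and is not part of CPJ's advisory: it compares the host in a login link against a list of domains the reader actually uses and flags a changed top-level domain, a near-miss spelling, or the real name embedded inside another domain. The domain examplemail.org, the function names, and the shortcut of treating the last two labels as the registered domain are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumption: the reader keeps a list of the exact domains they sign in to.
# "examplemail.org" is a constructed placeholder, not a real provider.
TRUSTED = {"examplemail.org"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_login_url(url, trusted=TRUSTED):
    """Classify the host of a login link against the trusted domain list."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "reject: not an https link"
    # Exact match, or a subdomain of a trusted domain.
    if host in trusted or any(host.endswith("." + d) for d in trusted):
        return "trusted"
    # Look-alike letters from other alphabets show up as non-ASCII or punycode.
    if not host.isascii() or "xn--" in host:
        return "lookalike: internationalized characters in host"
    # Simplification: treat the last two labels as the registered domain.
    registered = ".".join(host.split(".")[-2:])
    name, _, tld = registered.rpartition(".")
    for good in trusted:
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            return f"lookalike: {good} with .{tld} instead of .{good_tld}"
        if good in host:
            return f"lookalike: {good} embedded in {registered}"
        if edit_distance(name, good_name) <= 2:
            return f"lookalike: {registered} resembles {good}"
    return "unknown: not on the trusted list"
```

An "unknown" result only means the host is not on the list; it says nothing about whether the site is safe.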

Use security keys instead of using SMS, the authenticator app, or push notifications

Using 2FA is an important way to help secure your accounts from being hacked. Journalists who are concerned about being targeted by sophisticated phishing campaigns should use a security key instead of an SMS alert or authenticator app. A security key, such as a YubiKey, is currently the most secure way to protect your accounts.

Check the security settings of your accounts for an option to add ‘security keys’ or ‘hardware tokens’ or ‘Universal 2nd Factor (U2F)’. Read our guide to using security keys.

Check received communications carefully

Journalists who receive communications asking them to enter password details for their accounts should not click on anything contained in the message. Instead, they should log into their account via the homepage of the service provider.

If you believe your email account has been compromised, and have access to tech support through a media organization, contact them immediately for assistance. If you are a freelance journalist or a journalist who does not have access to tech support, contact the Access Now Helpline.

CPJ is working alongside our partners to understand the full scope of phishing attacks on journalists. If you have received a suspicious message and believe you may have been targeted in a phishing attempt, please forward the message to phishtank@cpj.org. This information will be handled confidentially.

For more information on digital security, see CPJ’s Safety Note on Digital Safety and the digital safety information included in our Resource Center.