Google Investigates Ad Injected Into 2FA SMS Messages
Text Ad Contained Link Directing to Avira's VPN Product
Google says it's investigating how a text advertisement was injected into SMS messages containing two-step verification security codes.
Chris Lacy, a developer who runs the Australian mobile application development company Action Launcher, tweeted a screenshot Tuesday that showed a two-step verification - sometimes referred to as a two-factor authentication code - with a text advertisement.
I just received a two-factor authentication SMS from Google that included an ad. Google's own Messages SMS app flagged it as spam.
What a shameful money grab. pic.twitter.com/NeStIndR6q
— Chris Lacy (@chrismlacy) June 29, 2021
Google determined that it did not play a role in inserting the advertisement.
"To close the loop, these are not Google ads, and we do not condone this practice," tweeted Mark Risher, senior director of product management for Google's identity and security platforms. "We are working with the wireless carrier to understand why this happened and ensure it doesn't happen again."
Lacy, who didn't respond to a request for comment, did not name the wireless carrier involved.
But another person who asked to remain anonymous tells Information Security Media Group that he received an identical message on June 25 while logging into a Google account. He provided a screenshot and says he is on a postpaid contract with Australian wireless carrier Optus, which is a subsidiary of Singapore's Singtel. This individual says that the link redirected to antivirus vendor Avira, which sells a VPN service.
An Optus spokesperson says the company is "not injecting the messages and was unaware of the situation but that it is now investigating further."
An Avira spokesperson says the ad was placed by a third-party advertising partner without Avira's knowledge. Avira and the advertising partner have now "ceased all activity with the company who placed the ad, as it was in clear violation of contractual terms and conditions." Avira declined to name the company or the advertising partner.
"Avira supports all efforts to protect people in the connected world, including utilizing two-factor authentication where possible," the company says. "We thank the individuals who brought the ad to our attention."
Two other major Australian carriers, Vodafone and Telstra, say they do not inject advertisements into text messages.
Lacy wrote that he received the two-step verification code through SMS after logging into an old Google email account. He wrote he hadn't yet switched that account to obtaining the two-step code through an authenticator app.
His tweet immediately prompted Google's concern. Adrienne Porter Felt, an engineering manager for Google Chrome, asked if the two-step code worked. Lacy replied that it did.
There are good reasons why advertisements appended to a security message are problematic. Lacy notes that Google's own SMS anti-spam feature snagged the message.
Lacy wrote in a subsequent tweet that the ad injection practice is "eroding trust in 2FA and making 2FA messages less likely to be delivered. It's utterly shameful."
Chris Boyd, a malware intelligence analyst with Malwarebytes, writes that the way the advertisements were presented raises questions about customer consent, what ad network is involved and what data is being shared or viewed by other parties.
It also may be difficult for users to determine if the link is malicious.
"Worst case scenario, the ad leads to a rogue page or phishing site," Boyd writes in a blog post. "There can’t be many more ways to damage the reputation of using SMS codes as an added layer of security."
Mixing commercial propositions in with security alerts or even just normal browsing traffic is not well regarded.
Three years ago, a group of researchers discovered that Facebook was using phone numbers that users had supplied for receiving two-step verification codes to target advertising. Facebook eventually allowed users to use two-step verification without supplying their phone numbers, Gizmodo reported at the time.
Even more broadly, the idea of carriers or ISPs stepping into traffic or communication streams is usually regarded as nothing less than abhorrent. Before more pervasive use of HTTPS by websites, ISPs sometimes injected their own content into a user's web browsing traffic, InfoWorld reported in 2015.
Switch to Authenticator Apps
Advertisements aside, there's a strong security case for switching any two-step codes coming over SMS to authenticator apps, if possible.
SMS messages are unencrypted, and carriers have full access to the content and could modify it. Receiving two-step verification codes over SMS is better than not enabling two-step verification at all, because it can stop account takeovers cold. But receiving the codes over SMS poses risks.
Attackers can take over a victim's phone number in order to receive their two-step codes in schemes known as SIM swaps or hijacks. In these attacks, a fraudster pretends to be an authorized holder of a number, often by tricking a customer service representative at a mobile operator, and then moves a number to a different SIM card (see: Gone in 15 Minutes: Australia's Phone Number Theft Problem).
The technique has often been used to break into the accounts of those who hold valuable amounts of cryptocurrency (see: AT&T Sued Over $24 Million Cryptocurrency SIM Hijack Attacks).
At a higher level, attackers have managed to gain access to Signaling System #7, a global database that helps carriers deliver calls and messages wherever a phone is located. This kind of infiltration can also lead to access to security codes (see: Bank Account Hackers Used SS7 to Intercept Security Codes).