Password recovery scam: How hackers are stealing Gmail, Yahoo Mail accounts
'This social engineering attack is very convincing and we’ve already confirmed that people are falling for it,' the security firm said.
Symantec has observed an increase in a "particular" type of spear-phishing attack targeting mobile users. The purpose of the attack is to gain access to the victim’s email account.
"This social engineering attack is very convincing and we’ve already confirmed that people are falling for it," the security firm said.
To pull off the attack, the bad guys need to know the target’s email address and mobile number; however, these can be obtained without much effort. The attackers make use of the password recovery feature offered by many email providers, which helps users who have forgotten their passwords gain access to their accounts by, among other options, having a verification code sent to their mobile phone.
The majority of cases observed affect Gmail, Hotmail, and Yahoo Mail users.
Using Gmail as an example, the following steps describe how the attack works.
-- Our victim, Alice, registers her mobile phone number with Gmail so that if she forgets her password Google will text her a verification code and she can access her account.
-- Our bad guy—let’s call him Malroy—wants to get into Alice’s account but doesn’t know her password. He does know Alice’s email address and phone number though. Malroy visits the Gmail login page and enters Alice’s email address and then clicks on the “Need help?” link. This link is used when people have forgotten their login credentials.
-- Malroy is offered several options, including “Enter the last password you remember” and “Confirm password reset on my [MAKE AND MODEL] phone,” but skips these until he is given the option “Get a verification code on my phone: [MOBILE PHONE NUMBER].”
-- Malroy accepts this option and an SMS message with a six-digit verification code is sent to Alice.
-- Alice receives a message saying “Your Google Verification code is [SIX-DIGIT CODE].”
-- Malroy then sends Alice an SMS message saying something like “Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity."
-- Alice, believing that the message is legitimate, replies with the verification code.
-- Malroy then uses the code to get a temporary password and gains access to Alice’s email account.
And, then attacker enters verification code and the ability to reset password is granted.
Symantec said it has also observed attackers interacting with their victims when the verification code doesn’t work. The victim will receive a message along the lines of: “We still detect an unauthorized sign-in to your account. Google just re-sent a verification code via text message: Please respond with it to help secure your Google account”
When the attacker gains access to the account they could for example, among other things, add an alternate email to the account and set it up so that copies of all messages would be forwarded to that address. The temporary password could then be given to the victim and they would have no idea their emails were being sent to the attacker. An SMS would be sent to the victim, saying something like: “Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]”
This makes the phishing attack all the more believable. The victim thinks that the correspondence must be legitimate and their account is now secure.
The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers. They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals. The way they operate is similar to the methods used by APT groups.
This simple yet effective attack method is significantly more economical than traditional spear-phishing, where an attacker would need to register a domain and set up a phishing site. In this case, the only cost to the bad guys is an SMS message. This method is also more difficult to detect, as it would have to be done by the user’s mobile software or by the mobile carrier.
Symantec warns that users should be suspicious of SMS messages asking about verification codes, especially if they did not request one. If uncertain about an unexpected request, users can check with their email provider to confirm if the message is legitimate. Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way.