
Cybercrims bypassing two-factor authentication with simple txt

18 Jun 2015

Strong passwords and two-factor authentication are no match for simple social engineering, it appears, with security vendor Symantec warning of a new password recovery scam that tricks users into handing over email account access.

The newly discovered scam allows attackers to bypass two-factor authentication by using the password recovery feature offered by many email providers, which enables users who have forgotten their password to gain access to the account by, among other options, having a verification code sent to their mobile phone.

The attacker then follows up with a text – disguised as the email provider having detected ‘unusual activity’ on the account – requesting the code.

Believing the message is legitimate, the victim unwittingly gives the scammer access to their email account.

Once the cybercriminal has gained access to the email account, they can add an alternate email address to the account, configured so that they receive copies of all incoming emails.

Symantec says it has seen an increase in this type of spear-phishing attack targeting mobile users, with the majority of cases it observed affecting Gmail, Hotmail and Yahoo users.

Symantec principal research engineer Slawomir Grzonkowski says the social engineering attack is ‘very convincing’.

“We’ve already confirmed that people are falling for it,” Grzonkowski says.

“To pull off the attack, the bad guys need to know the target’s email address and mobile number, however these can be obtained without much effort.”

Grzonkowski says attackers have also been observed interacting with their victims when the verification code doesn’t work, by sending additional text messages.

“The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers,” Grzonkowski says.

“They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals.”

He says the simple yet effective attack method is significantly more economical than traditional spear-phishing, where an attacker would need to register a domain and set up a phishing site.

“In this case, the only cost to the bad guys is an SMS message.

“This method is also more difficult to detect, as it would have to be done by the user’s mobile software or by the mobile carrier.”

Grzonkowski is urging users to be suspicious of SMS messages asking about verification codes, especially if they didn’t request one.

“If uncertain about an unexpected request, users can check with their email provider to confirm if the message is legitimate,” Grzonkowski says.

“Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way.”
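The rule Grzonkowski gives above, that a genuine recovery SMS states a code and never asks you to respond, can be turned into a simple client-side filter of the kind he says would have to live in the user’s mobile software or at the carrier. The following is an added illustration, not Symantec’s code or any product’s; the sample messages are constructed, and the wording patterns are assumptions about how such texts are phrased.

```python
import re

# Constructed sample SMS messages for illustration (not from the Symantec report).
SAMPLE_SMS = [
    "Your verification code is 482913. Do not share it with anyone.",
    "Unusual activity detected on your account. Reply with the verification "
    "code we just sent to confirm it's you.",
    "G-583921 is your verification code.",
    "Security alert: to keep your account open, text back the code you received.",
]

# A 5-8 digit code, optionally prefixed like "G-" (assumed format).
CODE_RE = re.compile(r"\b[A-Z]?-?\d{5,8}\b")
# Wording that asks the recipient to send a code somewhere (assumed phrasing).
REPLY_RE = re.compile(
    r"\b(reply|respond|send|text|forward)\b.*\b(code|pin)\b"
    r"|\b(code|pin)\b.*\b(reply|respond|send back|text back|forward)\b",
    re.IGNORECASE,
)
# Pretexts the article describes, e.g. 'unusual activity' (assumed phrasing).
PRETEXT_RE = re.compile(
    r"unusual activity|suspicious|locked|keep your account|verify your identity",
    re.IGNORECASE,
)


def assess_sms(text: str) -> dict:
    """Classify one SMS using the page's rule: a legitimate recovery message
    only states a code; anything asking you to respond with a code is suspect."""
    has_code = bool(CODE_RE.search(text))
    asks_for_code = bool(REPLY_RE.search(text))
    has_pretext = bool(PRETEXT_RE.search(text))
    if asks_for_code:
        verdict = "suspicious"          # never legitimate per the article
    elif has_code and not has_pretext:
        verdict = "looks-legitimate"    # just states a code, no request
    else:
        verdict = "review"              # neither clear-cut; show to the user
    return {"verdict": verdict, "has_code": has_code,
            "asks_for_code": asks_for_code, "has_pretext": has_pretext}


def triage(messages) -> list:
    """Return the verdict for each message, in order."""
    return [assess_sms(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_SMS, triage(SAMPLE_SMS)):
        print(f"{verdict:16} {msg}")
```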
