
Cybercrims bypassing two-factor authentication with simple txt

18 Jun 15

Strong passwords and two-factor authentication are no match for simple social engineering, it appears, with security vendor Symantec warning of a new password recovery scam that tricks users into handing over email account access.

The newly discovered scam allows attackers to bypass two-factor authentication by using the password recovery feature offered by many email providers, which enables users who have forgotten their password to gain access to the account by, among other options, having a verification code sent to their mobile phone.

The attacker then follows up with a text – disguised as the email provider having detected ‘unusual activity’ on the account – requesting the code.

Believing the message is legitimate, the victim unwittingly gives the scammer access to their email account.

Once the cybercriminal has gained access to the email account, they can add an alternate email address to the account, configured so that they receive copies of all emails.

Symantec says it has seen an increase in this type of spear-phishing attack targeting mobile users with the majority of cases it observed affecting Gmail, Hotmail and Yahoo users.

Symantec principal research engineer Slawomir Grzonkowski says the social engineering attack is ‘very convincing’.

“We’ve already confirmed that people are falling for it,” Grzonkowski says.

“To pull off the attack, the bad guys need to know the target’s email address and mobile number, however these can be obtained without much effort.”

Grzonkowski says attackers have also been observed interacting with their victims when the verification code doesn’t work, by sending additional text messages.

“The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers,” Grzonkowski says.

“They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals.”

He says the simple yet effective attack method is significantly more economical than traditional spear-phishing, where an attacker would need to register a domain and set up a phishing site.

“In this case, the only cost to the bad guys is an SMS message.

“This method is also more difficult to detect, as it would have to be done by the user’s mobile software or by the mobile carrier.”

Grzonkowski is urging users to be suspicious of SMS messages asking about verification codes, especially if they didn’t request one.

“If uncertain about an unexpected request, users can check with their email provider to confirm if the message is legitimate,” Grzonkowski says.

“Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way.”
