Strong passwords and two-factor authentication are no match for simple social engineering, it appears, with security vendor Symantec warning of a new password recovery scam that tricks users into handing over email account access.
The newly discovered scam allows attackers to bypass two-factor authentication by abusing the password recovery feature offered by many email providers, which lets users who have forgotten their password regain access to the account by, among other options, having a verification code sent to their mobile phone.
The attacker triggers that recovery flow for the victim's address, so the provider sends the code to the victim's phone, and then follows up with a text – disguised as the email provider having detected ‘unusual activity’ on the account – requesting the code.
Believing the message is legitimate, the victim unwittingly gives the scammer access to their email account.
Once the cybercriminal has gained access to the email account, they can add an alternate email address to the account and set it up to receive copies of all emails.
Symantec says it has seen an increase in this type of spear-phishing attack targeting mobile users, with the majority of cases it observed affecting Gmail, Hotmail and Yahoo users.
Symantec principal research engineer Slawomir Grzonkowski says the social engineering attack is ‘very convincing’.
“We’ve already confirmed that people are falling for it,” Grzonkowski says.
“To pull off the attack, the bad guys need to know the target’s email address and mobile number, however these can be obtained without much effort.”
Grzonkowski says attackers have also been observed interacting with their victims when the verification code doesn’t work, by sending additional text messages.
“The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers,” Grzonkowski says.
“They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals.”
He says the simple yet effective attack method is significantly more economical than traditional spear-phishing, where an attacker would need to register a domain and set up a phishing site.
“In this case, the only cost to the bad guys is an SMS message.
“This method is also more difficult to detect, as it would have to be done by the user’s mobile software or by the mobile carrier.”
Grzonkowski is urging users to be suspicious of SMS messages asking about verification codes, especially if they didn’t request one.
“If uncertain about an unexpected request, users can check with their email provider to confirm if the message is legitimate,” Grzonkowski says.
“Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way.”
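Grzonkowski's rule of thumb (a real recovery SMS states the code and never asks for a reply; the scam text asks for the code back, often with an "unusual activity" pretext) can be turned into a simple triage filter of the kind the article says would have to live in the user's mobile software or at the carrier. The following is an added example, not Symantec's or the article's code; the sample messages are constructed for the demo and the regular expressions are assumptions about typical wording.

```python
import re

# Constructed sample SMS bodies for the demo; none are real messages quoted by the article.
SAMPLE_SMS = [
    "Your Gmail verification code is 482913.",
    "Unusual activity detected on your account. Reply with the verification code we just sent to confirm it's you.",
    "Your Yahoo security code: 105772. Do not share this code with anyone.",
    "We noticed a login from a new device. Please text us back the 6-digit code to secure your account.",
    "Your Hotmail verification code is 771204. Do not reply to this message.",
    "Reminder: your dentist appointment is tomorrow at 10am.",
]

# "verification code", "security code", etc.
CODE_WORDS = re.compile(r"\b(verification|security|recovery|confirmation)\s+code\b", re.I)
# A numeric code actually present in the message body.
CODE_VALUE = re.compile(r"\b\d{4,8}\b")
# Negated instructions ("do not reply") are removed before looking for a reply request.
NEGATED = re.compile(r"\b(do not|don't|never)\s+(reply|respond|send|share|forward|text)\b", re.I)
# An instruction to send the code somewhere, in either word order, within one sentence.
REPLY_REQUEST = re.compile(
    r"\b(reply|respond|send|text|forward)\b[^.]*\bcode\b|\bcode\b[^.]*\b(reply|respond|send|text|forward)\b", re.I)
# Pretexts the article describes: the provider "detected unusual activity" (assumed wording).
LURE = re.compile(r"\b(unusual|suspicious)\s+activity\b|\bnew device\b", re.I)


def classify_sms(text):
    """Label one SMS: 'code_solicitation', 'legitimate_code' or 'other'.

    Heuristic from the article: a real recovery message only states the code
    and never asks you to respond; a scam message asks for the code back.
    """
    stripped = NEGATED.sub("", text)
    asks_for_code = bool(REPLY_REQUEST.search(stripped))
    mentions_code = bool(CODE_WORDS.search(text))
    if asks_for_code and (mentions_code or LURE.search(text)):
        return "code_solicitation"
    if mentions_code and CODE_VALUE.search(text) and not asks_for_code:
        return "legitimate_code"
    return "other"


def triage(messages):
    """Return (label, message) pairs for a batch of SMS bodies."""
    return [(classify_sms(m), m) for m in messages]


if __name__ == "__main__":
    for label, msg in triage(SAMPLE_SMS):
        print(f"{label:18} {msg}")
```

Phrasing varies between providers and scammers, so treat a "code_solicitation" label as a prompt to warn the user, not as proof of fraud.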