“This social engineering attack is very convincing, and we’ve already confirmed that people are falling for it,” Symantec research engineer Slawomir Grzonkowski reports in a blog post detailing the threat.
All that’s required to launch the attack is the target’s email address and mobile phone number.
The attackers simply leverage the email provider’s password recovery feature, which allows users who have forgotten their passwords to verify their identities by having verification codes sent to their mobile phones.
By clicking on the “forgot password” link and requesting the verification code, the attacker prompts the email provider to send an SMS message with the code to the victim’s mobile phone.
To get the code, the attacker then sends the victim a separate SMS message saying something like, “Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.”
The victim replies with the code, and the attacker gains access to the victim’s email account.
As Grzonkowski notes, after resetting the account password, the attacker could send the victim an SMS stating, “Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD.”
“This makes the phishing attack all the more believable,” Grzonkowski writes. “The victim thinks that the correspondence must be legitimate and their account is now secure.”
The majority of cases observed by Symantec affected Gmail, Hotmail and Yahoo Mail users.
Grzonkowski says the majority of attacks seem to be focused on gathering information on the victims, not financial gain.
“This simple yet effective attack method is significantly more economical than traditional spear-phishing, where an attacker would need to register a domain and set up a phishing site,” Grzonkowski notes. “In this case, the only cost to the bad guys is an SMS message. This method is also more difficult to detect, as it would have to be done by the user’s mobile software or by the mobile carrier.”
To avoid becoming a victim, Grzonkowski recommends that users be suspicious of SMS messages asking about verification codes, particularly if they didn’t request one. “Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way,” he writes.
This eSecurity Planet article offers 5 tips for fighting email security threats.