Security researchers from Symantec have warned Gmail, Hotmail and Yahoo Mail users about a ‘Password Recovery Scam’ in which attackers use text messages and social engineering to trick victims into handing over access to their email accounts. Email addresses and mobile phone numbers are now part of huge databases that are bought and sold by marketing agencies. The same data is also used by criminals, and Symantec researchers found that attackers are using this email-plus-phone combination in a particular type of “spear phishing attack”. The attackers’ aim is to take over a victim’s email account knowing only the correct email address and the matching mobile number. Symantec researchers mention in their blog that this social engineering attack is quite convincing, and they have confirmed that many people are falling for it.

Password Recovery Scam:

Most email providers, including Gmail, Hotmail and Yahoo Mail, let users register a mobile phone to receive account recovery codes when they have forgotten their password or otherwise have trouble logging in. This recovery process is useful for users who have difficulty remembering passwords; the other side of the coin is that the same convenient process can be used by attackers to compromise a victim’s email account. Among the options offered by the password recovery process is “getting a verification code sent via text message to the user’s registered phone number”. Symantec researchers used a Gmail account as their example to show how the password recovery scam lets an attacker take over a victim’s email account with minimal details.
When users enable two-step verification, they receive an ‘official verification code’ from the email provider on their registered phone, which they must type into the browser after entering their password. Attackers use a similar cloak in this social engineering attack, and it is convincing enough to trick victims into handing over access to their email accounts. Let us look at how attackers carry out the social engineering password recovery scam:
1. The attacker first obtains the victim’s email address and registered mobile number.
2. On the provider’s sign-in page, the attacker enters the email address and starts the password recovery process, choosing the option to have the verification code sent to the user by text message.
3. The victim immediately receives an unexpected text message containing the ‘official verification code’ from their email provider.
4. The attacker then sends the victim another text from their own phone that reads: “This is Google. There has been unauthorized activity on your account. Please reply with your verification code.” The attacker is pretending to be the email provider, but the victim sees this message as coming from an unknown number.
5. The victim replies to this second message with the ‘official verification code’ they received from the email provider.
6. Once the attacker has the “official verification code”, they enter it, reset the password of the victim’s email account, and so gain easy access to the account and to the sensitive information in it.

If the official verification code does not work, the attacker sends a further text message to the victim: “We still detect an unauthorized sign-in to your account. Google just re-sent a verification code via text message: Please respond with it to help secure your Google account.”

Symantec researchers further note that once attackers gain access to the victim’s account, they can add another email address that receives copies of all email passing through the victim’s account. The attackers may also send the victim a temporary password by text message, reading: “Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD].”
The victim is now convinced that this was a legitimate verification procedure from their email provider and believes the account is secure, without the slightest idea that the account has been taken over.
Symantec researchers believe the criminals target victims to gather information, and that the way they operate is broadly similar to the methods used by APT groups. This kind of social engineering phishing attack requires no special skills and is not costly: the only cost the attacker bears is that of sending text messages to the victim. Because it can be carried out with just the victim’s email address and phone number, the attack is quite dangerous.

Mitigation:

Symantec researchers have also provided some advice that can help users avoid falling prey to these attackers.
If users receive a verification code when they have not tried to log in, this should raise an alarm, and they should immediately check with their email provider about the legitimacy of the message. Be wary of unexpected text messages that ask for your verification code, especially when you did not request one. Users need to remember that official, legitimate messages from password recovery services only provide the verification code; they never ask you to reply to the message.
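As an added illustration of the attack pattern and the mitigation advice above (this is not code from Symantec or from this article), the following Python rule set flags inbound texts that show the scam’s tell-tale signs: a request to send the code back, a brand claim from an unrecognised number, urgency about “unauthorized” activity, a password delivered by text, and a genuine code arriving when no recovery was requested. The provider short code and the sample inbox are constructed values modelled on the messages quoted above.

```python
import re
from dataclasses import dataclass

# Assumed short code the provider uses for genuine recovery texts (constructed placeholder).
KNOWN_PROVIDER_SENDERS = {"22000"}

# Heuristics drawn from the scam pattern described in the article.
REPLY_FOR_CODE = re.compile(
    r"\b(reply|respond|send|text)\b.{0,60}?\b(code|verification)\b"
    r"|\b(code|verification)\b.{0,60}?\b(reply|respond|send)\b", re.I)
BRAND_CLAIM = re.compile(r"\b(this is|from)\s+(google|gmail|yahoo|microsoft|hotmail)\b", re.I)
URGENCY = re.compile(r"\bunauthorized (activity|sign-in)\b", re.I)
PASSWORD_BY_TEXT = re.compile(r"\btemporary password\b", re.I)
CONTAINS_CODE = re.compile(r"\b\d{4,8}\b")  # assumption: recovery codes are 4-8 digits


@dataclass
class Sms:
    sender: str
    body: str


def suspicious_reasons(msg, user_requested_code=False):
    """Return the reasons an inbound text looks like the password recovery scam."""
    reasons = []
    if REPLY_FOR_CODE.search(msg.body):
        reasons.append("asks for the verification code to be sent back")
    # Sender IDs can be spoofed, so an unknown number is a supporting signal, not proof.
    if BRAND_CLAIM.search(msg.body) and msg.sender not in KNOWN_PROVIDER_SENDERS:
        reasons.append("claims to be the provider but comes from an unrecognised number")
    if URGENCY.search(msg.body):
        reasons.append("pressures the user with a claim of unauthorized activity")
    if PASSWORD_BY_TEXT.search(msg.body):
        reasons.append("delivers a password by text after a 'verification'")
    # The genuine code itself is a warning sign when the user never started a recovery.
    if (msg.sender in KNOWN_PROVIDER_SENDERS and CONTAINS_CODE.search(msg.body)
            and not user_requested_code):
        reasons.append("genuine code arrived although no recovery was requested")
    return reasons


# Constructed sample inbox modelled on the texts quoted in the article (not real traffic).
SAMPLE_INBOX = [
    Sms("22000", "Your Google verification code is 482913"),
    Sms("+15550100123", "This is Google. There has been unauthorized activity on your "
                        "account. Please reply with your verification code."),
    Sms("+15550100123", "We still detect an unauthorized sign-in to your account. Google just "
                        "re-sent a verification code via text message: Please respond with it "
                        "to help secure your Google account."),
    Sms("+15550100123", "Thank you for verifying your Google account. Your temporary "
                        "password is Xy7!temp"),
]
```

Run `suspicious_reasons(sms, user_requested_code=True)` for a code the user actually asked for; the first sample then produces no reasons, while the three attacker texts are flagged regardless.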
Users can watch the Password Recovery Scam video presented by Symantec security researchers: