
Cybercrims bypassing two-factor authentication with simple txt

18 Jun 15

Strong passwords and two-factor authentication are no match for simple social engineering, it appears, with security vendor Symantec warning of a new password recovery scam that tricks users into handing over email account access.

The newly discovered scam allows attackers to bypass two-factor authentication by using the password recovery feature offered by many email providers, which enables users who have forgotten their password to gain access to the account by, among other options, having a verification code sent to their mobile phone.

The attacker then follows up with a text – disguised as the email provider having detected ‘unusual activity’ on the account – requesting the code.

Believing the message is legitimate, the victim unwittingly gives the scammer access to their email account.

Once the cybercriminal has gained access to the email account, they can add an alternate email address to the account, configured so that they receive copies of all incoming emails.

Symantec says it has seen an increase in this type of spear-phishing attack targeting mobile users with the majority of cases it observed affecting Gmail, Hotmail and Yahoo users.

Symantec principal research engineer Slawomir Grzonkowski says the social engineering attack is ‘very convincing’.

“We’ve already confirmed that people are falling for it,” Grzonkowski says.

“To pull off the attack, the bad guys need to know the target’s email address and mobile number, however these can be obtained without much effort.”

Grzonkowski says attackers have also been observed interacting with their victims when the verification code doesn’t work, by sending additional text messages.

“The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers,” Grzonkowski says.

“They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals.”

He says the simple yet effective attack method is significantly more economical than traditional spear-phishing, where an attacker would need to register a domain and set up a phishing site.

“In this case, the only cost to the bad guys is an SMS message.

“This method is also more difficult to detect, as it would have to be done by the user’s mobile software or by the mobile carrier.”

Grzonkowski is urging users to be suspicious of SMS messages asking about verification codes, especially if they didn’t request one.

“If uncertain about an unexpected request, users can check with their email provider to confirm if the message is legitimate,” Grzonkowski says.

“Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way.”
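The distinction Grzonkowski draws, that a genuine recovery message only states the code while the scam follow-up asks you to send it back, is simple enough to encode as a message-triage rule of the kind mobile software or a carrier filter could apply. The following Python is an added example written for this page, not code from Symantec or from the article; the sample SMS texts are constructed for illustration and the regular expressions are a heuristic, not a product rule set.

```python
import re

# Constructed sample SMS messages (not taken from the article). They cover the
# two cases the article contrasts: a genuine recovery message, which only
# states the code, and a follow-up that asks the recipient to send the code.
SAMPLE_MESSAGES = [
    "Your verification code is 482913.",
    "G-123456 is your verification code.",
    # Genuine messages often carry an instruction ("enter", "do not share")
    # without asking for a reply; this must still classify as a notice.
    "Enter 771204 to confirm your sign-in. Do not share this code with anyone.",
    "Unusual activity detected on your account. Reply with the verification "
    "code you just received to keep your account secure.",
    "We noticed a sign-in from a new device. Please send us the code sent to your phone.",
    "Your package is out for delivery.",
]

# A 4-8 digit code, optionally prefixed by a letter and hyphen (e.g. "G-123456").
CODE_RE = re.compile(r"\b[A-Z]?-?\d{4,8}\b")

# A request to hand the code back: a "send it to us" verb and a code noun in
# either order. "confirm"/"enter" are deliberately absent from the verb list
# because legitimate messages use them ("enter this code to confirm...").
_VERBS = r"(?:reply|respond|send|forward|text|provide|give)"
_NOUNS = r"(?:code|verification|pin|passcode)"
REQUEST_RE = re.compile(
    rf"\b{_VERBS}\b.*\b{_NOUNS}\b|\b{_NOUNS}\b.*\b{_VERBS}\b",
    re.IGNORECASE | re.DOTALL,
)

# Pretexts the article attributes to the scam ("unusual activity") plus
# similar urgency phrases; used only to rank a request, not to decide it.
URGENCY_RE = re.compile(
    r"unusual activity|suspicious|locked|new device|verify your identity",
    re.IGNORECASE,
)


def classify_sms(text: str) -> str:
    """Return 'code_request', 'code_notice' or 'other' for one SMS body.

    code_request: the message asks the recipient to send a code back (the
                  pattern the article warns about, regardless of pretext).
    code_notice:  the message states a code and asks for nothing in return
                  (what a real password recovery service sends).
    other:        no verification-code content at all.
    """
    if REQUEST_RE.search(text):
        return "code_request"
    if CODE_RE.search(text) or re.search(r"\bcode\b", text, re.IGNORECASE):
        return "code_notice"
    return "other"


def risk_level(text: str) -> str:
    """Rank a message: 'high' for a code request wrapped in an urgency pretext,
    'medium' for a bare code request, 'low' otherwise."""
    verdict = classify_sms(text)
    if verdict != "code_request":
        return "low"
    return "high" if URGENCY_RE.search(text) else "medium"


def scan(messages):
    """Triage a batch of SMS bodies; returns (text, verdict, risk) tuples."""
    return [(m, classify_sms(m), risk_level(m)) for m in messages]


if __name__ == "__main__":
    for text, verdict, risk in scan(SAMPLE_MESSAGES):
        print(f"[{risk:6}] {verdict:13} {text[:60]}")
```

The decision order matters: a request for the code is checked first, so a scam text that happens to echo a code number is still flagged, while a genuine message that says "do not share this code" is not, because "share" is not a hand-it-over verb. A real deployment would tune the verb and noun lists per language and provider, but the underlying rule stays the one the article states: a legitimate recovery message never asks you to respond.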
