Some of the most effective scams are very simple; take, for example, dressing up as a police officer and asking someone to hand over the keys to their car. The average person on the street would probably hand them over without question, which is why impersonating a police officer is classed as a very serious crime the world over. This scam has two things going for it: its simplicity and the fact that people have an overwhelming tendency to trust figures of authority. These two qualities work just as well in the world of cybercrime, and we recently came across a case that proves just that.
Lately we have observed an increase in a particular type of spear-phishing attack targeting mobile users. The purpose of the attack is to gain access to the victim’s email account. This social engineering attack is very convincing and we’ve already confirmed that people are falling for it.
To pull off the attack, the bad guys need to know the target’s email address and mobile number; however, these can be obtained without much effort. The attackers make use of the password recovery feature offered by many email providers, which helps users who have forgotten their passwords gain access to their accounts by, among other options, having a verification code sent to their mobile phone.
The majority of cases we observed affect Gmail, Hotmail, and Yahoo Mail users. Using Gmail as an example, the following steps describe how the attack works.
See the attack in action
We have made a video that shows you how attackers pull off this attack against unsuspecting users.
Figure 1. Video showing how the attack works
Description of attack
- Our victim, Alice, registers her mobile phone number with Gmail so that if she forgets her password Google will text her a verification code and she can access her account.
Figure 2. Password recovery setup
- Our bad guy—let’s call him Malroy—wants to get into Alice’s account but doesn’t know her password. He does know Alice’s email address and phone number though. Malroy visits the Gmail login page and enters Alice’s email address and then clicks on the “Need help?” link. This link is used when people have forgotten their login credentials.
Figure 3. First step in password recovery process
Figure 4. Victim’s email address is entered
- Malroy is offered several options, including “Enter the last password you remember” and “Confirm password reset on my [MAKE AND MODEL] phone,” but skips these until he is given the option “Get a verification code on my phone: [MOBILE PHONE NUMBER].”
Figure 5. Attacker chooses to have verification code sent by text message
- Malroy accepts this option and an SMS message with a six-digit verification code is sent to Alice.
- Alice receives a message saying “Your Google Verification code is [SIX-DIGIT CODE].”
- Malroy then sends Alice an SMS message saying something like “Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.”
- Alice, believing that the message is legitimate, replies with the verification code.
- Malroy then uses the code to get a temporary password and gains access to Alice’s email account.
Figure 6. Attacker enters verification code
Figure 7. Ability to reset password is granted
We’ve also observed attackers interacting with their victims when the verification code doesn’t work. The victim will receive a message along the lines of:
“We still detect an unauthorized sign-in to your account. Google just re-sent a verification code via text message: Please respond with it to help secure your Google account.”
Once the attacker has access to the account they could, among other things, add an alternate email address and configure forwarding so that copies of all incoming messages are sent to it. The temporary password could then be handed back to the victim, who would have no idea their email was being copied to the attacker. An SMS would be sent to the victim saying something like:
“Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]”
This makes the phishing attack all the more believable. The victim thinks that the correspondence must be legitimate and their account is now secure.
The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers. They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals. The way they operate is similar to the methods used by APT groups.
This simple yet effective attack method is significantly more economical than traditional spear-phishing, where an attacker would need to register a domain and set up a phishing site. In this case, the only cost to the bad guys is an SMS message. This method is also more difficult to detect, as detection would have to happen on the user’s mobile device or at the mobile carrier.
The bad guys in this case are not impersonating a police officer but instead are posing as the victim’s email provider. Nevertheless, our overwhelming tendency to trust figures of authority, or an organization in this case, helps criminals carry out this phishing attack.
Users should be suspicious of SMS messages asking about verification codes, especially if they did not request one. If uncertain about an unexpected request, users can check with their email provider to confirm whether the message is legitimate. Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way. Remember, just because someone looks like a police officer and sounds like a police officer, that doesn’t mean you should hand over your car keys without seeing some ID first.
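The two rules above (a legitimate recovery SMS states a code and asks for nothing; a code you did not request is itself a warning sign) can be turned into a simple triage heuristic of the kind a mail client or carrier filter might run. The following is an added example written for this article, not code from Symantec or from any email provider. The `user_initiated_recovery` flag is a hypothetical signal (whether the handset owner just started a password-recovery flow themselves), and the sample messages are constructed, modelled on the lures quoted in the article, with made-up six-digit codes.

```python
"""Heuristic triage of incoming SMS for verification-code phishing.

Added example (not the article's or any provider's code). The sample
messages below are constructed and modelled on the lures described above.
"""
import re
from dataclasses import dataclass, field
from typing import List

# A provider's legitimate recovery SMS states a code and asks for nothing.
MENTIONS_CODE = re.compile(r"\b(?:verification\s+|security\s+)?code\b", re.I)
SIX_DIGITS = re.compile(r"\b\d{6}\b")
# A verb asking the recipient to act, followed within three words by
# "code" (or "it" standing in for the code): the tell-tale of the lure.
ASKS_FOR_CODE = re.compile(
    r"\b(?:respond|reply|send|text)\b(?:\s+\w+){0,3}?\s+(?:code|it)\b", re.I)
# Urgency pretext used to pressure the victim into replying.
URGENCY = re.compile(
    r"\b(?:unusual|unauthori[sz]ed|suspicious)\b.*?\b(?:activity|sign-?in|access)\b",
    re.I | re.S)


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def classify_sms(text: str, user_initiated_recovery: bool) -> Verdict:
    """Return why an SMS is suspicious, if it is.

    user_initiated_recovery is a hypothetical signal: True when the handset
    owner has just started a password-recovery flow themselves.
    """
    reasons: List[str] = []
    mentions_code = bool(MENTIONS_CODE.search(text))
    carries_code = bool(SIX_DIGITS.search(text))
    asks_for_code = bool(ASKS_FOR_CODE.search(text))

    if asks_for_code:
        reasons.append("asks the recipient to send back a verification code")
    if asks_for_code and URGENCY.search(text):
        reasons.append("urgency pretext paired with the request to respond")
    if mentions_code and carries_code and not asks_for_code and not user_initiated_recovery:
        # The code message itself may be genuine, but nobody on this handset
        # asked for it: someone else has started a recovery for this account.
        reasons.append("verification code arrived without a recovery request from the user")
    return Verdict(bool(reasons), reasons)


# Constructed sample traffic (codes are made up).
LEGIT_CODE = "Your Google Verification code is 482913."
LURE_1 = ("Google has detected unusual activity on your account. Please respond "
          "with the code sent to your mobile device to stop unauthorized activity.")
LURE_2 = ("We still detect an unauthorized sign-in to your account. Google just "
          "re-sent a verification code via text message: Please respond with it "
          "to help secure your Google account")
BENIGN_WARNING = "Your verification code is 775120. Do not share it with anyone."


def triage(messages, user_initiated_recovery: bool):
    """Classify a batch of messages; returns a list of (text, Verdict)."""
    return [(m, classify_sms(m, user_initiated_recovery)) for m in messages]


if __name__ == "__main__":
    for text, verdict in triage([LEGIT_CODE, LURE_1, LURE_2, BENIGN_WARNING], False):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{flag}] {text[:60]!r}")
        for reason in verdict.reasons:
            print(f"    - {reason}")
```

Run with the flag set to `False` (as in `__main__`) the genuine-looking code messages are flagged too, because an unsolicited recovery code means someone else is trying to get into the account; with the flag `True`, only the two lures asking the recipient to respond are flagged. The regular expressions are deliberately narrow (an imperative verb within three words of "code"), so a warning such as "Do not share it with anyone" is not mistaken for a request.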