
Cybercrims bypassing two-factor authentication with simple txt

18 Jun 2015

Strong passwords and two-factor authentication are no match for simple social engineering, it appears: security vendor Symantec is warning of a new password recovery scam that tricks users into handing over email account access.

The newly discovered scam lets attackers bypass two-factor authentication by abusing the password recovery feature offered by many email providers. That feature lets a user who has forgotten their password regain access to the account by, among other options, having a verification code sent to their mobile phone; the attacker triggers this recovery flow for the victim's address, so the provider sends the code to the victim's phone.

The attacker then follows up with a text – disguised as the email provider having detected ‘unusual activity’ on the account – requesting the code.

Believing the message is legitimate, the victim unwittingly gives the scammer access to their email account.

Once the cybercriminal has gained access to the email account, they can add an alternate email address to the account, configured so that they receive copies of all incoming email.

Symantec says it has seen an increase in this type of spear-phishing attack targeting mobile users with the majority of cases it observed affecting Gmail, Hotmail and Yahoo users.

Symantec principal research engineer Slawomir Grzonkowski says the social engineering attack is ‘very convincing’.

“We’ve already confirmed that people are falling for it,” Grzonkowski says.

“To pull off the attack, the bad guys need to know the target’s email address and mobile number, however these can be obtained without much effort.”

Grzonkowski says attackers have also been observed interacting with their victims when the verification code doesn’t work, by sending additional text messages.

“The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers,” Grzonkowski says.

“They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals.”

He says the simple yet effective attack method is significantly more economical than traditional spear-phishing, where an attacker would need to register a domain and set up a phishing site.

“In this case, the only cost to the bad guys is an SMS message.

“This method is also more difficult to detect, as it would have to be done by the user’s mobile software or by the mobile carrier.”

Grzonkowski is urging users to be suspicious of SMS messages asking about verification codes, especially if they didn’t request one.

“If uncertain about an unexpected request, users can check with their email provider to confirm if the message is legitimate,” Grzonkowski says.

“Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way.”
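As an added example (not code from Symantec or from the article), the following is a minimal screening heuristic of the kind the user's mobile software could apply, built on the distinction Grzonkowski draws: a genuine recovery SMS states the code and asks for nothing back, while the scam text asks the recipient to send the code on. The sample messages are constructed for this illustration.

```python
"""Heuristic screen for password-recovery SMS (defensive illustration).

A legitimate recovery message states a code and asks for nothing back; the
scam described above asks the recipient to reply with or forward the code,
usually under an 'unusual activity' pretext. Sample messages are constructed.
"""
import re

# A verification code: 4-8 digits, optionally split as "123 456" or "123-456".
CODE_RE = re.compile(r"\b\d{3,4}[ -]?\d{2,4}\b")
# The message talks about a code at all.
CODE_WORD_RE = re.compile(r"\b(verification|security|recovery)\s+code\b|\bcode\b", re.I)
# Verbs asking the recipient to do something with the code.
REQUEST_RE = re.compile(r"\b(reply|respond|send|forward|text back|provide|share)\b", re.I)
# Pretexts seen in the scam: 'unusual activity', threatened lock-out.
PRETEXT_RE = re.compile(r"\b(unusual|suspicious) activity\b|\baccount (?:will be )?(?:locked|suspended)\b", re.I)
# Negated advice such as "do not share this code" is not a request for the code.
NEGATED_RE = re.compile(r"\b(do not|don't|never)\s+(share|reply|respond|send|forward)\b", re.I)


def classify_sms(text: str) -> str:
    """Return 'legit_code', 'suspicious_code_request' or 'other'."""
    mentions_code = bool(CODE_WORD_RE.search(text))
    has_code = bool(CODE_RE.search(text))
    # Drop "do not share ..." style warnings before looking for request verbs.
    stripped = NEGATED_RE.sub("", text)
    asks_back = bool(REQUEST_RE.search(stripped))
    pretext = bool(PRETEXT_RE.search(text))
    if mentions_code and (asks_back or pretext):
        return "suspicious_code_request"
    if has_code and mentions_code and not asks_back:
        return "legit_code"
    return "other"


# Constructed samples (hypothetical, not from Symantec's report).
SAMPLES = [
    "Your Gmail verification code is 482913.",
    "Use 827 114 as your verification code. It expires in 10 minutes. Do not share it.",
    "We detected unusual activity on your account. Reply with the verification code you just received to keep it secure.",
    "Unusual activity detected on your account. Send us the code we just sent you to confirm it's you.",
    "Your package has shipped. Track it on the courier's website.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{classify_sms(msg):26s} | {msg}")
```

The rules are deliberately simple and will misfire on messages such as "Reply STOP to unsubscribe"; a carrier-side filter would combine them with sender reputation and the recovery provider's own sending numbers.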
