Symantec: hacked Gmail, Hotmail and Yahoo Mail accounts with simple SMS

Symantec today describes a new method that hackers are using to deceive mobile phone users. Some of the most effective frauds are often carried out in the simplest way, for example when a police officer asks us to hand over the keys to our car.

The average person on the road will probably hand them over without a second thought. This fraud is characterized by two important elements that make it particularly plausible: its simplicity, and the fact that people usually trust those who present themselves as police officers or other public authorities. Cyber criminals act in the same way today.

Lately, according to Symantec, there has been an increase in a particular type of phishing attack targeted at mobile phone users. The ultimate goal is to access the victim's e-mail account. This social engineering attack is very persuasive and users are easily trapped.

For the attack to succeed, hackers need to know the target's e-mail address and mobile phone number, data that can be obtained without much effort. Attackers abuse the password recovery feature that many e-mail providers offer to help users regain access to their accounts, among other options, with a verification code that users receive on their mobile phone (which is why the phone number is also needed).

The majority of cases reported by Symantec concern Gmail, Hotmail, and Yahoo Mail users. Using Gmail for example, the following steps describe how the attack works:
• The victim registers a mobile phone number in Gmail so that, if he forgets the password, Google sends a text message with a verification code and the user can access his account.
• The hacker wants to break into the user's account but does not know the password. He knows the email address and phone number. The hacker visits the Gmail login page, enters the user's details (but without the password) and then asks for help via the "Need help?" link. This link is meant for users who have forgotten their login information.
• The system gives the hacker many options, including "Enter the last password you remember" and "Confirm password reset on my [MAKE AND MODEL] phone", but he skips these until he is given the option "Get a verification code on my phone: [MOBILE PHONE NUMBER]".
• The hacker selects this option, so that the victim receives an SMS message with the six-digit verification code on his or her phone.
• The user receives a message that says "Your Google Verification code is [SIX-DIGIT CODE]."
• The hacker sends the user an SMS message that says something like: "Google has detected unusual activity on your account. Reply with the password sent to your mobile phone to prevent any unauthorized activity."
• The user believes the message is trustworthy and responds with the verification code.
• The hacker uses the verification code to obtain a temporary password and then gets into the e-mail account and its data.

The hacker's "communication" with his victims does not stop there. Several hackers keep sending messages to their victims when something goes wrong with the login and the codes. Of course, the messages remain simple and plausible, so that the victims are persuaded without much effort.

Once the attacker gains access to the user's account, he may, for example, add an alternate email address to the account and thus have copies of all messages forwarded to that address.

Symantec even states that hackers send a "thank you" message to their victims, which usually takes the form "Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]".

This makes the phishing attack even more believable, since the victim considers all the correspondence legitimate and believes that his account is now secure.

The cybercriminals behind this type of attack do not seem to be focused on financial gain, as is the case with stealing credit card numbers, for example. It seems that they are trying to collect information about their victims, and not en masse but about specific individuals. Their method is similar to the methods used by APT groups.

This simple but highly effective attack method is much more cost-effective than traditional spear-phishing attacks, where an attacker has to register a domain and create a phishing site. In this case, the only cost incurred by hackers is the SMS message, and the method is very difficult to detect, since detection would have to be done by special software on the mobile phone or by the respective mobile operator.

Symantec advises users to be suspicious of SMS messages asking for verification codes, especially if they did not request the codes themselves.

If we are not sure about a message we received, we should check its origin with our email provider to confirm that the message is legitimate.

Legitimate password recovery messages usually contain only the verification code and do not ask the user to respond in any way.
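The rule above can be turned into a simple check on the phone or at the operator: a genuine code SMS never asks for a reply, so a reply request that arrives shortly after one, from a different sender, is the pattern this attack produces. The following is an added example, not code from Symantec or the original article; the function name, regular expressions, 30-minute window, sender labels and sample messages are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Heuristic patterns modelled on the message wording quoted in the article (assumption).
CODE_DELIVERY = re.compile(r"\bverification code is\s+\d{6}\b", re.I)
REPLY_REQUEST = re.compile(r"\b(reply|respond)\b.*\b(code|password)\b", re.I | re.S)
WINDOW = timedelta(minutes=30)  # assumed correlation window


def flag_code_relay_sms(messages):
    """messages: (timestamp, sender, text) tuples sorted by time.
    Returns (timestamp, sender, severity) for every suspicious message."""
    alerts = []
    last_code = None  # (timestamp, sender) of the latest genuine-looking code SMS
    for ts, sender, text in messages:
        asks_reply = bool(REPLY_REQUEST.search(text))
        if CODE_DELIVERY.search(text) and not asks_reply:
            last_code = (ts, sender)  # provider message: code only, no request
            continue
        if asks_reply:
            follows_code = (last_code is not None
                            and ts - last_code[0] <= WINDOW
                            and sender != last_code[1])
            # "high": request arrives right after a real code from another sender
            alerts.append((ts, sender, "high" if follows_code else "medium"))
    return alerts


# Constructed sample inbox (fictional numbers, placeholder short code).
SAMPLE = [
    (datetime(2024, 1, 1, 10, 0), "SHORTCODE-A",
     "Your Google verification code is 123456"),
    (datetime(2024, 1, 1, 10, 2), "+15550100",
     "Google has detected unusual activity on your account. Reply with the "
     "password sent to your mobile phone to prevent any unauthorized activity."),
    (datetime(2024, 1, 1, 18, 0), "+15550111", "Running late, see you at 7"),
    (datetime(2024, 1, 2, 9, 0), "+15550123",
     "Please respond with your verification code to keep your account active."),
]

if __name__ == "__main__":
    for ts, sender, severity in flag_code_relay_sms(SAMPLE):
        print(ts.isoformat(), sender, severity)
```
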

Always remember that even if someone looks like a police officer or superior authority, that does not necessarily mean we have to hand over our data without asking for a corresponding confirmation of his identity.
Check out an interesting Symantec video of how attacks are being carried out on unsuspecting users in practice:


Written by Dimitris
