Theft of e-mail accounts with social engineering

We have heard of phishing attacks, but there is a new kind of social engineering that uses the mobile phone to trick the victim in a very easy and effective way.

A Symantec video explains a new social engineering technique that attackers use to compromise any e-mail account.

The idea is simple: if you want to reset someone's password, all you really need is their mobile number.

The anatomy of the attack in the video is quite simple, but it is surprisingly effective:

1. The attacker sends the victim a text from an unknown number, warning that the victim will receive a code to ensure the Google account is secure and asking the victim to reply with that code to confirm it.
2. The attacker triggers the Gmail password reset process, which sends a message containing an unlock code to the victim's phone.
3. The user receives the code announced in the earlier text and sends it back to the attacker.
4. The attacker can then unlock the Gmail account without any problems.

The video presents a new concept that would probably be quite effective against a great many mobile phone owners.

Many, if not most, would probably reply to an unknown number, simply assuming it really is the company.

The same attack could also be used to bypass services that use two-factor authentication, although it's worth noting that Google sends an SMS if this authentication is set up.

The problem with this kind of attack is that no one can stop it. The only measure of protection is to educate users, which will reduce the risk of falling into such traps.

So if at some point you get a message from any number asking for your password, confirmation code or any other personal information, you should not answer.

There is no reason for anyone to ask you for the above (or any other) information via SMS.
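The sequence described above leaves a recognizable pattern in an inbox: a request for a code from an unknown number, and a genuine code message from a different sender close to it in time. The following is an added example, not part of the original article or the Symantec video, of a heuristic that flags that pairing; the message format, keyword patterns, 15-minute window, sender names and sample messages are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Wording that asks the recipient to send a code back (assumed, not exhaustive).
ASKS_FOR_CODE = re.compile(
    r"\b(reply|respond|send|text)\b.{0,60}\b(code|password)\b", re.I | re.S)
# A message that itself delivers a numeric code, such as a reset SMS.
CARRIES_CODE = re.compile(r"\b\d{6}\b")
WINDOW = timedelta(minutes=15)  # assumed correlation window


def flag_code_relay(messages, contacts):
    """Pair each code request from an unknown sender with a code-bearing
    message from a different sender that arrived within WINDOW of it."""
    requests = [m for m in messages
                if m["sender"] not in contacts
                and ASKS_FOR_CODE.search(m["body"])]
    codes = [m for m in messages
             if CARRIES_CODE.search(m["body"])
             and not ASKS_FOR_CODE.search(m["body"])]
    return [(req, code) for req in requests for code in codes
            if code["sender"] != req["sender"]
            and abs(code["time"] - req["time"]) <= WINDOW]


T0 = datetime(2024, 1, 1, 10, 0)  # arbitrary constructed timestamp
SAMPLE_INBOX = [  # constructed messages, not real traffic
    {"time": T0, "sender": "+15550100",
     "body": "To keep your account secure you will receive a code. "
             "Please reply with the code to confirm."},
    {"time": T0 + timedelta(minutes=2), "sender": "SVC-CODES",
     "body": "Your verification code is 482913"},
    {"time": T0 + timedelta(hours=5), "sender": "BANK",
     "body": "Your one-time code is 771204"},
    {"time": T0 + timedelta(hours=6), "sender": "Mum",
     "body": "Can you send me the door code?"},
]
CONTACTS = {"Mum"}  # senders the user already knows

if __name__ == "__main__":
    for req, code in flag_code_relay(SAMPLE_INBOX, CONTACTS):
        print(f"Do not reply to {req['sender']}: it asks for the code "
              f"that {code['sender']} sent at {code['time']:%H:%M}")
```

A hit means the code should be treated as the result of a reset someone else started, not as something to forward.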


Written by giorgos
