The scam is explained in the following short video made by Symantec.
(I say it’s a short video, and it is a short video at only 2 minutes 17 seconds. But clearly Symantec feels you have the attention span of a goldfish, so they’ve added a funky beat in the background to stop you from dozing off).
For those who can’t stand the background music, here is an explanation of how you can steal an email account, just by knowing your victim’s mobile phone number.
In the below example we will imagine that an attacker is attempting to hack into a Gmail account belonging to a victim called Alice.
Alice registers her mobile phone number with Gmail so that if she ever forgets her password Google will send her an SMS text message containing a rescue verification code so she can access her account.
A bad guy – let’s call him Malcolm – is keen to break into Alice’s account, but doesn’t know her password. However, he does know Alice’s email address and phone number.
So, he visits the Gmail login page and enters Alice’s email address. But Malcolm cannot correctly enter Alice’s password of course (because he doesn’t know it).
So instead he clicks on the “Need help?” link, normally used by legitimate users who have forgotten their passwords.
Rather than choosing one of the other options, Malcolm selects “Get a verification code on my phone: [mobile phone number]” to have an SMS message containing a six digit security code sent to Alice’s mobile phone.
This is where things get sneaky.
Because at this point, Malcolm sends Alice a text pretending to be Google, and saying something like:
“Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.”
Alice, believing the message to be legitimate, replies with the verification code she has just been sent by Google.
Malcolm can then use the code to set a temporary password and gain control over Alice’s email account.
If Malcolm is keen not to raise suspicion, and wants to continue seeing every email Alice receives for the foreseeable future, he may reconfigure her account to automatically forward future messages to an address under his control, and then send her an SMS containing the newly reset password:
“Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]”
Even if Alice changes her password at a later date, Malcolm will continue to receive her private email correspondence unless she looks carefully at her account’s settings.
In short – it’s a nasty piece of social engineering which it’s easy to imagine working against many people.
So, what’s the solution?
Well, the simplest advice is to be suspicious of SMS messages that ask you to text back a verification code – in particular if you did not request a verification code in the first place.
However, I wonder how many people when faced with a message that they believe to be from Google or Yahoo would act upon it immediately, with little thinking of the consequences. After all, one of the biggest worries many people might have in this day and age is to be cut off from their email account.
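The pattern described above has a recognisable shape on the victim's handset: a genuine verification-code text arrives, and shortly afterwards a message from a different sender asks for that code to be sent back. The following is an added example (not from the original post or from Symantec) of a simple detector for that sequence over a constructed SMS log; the sender names, timestamps and message wording are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed SMS log for illustration: (timestamp, sender, text). Not real traffic.
SMS_LOG = [
    ("2014-06-02 09:00:00", "Google", "Your Google verification code is 482913"),
    ("2014-06-02 09:01:10", "+15551234567",
     "Google has detected unusual activity on your account. Please respond with "
     "the code sent to your mobile device to stop unauthorized activity."),
    ("2014-06-02 12:30:00", "Google", "Your Google verification code is 118822"),
    ("2014-06-02 18:00:00", "Mum", "Are you coming for dinner on Sunday?"),
]

# A verification-code message carries a six-digit code (assumed format).
CODE_RE = re.compile(r"\b\d{6}\b")
# A relay request asks the recipient to respond/reply/send/text "the code".
ASK_BACK_RE = re.compile(r"\b(respond|reply|send|text)\b.{0,40}\bcode\b", re.I)
# How soon after a real code a relay request must arrive to be correlated.
WINDOW = timedelta(minutes=15)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_code_relay_attempts(log, window=WINDOW):
    """Return messages that ask for a code to be sent back and that arrived
    within `window` after a genuine code message from a different sender."""
    code_msgs = [(parse(t), s) for t, s, body in log
                 if CODE_RE.search(body) and not ASK_BACK_RE.search(body)]
    suspicious = []
    for t, sender, body in log:
        if not ASK_BACK_RE.search(body):
            continue
        when = parse(t)
        for code_when, code_sender in code_msgs:
            # Correlate only with codes sent earlier, by someone else, inside the window.
            if code_sender != sender and timedelta(0) <= when - code_when <= window:
                suspicious.append({"time": t, "sender": sender,
                                   "code_sender": code_sender, "text": body})
                break
    return suspicious


if __name__ == "__main__":
    for hit in find_code_relay_attempts(SMS_LOG):
        print(f"{hit['time']} {hit['sender']}: asks to relay a code sent by {hit['code_sender']}")
```

The correlation raises confidence, but a legitimate service never asks you to text a code back, so an unmatched request of this kind is still worth treating as suspicious.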
For more details, check out the blog post by Symantec’s Slawomir Grzonkowski.
And for advice on how to better protect your web email account, be sure to listen to this episode of the “Smashing Security” podcast: