To be honest, anyone that e-mails me requesting *anything* immediately raises my suspicions. In one way though it's good to see that not everyone is as evil-minded a bugger as I am.
Symantec has warned about a new password recovery scam that tricks users into handing over webmail account access, possibly setting the stage for more serious security issues. Crooks behind the social engineering ruse need only knowledge of a prospective mark’s email address and associated mobile phone number before attempting …
Because it is part of these companies' attempt to provide a type of two-factor authentication for password resets.
The more important question is how did the crooks know the phone number associated with the account. That implies it is a targeted attack where they have had to spend time gathering information on their victim.
@ David L Webb
Don't some services, like Facebook, try to be 'helpful' these days, and share some of that information when they sync address books? You can certainly look people up by phone number, and it's trivial to generate those.
I don't imagine it would be too hard to get a matched list of email addresses and mobile numbers if you were so minded.
Remember, it doesn't necessarily have to be a specific target individual. If all you want is *any* account that you can control, you can be pretty broad in your approach. You could, perhaps, run two searches against Facebook - one with a list of mobile numbers, and one with a list of email addresses. Spread out over a bot network, you can match facebook user names with both without triggering too many alerts. Then all you have to do is cross reference the user names from the two sets of results to give you a list of potential victims.
It wouldn't surprise me at all if the same can be done with other services. And there are likely plenty of other sources of information that, as experience has shown, can be all too leaky if the right staff member has the right amount of money waved at them.
"The more important question is how did the crooks know the phone number associated with the account."
One example scenario where this happens is because people running small businesses are (necessarily) publishing their phone number and contact email addresses - but using an address@ gmail or whoever instead of an address at their own domain (if they even have a domain name to start with).
Never underestimate the potential of mobile phone users to fall for this. With the huge number of mobile device users, the percentage of dimwit individuals translates into a large mass of suckers.
In case you didn't know (and I'll let Mr. Tim Worstall explain this in detail), one of the natural resources of capitalism is the sucker born every few minutes (I heard the rate is accelerating these days).
"According to Mr. Tim, a resource is unquantified. You have quantified it ("every few minutes"), and therefore it is a reserve."
An acute observation that shows insight! However, it remains a resource because whilst the rate may be quantified, it is not time bounded. Unless we have an end time specified for human reproduction, it is still an unquantified number of suckers.
"However it remains a resource because whilst the rate may be quantified, it is not time bounded."
A good counterpoint, but infinity has been invoked. Infinity can undermine an otherwise good calculation. The rate IS time bounded, and the time slice can be labeled as "on any given day". The approximate birth rate is known, the W.C. rate, while loose, is known, and simple arithmetic gives an approximate quantity. Granted, ambiguities exist (people can learn, and "you can fool some..."), but all reserve quantities are expressed in rounded numbers and are reserves nonetheless.
> "A good counterpoint, but infinity has been invoked. Infinity can undermine an otherwise good calculation. The rate IS time bounded, and the time slice can be labeled as "on any given day". The approximate birth rate is known, the W.C. rate, while loose, is known, and simple arithmetic gives an approximate quantity. Granted, ambiguities exist (people can learn, and "you can fool some..."), but all reserve quantities are expressed in rounded numbers and are reserves nonetheless."
All this is mathematically true, but we're talking economic theory which doesn't require mathematical proof. Oops, that came out wrong. ;)
Anyway, in mineral terms I believe the difference between a resource and a reserve is the former might be extractable for use, and the latter is extractable for use. But we should drop this or we run the risk of Tim Worstall appearing like Bloody Mary. He has the remarkable property of making me feel anti-capitalist, which I dislike because I am one.
Agreed. I too was worried that TW would drop in to 'clarify'. He has downplayed Keynes and applauded Friedman but was still tagged as a Lefty. He may be looking for revenge.
However, I do notice that you debated a point and THEN wanted to end the debate. So: it is quantified and immediately available for extraction and is therefore a reserve. I do agree with your point regarding mathematical proof and economic theory. Many national budgets support you.
Probably pretty averagely ...
Why does spam exist?
Why do fake lottery/estate/money emails exist?
Because enough people are stupid enough. Some people otherwise seem smart but when presented with text messages or emails seem to switch off their brain, or put it in neutral.
I am not at all sure that the "sender" number of the text message is checked in a suitable way by the network carrier. So it could possibly be the same number the code came from, or it could be 900913 (look! it says Google right there so it must be true, right?)
Yes, as a recovery process, it wouldn't make sense, but people will not stop to think if you put them into a situation they're not familiar with and give them instructions. If people always stopped to think about everything, nobody would ever take down the network interface they're currently logged in through to that server that's physically hard to get to, they wouldn't clap their hands when airport security asks them to, etc.
"How stupid do you have to be to not be even the slightest bit suspicious?"
They could make it more indirect and less suspect by instead saying enter the code at a given site they provide which could be well-disguised and pretty plausible. If they know the mark's e-mail address, they can post the same information that way and make it look even more plausible than the real deal.
As stupid as someone who sends all their money to a 419 scammer?
As stupid as someone who answers "Yes" when their O/S asks for permission to install that "FREE!!11!! Antiviruz scanner"?
As stupid as someone who takes it seriously when their Android phone tells them it's been taken over by US hackers and needs them to install this app quickly to fix it?
As stupid as someone who believes it when their MOT bloke tells them that surface rust on the wiper arms is a failure and sells them a new pair plus fitting at an exorbitant rate?
As stupid as a woman of 50 on holiday alone who believes that young Turkish barman just fell in love with them and not their passport/money at all?
Etc., ad nauseam...
Stupidity. Making scumbags richer since the dawn of time.
 I had a good laugh at that one.
Yes it is. Because many only want that as info to sell, not for security.
Nor is it a useful addition to security the way some providers are doing it.
If the crooks know your phone number, then it's pretty useless additional security anyway.
Also avoid SHARED logon / password schemes, and persuade your providers to disable them. For best security EVERYTHING needs different user & password.
Put them all in a little address book in a safe place so that the executor of your estate can sort out what you leave behind. Never keep it in your phone/tablet/netbook/laptop case.
At least Outlook.com, and I suspect others, don't actually tell you the mobile number of the mark. So you'll need three things:
1. My mobile number
2. The email address associated with said mobile number
3. End user stupid enough to send a verification code they haven't requested to someone asking for it that they weren't expecting either.
This isn't a "hack" or "scam". It's Symantec thinking of any possible way to trick someone. If they are such a moron that they get a verification code they haven't asked for, AND then ALSO forward it on as well, then they're too stupid to take part in society and their computer licence is revoked.
Bah! 5:18 on a Friday and still in the office. Can you tell?!
But think about all those data leaks we keep hearing about. Just suppose it's nothing more than the basics that gets lifted in a hack (so people go "meh, no credit card numbers"); just think what this scam could do with a list of names, emails, and phone numbers. Once you have access to the emails, then you probably have access to the user's postal address and lots more just by reading their emails.
Ask me for a phone number, you're getting my work number.
Ask me for my email, you're getting my "for orders only" email.
Ask me for my ZIP code when I'm purchasing something at a shop, you're getting my work ZIP (or a random one).
Any more questions?
// yes, I actively try to pollute databases...
"Ask me for my ZIP code when I'm purchasing something at a shop, you're getting my work ZIP (or a random one)."
Then your transaction gets declined because the ZIP doesn't match your home address, which is the one already on file with the credit card company. That's why they ask for the ZIP at gas stations and decline at-the-pump purchases if your ZIP doesn't match (or if you don't have one because it's a foreign card).
Maybe you are correct. However, before selling that number Google must confirm it is mine and here lies the difficult part. I'm trained to answer the phone only if the call comes from a very specific short list of contacts. For all the rest, they can always leave me a message and I'll get back to them if it is really important.
"...And the solution is not to avoid registering mobile phone number with webmail providers, since the process by itself offers security benefits because it underpins two-factor authentication options within, for example, Gmail..."
Actually, if I understand this scam correctly, the solution IS to not register my mobile phone number with Gmail. I mean, c'mon, man. Think about it.
I have a backup account on Gmail to fall back on, on those very rare occasions that my own domain's mail server gets the hiccups. Every now and then I'll check it to see if I missed any messages and to clear out the spam, and it seems as if every other time I log on there, Google pesters the shit out of me for my mobile number.
Cripes, Google, do I have the word "dumbass" tattooed on my forehead or something? Facebook didn't get my mobile number when I set up my now practically abandoned account there, and I'm sure as hell not going to be stupid enough to give it to you.
#1. Numerous times when I've been travelling, Google refused access to my account unless I agreed to provide a cellphone number and accept a verification text... If I refused, no access to Gmail!... Is that data blackmail or what! [Disclosure: I dumped Google because of this and the following point]
#2. My friends ratted on me... At the end of the day your privacy is only as good as the weakest link on your friends list. Why? Because once they have Gmail on their phone, your number, name, and email get synced back to their Gmail contacts. In turn, your phone gets linked back to your Gmail account.
Biting the hand that feeds IT © 1998–2020