Webmail password reset scam lays groundwork for serious aggro

Symantec has warned about a new password recovery scam that tricks users into handing over webmail account access, possibly setting the stage for more serious security issues. Crooks behind the social engineering ruse need only knowledge of a prospective mark’s email address and associated mobile phone number before attempting …

  1. ZSn

    Obvious

    To be honest anyone that E-mails me requesting *anything* immediately raises my suspicions. In one way though it's good to see that not everyone is as evil minded a bugger as I am.

  2. JP19

    So why

    did you give google or yahoo your phone number in the first place?

    1. David L Webb

      Re: So why

      Because it is part of these companies attempt to provide a type of two factor authentication for password resets.

      The more important question is how did the crooks know the phone number associated with the account. That implies it is a targeted attack where they have had to spend time gathering information on their victim.

      1. 2+2=5 Silver badge
        Joke

        Re: So why

        > The more important question is how did the crooks know the phone number associated with the account.

        The US Office of Personnel Management supplied the necessary information...

      2. LDS Silver badge

        Re: So why

        It's true, but you're also handing them a perfectly unique identifier across several domains, regardless of what account ID you chose. That's why mail companies and ads/data harvester ones should be split.

      3. Nigel Whitfield.

        Re: So why

        @ David L Webb

        Don't some services, like Facebook, try to be 'helpful' these days, and share some of that information when they sync address books? You can certainly look people up by phone number, and it's trivial to generate those.

        I don't imagine it would be too hard to get a matched list of email addresses and mobile numbers if you were so minded.

        Remember, it doesn't necessarily have to be a specific target individual. If all you want is *any* account that you can control, you can be pretty broad in your approach. You could, perhaps, run two searches against Facebook - one with a list of mobile numbers, and one with a list of email addresses. Spread out over a bot network, you can match Facebook user names with both without triggering too many alerts. Then all you have to do is cross-reference the user names from the two sets of results to give you a list of potential victims.

        It wouldn't surprise me at all if the same can be done with other services. And there are likely plenty of other sources of information that, as experience has shown, can be all too leaky if the right staff member has the right amount of money waved at them.

      4. VinceH Silver badge

        Re: So why

        "The more important question is how did the crooks know the phone number associated with the account."

      One example scenario where this happens is because people running small businesses are (necessarily) publishing their phone number and contact email addresses - but using an address at Gmail or whoever instead of an address at their own domain (if they even have a domain name to start with).

    2. David Pollard

      Re: So why

      Because a local supermarket had free PAYG SIM cards and a half-price top-up voucher, so the relative anonymity plus security that this provides was not expensive. The 'phones too can be as little as £10, which isn't too bad for backup.

  3. Ilsa Loving

    How stupid do you have to be?

    Let's see, you get a verification code texted to you, and then some random person texts you, asking you for the code you just got.

    How stupid do you have to be to not be even the slightest bit suspicious?

    1. Anonymous Coward

      Re: How stupid do you have to be?

      Never underestimate the potential of mobile phone users to fall for this. With the huge number of mobile device users, the percentage of dimwit individuals translates into a large mass of suckers.

      In case you didn't know (and I'll let Mr. Tim Worstall explain this in detail), one of the natural resources of capitalism is the sucker born every few minutes (I heard the rate is accelerating these days).

      1. iLuddite

        Re: How stupid do you have to be?

        @AC

        According to Mr. Tim, a resource is unquantified. You have quantified it ("every few minutes"), and therefore it is a reserve.

        1. h4rm0ny

          Re: How stupid do you have to be?

          "According to Mr. Tim, a resource is unquantified. You have quantified it ("every few minutes"), and therefore it is a reserve."

          An acute observation that shows insight! However it remains a resource because whilst the rate may be quantified, it is not time bounded. Unless we have an end time specified for human reproduction, it is still an unquantified number of suckers.

          1. iLuddite

            Re: Re: How stupid do you have to be?

            @h4rm0ny

            "However it remains a resource because whilst the rate may be quantified, it is not time bounded."

            A good counterpoint, but infinity has been invoked. Infinity can undermine an otherwise good calculation. The rate IS time bounded, and the time slice can be labeled as "on any given day". The approximate birth rate is known, the W.C. rate, while loose, is known, and simple arithmetic gives an approximate quantity. Granted, ambiguities exist (people can learn, and "you can fool some..."), but all reserve quantities are expressed in rounded numbers and are reserves none the less.

            1. h4rm0ny

              Re: Re: How stupid do you have to be?

              >>"A good counterpoint, but infinity has been invoked. Infinity can undermine an otherwise good calculation. The rate IS time bounded, and the time slice can be labeled as "on any given day". The approximate birth rate is known, the W.C. rate, while loose, is known, and simple arithmetic gives an approximate quantity. Granted, ambiguities exist (people can learn, and "you can fool some..."), but all reserve quantities are expressed in rounded numbers and are reserves none the less."

              All this is mathematically true, but we're talking economic theory which doesn't require mathematical proof. Oops, that came out wrong. ;)

              Anyway, in mineral terms I believe the difference between a resource and a reserve is the former might be extractable for use, and the latter is extractable for use. But we should drop this or we run the risk of Tim Worstall appearing like Bloody Mary. He has the remarkable property of making me feel anti-capitalist, which I dislike because I am one.

              1. iLuddite

                Re: Re: How stupid do you have to be?

                Agreed. I too was worried that TW would drop in to 'clarify'. He has downplayed Keynes and applauded Friedman but was still tagged as a Lefty. He may be looking for revenge.

                However, I do notice that you debated a point and THEN wanted to end the debate. So: it is quantified and immediately available for extraction and is therefore a reserve. I do agree with your point regarding mathematical proof and economic theory. Many national budgets support you.

                There, ended:)

                1. h4rm0ny
                  Pint

                  Re: Re: How stupid do you have to be?

                  >>"However, I do notice that you debated a point and THEN wanted to end the debate."

                  Touché. I had not even noticed I had done that - most unfair. Instead, I am content to end on your counterpoint and amusing note on national economies.

                  Beer on me! :)

    2. Mage Silver badge
      Paris Hilton

      Re: How stupid do you have to be?

      Probably pretty averagely ...

      Why does spam exist?

      Why do fake lottery/estate/money emails exist?

      Because enough people are stupid enough. Some people otherwise seem smart but when presented with text messages or emails seem to switch off brain, or put it in neutral.

    3. LDS Silver badge

      Re: How stupid do you have to be?

      Because you remember the number Google texts you from?

    4. Anonymous Coward

      Re: How stupid do you have to be?

      I am not at all sure that the "sender" number of the text message is checked in a suitable way by the network carrier. So it could possibly be the same number the code came from, or it could be 900913 (look! says google right there so it must be true, right?)

      Yes, as a recovery process, it wouldn't make sense, but people will not stop to think if you put them into a situation they're not familiar with and give them instructions. If people always stopped to think about everything, nobody would ever take down the network interface they're currently logged in through to that server that's physically hard to get to, they wouldn't clap their hands when airport security asks them to, etc.

    5. Charles 9 Silver badge

      Re: How stupid do you have to be?

      "How stupid do you have to be to not be even the slightest bit suspicious?"

      They could make it more indirect and less suspect by instead saying enter the code at a given site they provide which could be well-disguised and pretty plausible. If they know the mark's e-mail address, they can post the same information that way and make it look even more plausible than the real deal.

      1. Johan Bastiaansen

        Re: How stupid do you have to be?

        I was very suspicious when Google and Microsoft (Windows 8) asked for my mobile number. But they insisted and there was no way around it.

        1. John McCallum

          Re: How stupid do you have to be?

          Google keeps asking for my mobile Number but I have no difficulty in ignoring it.(Windows 7)

    6. TeeCee Gold badge
      Facepalm

      Re: How stupid do you have to be?

      As stupid as someone who sends all their money to a 419 scammer?

      As stupid as someone who answers "Yes" when their O/S asks for permission to install that "FREE!!11!! Antiviruz scanner"?

      As stupid as someone who takes it seriously when their Android phone tells them it's been taken over by US hackers and needs them to install this app quickly to fix it?

      As stupid as someone who believes it when their MOT bloke tells them that surface rust on the wiper arms is a failure and sells them a new pair plus fitting at an exorbitant rate[1]?

      As stupid as a woman of 50 on holiday alone who believes that young Turkish barman just fell in love with them and not their passport/money at all?

      Etc ad nauseam........

      Stupidity. Making scumbags richer since the dawn of time.

      [1] I had a good laugh at that one.

  4. Mage Silver badge
    Black Helicopters

    solution is not to avoid registering mobile phone number with webmail providers

    Yes it is. Because many only want that as info to sell, not for security.

    Nor is it a useful addition to security the way some providers are doing it.

    If the crooks know your phone number, then it's pretty useless additional security anyway.

    Also avoid SHARED logon / password schemes, and persuade your providers to disable them. For best security EVERYTHING needs different user & password.

    Put them all in a little address book in a safe place so that the executor of your estate can sort out what you leave behind. Never keep it in your phone/tablet/netbook/laptop case.

    1. Charles 9 Silver badge

      Re: solution is not to avoid registering mobile phone number with webmail providers

      So what alternative is there to out-of-band authentication if you can't trust your mobile as the second factor?

      1. h4rm0ny

        Re: solution is not to avoid registering mobile phone number with webmail providers

        >>"So what alternative is there to out-of-band authentication if you can't trust your mobile as the second factor?"

        Bruce Schneier?

  5. The Original Steve

    Um... Not quite as easy...

    At least Outlook.com, and I suspect others, don't actually tell you the mobile number of the mark. So you'll need three things:

    1. My mobile number

    2. The email address associated with said mobile number

    3. End user stupid enough to send a verification code they haven't requested to someone asking for it that they weren't expecting either.

    This isn't a "hack" or "scam". It's Symantec thinking of any possible way to trick someone. If they are such a moron that they get a verification code they haven't asked for, AND then ALSO forward it on as well, then they're too stupid to take part in society and their computer licence is revoked.

    Bah! 5:18 on a Friday and still in the office. Can you tell?!

    1. SImon Hobson Silver badge

      Re: Um... Not quite as easy...

      But think about all those data leaks we keep hearing about. Just suppose it's nothing more than the basics that gets lifted in a hack (so people go "meh, no credit card numbers"), just think what this scam could do with a list of names, email, and phone. Once you have access to the emails, then you probably have access to the users postal address and lots more just by reading their emails.

  6. Mike 125

    Insane

    Giving up a mobile number to a free webmail provider is about as dumb as it gets. That's obvious.

    As for the scam, it just goes to show that adding complexity doesn't imply better security. It nearly always implies the opposite.

    1. Peter Simpson 1
      Thumb Up

      Re: Insane

      Ask me for a phone number, you're getting my work number.

      Ask me for my email, you're getting my "for orders only" email

      Ask me for my ZIP code when I'm purchasing something at a shop, you're getting my work ZIP (or a random one).

      Any more questions?

      // yes, I actively try to pollute databases...

      1. Charles 9 Silver badge

        Re: Insane

        "Ask me for my ZIP code when I'm purchasing something at a shop, you're getting my work ZIP (or a random one)."

        Then your transaction gets declined because the ZIP doesn't match your home address, which is the one already on file with the credit card company. That's why they ask for the ZIP at gas stations and decline at-the-pump purchases if your ZIP doesn't match (or if you don't have one because it's a foreign card).

  7. Alistair Silver badge
    Coat

    software 2fa

    I have a software token that I can run on windows/linux/android (and to my knowledge iOS) - that is based on a pair of numbers (serial # and a random pin string) that works for *several* services I use.

    No, google doesn't get my phone number.

    1. Anonymous Coward

      Re: software 2fa

      "No, google doesn't get my phone number."

      They probably know it anyway since they can dig through telephone directories, including hidden numbers which the phone companies must know in order to connect you.

      1. LDS Silver badge

        Re: software 2fa

        Even if so, still they need to match them to your Google account and all the related cookies set on your devices - and the best way is to lure you into doing it yourself...

      2. Anonymous Coward

        @AC - Re: software 2fa

        Maybe you are correct. However, before selling that number Google must confirm it is mine and here lies the difficult part. I'm trained to answer the phone only if the call comes from a very specific short list of contacts. For all the rest, they can always leave me a message and I'll get back to them if it is really important.

  8. Mike Flugennock
    Coffee/keyboard

    Ouch, my brain exploded

    "...And the solution is not to avoid registering mobile phone number with webmail providers, since the process by itself offers security benefits because it underpins two-factor authentication options within, for example, Gmail..."

    Actually, if I understand this scam correctly, the solution IS to not register my mobile phone number with Gmail. I mean, c'mon, man. Think about it.

    I have a backup account on Gmail to fall back on, on those very rare occasions that my own domain's mail server gets the hiccups. Every now and then I'll check it to see if I missed any messages and to clear out the spam, and it seems as if every other time I log on there, Google pesters the shit out of me for my mobile number.

    Cripes, Google, do I have the word "dumbass" tattooed on my forehead or something? Facebook didn't get my mobile number when I set up my now practically abandoned account there, and I'm sure as hell not going to be stupid enough to give it to you.

    1. Anonymous Coward

      Re: Ouch, my brain exploded

      And Yahoo too, they're trying to drive me nuts every time I login to my mail. They're all bastards!

  9. chivo243 Silver badge
    FAIL

    cynical old git

    I have never given any webmail service my mobile number. They're persistent bastards too, I'm looking at you Yahoo and Google... I rarely use text messaging either, so if I do get a text message, and it's not from the missus or the boss, it usually gets disregarded...

  10. Anonymous Coward

    "So why did you give google or yahoo your phone number in the first place?"

    #1. Numerous times when I've been travelling Google refused access to my account unless I agreed to provide a cellphone number and accept a verification text... If I refused, no access to Gmail!... Is that data blackmail or what! [Disclosure: I dumped Google because of this and the following point]

    #2. My friends ratted on me... At the end of the day your privacy is only as good as the weakest link on your friends list. Why? Because once they have Gmail on their phone, your number, name, email gets sync'd back to their gmail contacts. In-turn your phone gets linked back to your gmail account.

  11. Anonymous Coward

    Graham Cluely?

    Very fitting name.


Biting the hand that feeds IT © 1998–2019