Some of the most effective scams are often very simple; take for example dressing up as a police officer and asking someone to hand over the keys to their car.
The average person on the street would probably hand them over without question, and this is why impersonating a police officer is classed as a very serious crime the world over. This scam has two things going for it: its simplicity and the fact that people have an overwhelming tendency to trust figures of authority.
These two qualities work just as well in the world of cybercrime, and we recently came across a case that proves it. Lately we have observed an increase in a particular type of spear-phishing attack that targets mobile users and puts their privacy and security at risk. The purpose of the attack is to gain access to the victim’s email account. The social engineering involved is very convincing, and we have already confirmed that people are falling for it.
To pull off the attack, the bad guys need to know only the target’s email address and mobile number, both of which can usually be obtained without much effort. The attackers abuse the password recovery feature offered by many email providers, which lets a user who has forgotten their password regain access by, among other options, having a verification code sent to their mobile phone. Anyone who knows the address can trigger that flow, and the provider sends the code to the phone number on file, that is, to the legitimate owner. The only thing standing between the attacker and the account is persuading the owner to hand the code over, which is exactly what the social engineering is for.
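The following is an added example, not code from the article or from any provider or vendor, that models the recovery flow described above and the social-engineering step that turns it into a takeover. The provider, the six-digit code format, the code lifetime, the account details and the wording of both the genuine and the spoofed text message are all assumptions made for the simulation; the lure text in particular is constructed and is not quoted from any observed campaign. The point the model makes is that the provider's recovery endpoint accepts the code from whoever presents it, so the attacker never needs the victim's password, only the victim's cooperation. A small heuristic at the end shows the one property a user can check: the genuine message only states the code, it never asks for it back.

```python
import re
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed code lifetime; real providers vary


class Provider:
    """Minimal model of an email provider with SMS-based password recovery (assumed)."""

    def __init__(self):
        self.accounts = {}   # email -> {"phone": ..., "password": ...}
        self.pending = {}    # email -> (code, expiry timestamp)
        self.outbox = []     # (phone, text) for every SMS the provider sends

    def register(self, email, phone, password):
        self.accounts[email] = {"phone": phone, "password": password}

    def start_recovery(self, email):
        """Anyone who knows the address can trigger this. The code goes to the
        phone number on file, i.e. to the legitimate owner, not to the requester."""
        acct = self.accounts[email]
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = (code, time.time() + CODE_TTL_SECONDS)
        # The genuine message only delivers the code; it never asks for a reply.
        self.outbox.append((acct["phone"], f"Your verification code is {code}."))

    def finish_recovery(self, email, code, new_password):
        """Whoever presents a correct, unexpired code may set a new password,
        regardless of who asked for the code to be sent."""
        entry = self.pending.get(email)
        if entry is None or time.time() > entry[1]:
            return False
        if not secrets.compare_digest(entry[0], code):
            return False
        del self.pending[email]
        self.accounts[email]["password"] = new_password
        return True

    def login(self, email, password):
        return secrets.compare_digest(self.accounts[email]["password"], password)


# Constructed lure text: an assumption about what a spoofed message might say,
# not a quote from the article or from any real campaign.
LURE = ("Unusual activity detected on your account. Reply with the "
        "verification code we just sent to keep your account from being locked.")

CODE_RE = re.compile(r"\b\d{6}\b")
HARVEST_RE = re.compile(r"\b(reply|send|forward|text)\b.*\b(code|pin)\b", re.I)


def asks_for_code(sms_text):
    """Heuristic: a message asking the recipient to reply with or send a code is a
    harvesting attempt. A real delivery SMS states the code and asks for nothing."""
    return bool(HARVEST_RE.search(sms_text))


def run_attack(victim_forwards_code):
    """Simulate the attack; return True if the attacker ends up logged in."""
    provider = Provider()
    provider.register("victim@example.com", "+15550001111", "original-pw")

    # The attacker knows only the address and phone number and triggers recovery.
    provider.start_recovery("victim@example.com")
    phone_inbox = [text for phone, text in provider.outbox if phone == "+15550001111"]

    # The spoofed SMS arrives on the victim's phone right after the genuine one.
    phone_inbox.append(LURE)

    attacker_code = None
    if victim_forwards_code:
        # The victim reads the code out of the genuine message and replies with it.
        attacker_code = CODE_RE.search(phone_inbox[0]).group(0)
    if attacker_code is None:
        return False
    if not provider.finish_recovery("victim@example.com", attacker_code, "attacker-pw"):
        return False
    return provider.login("victim@example.com", "attacker-pw")
```

Running `run_attack(True)` shows the full compromise: the recovery endpoint has no way to tell that the code came back through the attacker, because possession of the code is the only thing it checks. `run_attack(False)` shows that the attack fails at the one step the victim controls, and `asks_for_code` captures the tell a user can rely on: a provider's own code-delivery message never asks you to send the code anywhere.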
Hackers are compromising accounts with just a text message and a little social engineering. The majority of cases we observed affect Gmail, Hotmail, and Yahoo Mail users. Using Gmail as an example, the following steps describe how the attack works. There is a video that shows you how attackers pull off this attack against unsuspecting users.