How to Hack an Email Account with Just a Phone Number – PoC
It's a well-known fact that our email IDs and mobile numbers are no longer private and known only to our contacts. Extensive lists containing hundreds of thousands of email addresses and phone numbers are sold to everyone from marketing agencies to groups with criminal motives. Recent research has discovered how these two pieces of information are increasingly being used in a type of "spear-phishing attack." The goal of this phishing attempt is to hack into email accounts, and it is achieved with nothing but a mobile number.
While we receive many spam messages in both our text inbox and our email account, most of us know that these are spam and not to be bothered with. However, things get murkier when the names of "authority figures" are used to send these same emails or text messages.
For example, you often receive verification codes from Google, Facebook, and any other service for which you have enabled 2-step verification. The process asks you to enter the texted string on your browser screen. The guise of these same organizations is being used in a social engineering attack to convince victims that the messages are really being sent by Google, Hotmail, and other similar services.
Here is how this social engineering password recovery scam works:
- The attacker first obtains your email ID and your mobile number.
- The attacker uses the password recovery feature offered by the email provider; a verification code is sent to your mobile phone.
- Meanwhile, the victim receives a text from an unknown number asking them to verify their account "to ensure account security" by replying with the verification code (the one sent by the email provider in the step above).
- The text reads something like this: "This is Google. There has been unauthorized activity on your account. Please reply with your verification code."
- If the code doesn't work, the victim receives another text: "We still detect an unauthorized sign-in to your account. Google just re-sent a verification code via text message: Please respond with it to help secure your Google account."
- Once the victim responds with the official verification code, the attacker gains access to the victim's mail account without detection.
What makes this social engineering phishing attack genius is that it requires no hacking skills. Anyone who has your email ID and phone number can carry it out, which makes the attack quite serious in nature.
The only thing you can do to protect yourself from this and all similar attacks is to never respond to text messages or emails that claim to come from Google, Hotmail, Yahoo, and other such services. Remember, these services only send you information, such as a verification code; they never ask you to reply with it. So don't fall victim to these attacks, and always be cautious of spam messages.
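The defensive rule above (a genuine service delivers a code but never asks you to send one back) can be turned into a simple filter for inbound SMS. The following is an added example written for this article, not code from the article's author or from Symantec. It applies three checks to each message: does it name a commonly impersonated service, does it talk about a code, and does it ask the recipient to reply. Only a message that hits all three is flagged, so a real "G-123456 is your verification code" message passes. The brand list, the regular expressions and the sample messages are all assumptions constructed for the demonstration; the first two samples paraphrase the texts quoted in the article.

```python
import re

# Constructed sample inbound SMS texts for demonstration only. The first two
# paraphrase the messages quoted in the article; the others are invented
# benign messages (real-looking provider codes and an ordinary personal text).
SAMPLE_MESSAGES = [
    "This is Google. There has been unauthorized activity on your account. "
    "Please reply with your verification code.",
    "We still detect an unauthorized sign-in to your account. Google just "
    "re-sent a verification code via text message: Please respond with it "
    "to help secure your Google account.",
    "G-482913 is your Google verification code.",
    "Your Hotmail security code is 771203. Do not share this code with anyone.",
    "Lunch at 1? Reply with yes or no.",
]

# Service names the scam impersonates (assumed list; extend as needed).
IMPERSONATED_BRANDS = ("google", "gmail", "hotmail", "outlook", "yahoo", "facebook")

# A request to send something back: the one thing a genuine code SMS never does.
REPLY_REQUEST = re.compile(r"\b(reply|respond|text back|send)\b")
MENTIONS_CODE = re.compile(r"\bcode\b")
URGENCY = re.compile(r"\b(unauthori[sz]ed|suspicious|secure your|locked)\b")


def classify_sms(text: str) -> dict:
    """Return a verdict and the reasons behind it for one inbound SMS.

    The rule is deliberately simple: a message that names a service, talks
    about a code, and asks the recipient to reply is flagged, because real
    verification messages only deliver a code and never ask for one back.
    Urgency language is recorded as a reason but is not required.
    """
    lowered = text.lower()
    reasons = []
    brand = next((b for b in IMPERSONATED_BRANDS if b in lowered), None)
    if brand:
        reasons.append(f"claims to be from {brand}")
    if MENTIONS_CODE.search(lowered):
        reasons.append("mentions a code")
    if REPLY_REQUEST.search(lowered):
        reasons.append("asks the recipient to reply")
    if URGENCY.search(lowered):
        reasons.append("uses urgency language")
    suspicious = (
        brand is not None
        and "mentions a code" in reasons
        and "asks the recipient to reply" in reasons
    )
    return {"suspicious": suspicious, "reasons": reasons}


def flag_messages(messages) -> list:
    """Return the subset of messages that match the code-phishing pattern."""
    return [m for m in messages if classify_sms(m)["suspicious"]]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = classify_sms(msg)
        tag = "FLAG" if verdict["suspicious"] else "ok  "
        print(tag, msg[:60], verdict["reasons"])
```

Running the block flags only the two scam texts; the two genuine-looking code deliveries and the personal message pass because nothing in them asks the recipient to send a code back. A real deployment would sit in an SMS gateway or a mobile security app rather than a script, but the decisive signal is the same.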
Password recovery scam video:
- Discovery by Symantec