New password recovery scam hitting Gmail, Outlook and Yahoo Mail users

A simple yet ingenious scam is being used to compromise the accounts of Gmail, Outlook and Yahoo Mail users, Symantec researcher Slawomir Grzonkowski warns.

“To pull off the attack, the bad guys need to know the target’s email address and mobile number; however, these can be obtained without much effort,” he explains.

“The attackers make use of the password recovery feature offered by many email providers, which helps users who have forgotten their passwords gain access to their accounts by, among other options, having a verification code sent to their mobile phone.”

Once the verification code is sent to the legitimate user’s mobile phone, it’s followed by a message from the scammer, saying something like: “Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.”

The victim sends the verification code to the scammers, and they use it to access the email account. Occasionally the code arrives too late and has already expired, so the scammers press the victim to request and forward a fresh one.

When they finally get access to the email account, they don’t shut the real owner out. Instead, they usually add an alternate email address to the account and set it up so that copies of all messages are forwarded to it. Then they change the password and send it to the victim via SMS (“Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]”) to complete the illusion of legitimacy.
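From the defender's side, the sequence just described (an SMS recovery code accepted, then a forwarding address added, then a password change, all within minutes) is what an account-security team would look for in audit logs. The following is an added example, not from Symantec or the article: it runs that check over constructed audit events whose field names and format are assumptions made here, not any provider's real log schema.

```python
from datetime import datetime, timedelta

# Constructed audit events (not a real provider's format): one account showing
# the takeover sequence from the article, one showing an ordinary recovery.
SAMPLE_EVENTS = [
    "2015-06-01T10:00:02Z user=alice@example.com event=recovery_code_sent channel=sms",
    "2015-06-01T10:07:40Z user=alice@example.com event=recovery_code_accepted ip=203.0.113.5",
    "2015-06-01T10:09:12Z user=alice@example.com event=forwarding_address_added target=copy@attacker.example",
    "2015-06-01T10:10:30Z user=alice@example.com event=password_changed ip=203.0.113.5",
    "2015-06-02T08:00:00Z user=bob@example.com event=recovery_code_sent channel=sms",
    "2015-06-02T08:02:10Z user=bob@example.com event=recovery_code_accepted ip=198.51.100.7",
    "2015-06-02T08:03:00Z user=bob@example.com event=password_changed ip=198.51.100.7",
]

def parse_event(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    ev = {k: v for k, v in (f.split("=", 1) for f in fields)}
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def find_recovery_takeovers(lines, window=timedelta(minutes=30)):
    """Return (user, forwarding target) pairs where an accepted SMS recovery
    code was followed within `window` by both a new forwarding address and a
    password change. A recovery followed only by a password change (bob) is
    normal user behaviour and is not flagged."""
    by_user = {}
    for ev in map(parse_event, lines):
        by_user.setdefault(ev["user"], []).append(ev)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["event"] != "recovery_code_accepted":
                continue
            later = [e for e in evs[i + 1:] if e["ts"] - ev["ts"] <= window]
            kinds = {e["event"] for e in later}
            if {"forwarding_address_added", "password_changed"} <= kinds:
                fwd = next(e["target"] for e in later
                           if e["event"] == "forwarding_address_added")
                flagged.append((user, fwd))
                break
    return flagged

if __name__ == "__main__":
    for user, target in find_recovery_takeovers(SAMPLE_EVENTS):
        print(f"possible takeover: {user} now forwards mail to {target}")
```

A hit is a prompt to contact the account owner out of band and remove the forwarding address, since the real owner still has working credentials and may not notice anything wrong.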

“The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers. They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals. The way they operate is similar to the methods used by APT groups,” Grzonkowski pointed out.

It’s likely that they use those email accounts to gain access to other online accounts tied to them.

Users are advised to be suspicious of SMS messages asking about verification codes, especially if they did not request one, and check their authenticity directly with their email provider.