This week I was told about a scam that surprised me due to the criminals creativity. A New York City Uber driver had his Uber account and days income was stolen by someone who was supposed to be his next passenger.
While driving towards the passengers address, the Uber driver received a phone call from someone pretending to be from Uber. He told the driver that he knew he was on his way to get a passenger but it was necessary for the driver to stop and update his accountdata. Additionally, the driver should not worry about that run. Uber would compensate him and send another driver to pick up that passenger.
As the phone call came through the Uber app, the driver believed it to really came from Uber. The person on the other end of the call continued: Please, I have to confirm your identity. Give me your e-mail address and phone number. Next, Ill send you an SMS message and youll tell me the content.. As expected, the Uber driver received the message and passed on the content.
It turns out that the message was sent by Google as part of the Uberdrivers Gmail password recovery procedure. Ok Sir, thank you for validating your identity. Ive just updated your registration. Have a nice day.said the crook.
Now the criminals proceeded to reset that drivers Gmail account and Uber password. The reason for that? Uber drivers that reach a certain earnings threshold for a daymay ask Uber to transfer that days incomings to a pre-paid card number. That was exactly what the fake passenger did.
The crooks social engineering approach is very cunning in the way that he/she created the privileged information used to entice the victims trust. In the end, that is just another way to exploit password recovery or two-factor authentication through SMS messages. Stay tuned.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.