Those clever hackers are at it again. They have figured out a way to get around two step verification on Gmail and Yahoo accounts. They are using fake alerts to lure their victims into giving up verification codes.
The scam works like this. First you receive an email saying your account may have been compromised. The email includes a button to take you to your account to check its activity. However, when you click the button you are sent to the hackers web page which looks like an official login page. When you enter your password another fake web page appears asking for a verification code. All of this seems perfectly normal as the pages look just like the real thing.
Unfortunately, the hacker has recorded your login credentials. They then use those credentials to login to the actual account website which generates a verification code that is sent to your phone. You receive the code seconds after entering your credentials, so you think nothing of it. You enter the verification code into the fake website. The code is recorded by the hackers and they enter it on the real two step verification page. To keep you from getting suspicious, you are sent to another fake web page asking you to change your password. Once you “change your password” you are redirected to a real account web page. They now have access to your account and you are unaware something is amiss.
How do you protect against this type of attack? Don’t use links in emails to verify possible account compromises. Instead use a bookmark or search result to visit the account website and check the security status or change your password that way.
Two step verification keeps criminals from accessing your account if your password is compromised. It is a great way to add an added level of security to your accounts. However, enterprising criminals have found a way around it.
How did they do it? Is there some back door that they found? Have they created a new brute force hack technique? Nope. They just ask for the verification code. Low tech social engineering strikes again.
Here is how it works. They send you a text that looks like it comes from Google notifying you of a password reset. If you don’t want your password reset, you are instructed to text the word STOP. Once you do, you are asked to text 822 back to be sent a verification code to stop the password reset. Once you receive the verification code, they ask you to text them the code back to confirm that you don’t want the password reset. Pretty clever huh?
Of course what is happening is they are trying to get into your account but can’t because they don’t have the verification code. By playing the stop the password reset game they are hoping to catch you off guard so you just sent them the code.
For the record, no one will ask you if you don’t want to do something with your account. As soon as someone asks you for confirmation to NOT do something, you know the jig is up. This is just another reminder that we have to read our texts and emails carefully and question anything that seems odd. The criminals count on you to react without thinking. Stop them in their tracks, think before you react.
It seems like every day, we hear about a new security breach. Yahoo, Adobe, Ashley Madison; all breached leaving their account holders feeling violated and wondering if their data or identify are safe. To make matters worse these breaches are often not identified until months or years after the attack, giving criminals plenty of time to capitalize on the stolen information. Even if you have a strong password, it cannot protect you if your account provider has its user’s login credentials stolen.
As mentioned in a previous post, many account providers are now offering two step verification. How does it work? You set up the service by giving them your cell phone number. The next time you login you are asked for your password and then an verification code that is texted to your phone. Worried about losing your phone? You can print off backup codes or give them an alternative cell phone number.
Once two step verification is enabled, if a cyber criminal tries to login to your account you will receive a text with an verification code. Not only does it keep the criminal from logging in to your account, it also alerts you that your login credentials have been compromised and that you need to change your password.
ITS highly recommends that you enable two step verification on all your accounts that offer it, especially on your Google account. If you are a user who has access to sensitive data or admin access, our recommendation is even stronger. To make it as easy as possible to enable it, we have created a lovely step by step document that gives clear instructions. We also encourage you to call the Service Desk if you wish to enable it but are uncomfortable doing it on your own.
Cyber criminals are becoming better and better at hacking passwords. One way to fight back is with two factor authentication. To learn more, watch the video.
What to learn how to step up two factor authentication on your google account? Check out this link.