SMS Password Reset Phishing Used to Compromise Emails
Social engineering is a simple and effective way to compromise user credentials. People are vulnerable, and sometimes they have no way to prevent even simple attacks. This comes down to human limits: a user cannot be expected to remember every hacking technique, for example.
This gap exists in every company, and any user can be the next victim. The way to prevent social engineering attacks is to create a security awareness program that improves people's resilience against hacking. A company can build training focused on attack techniques to strengthen key elements such as memory, creativity and communication. Symantec has published a description of a method for stealing email accounts using SMS password reset phishing. It looks very simple to perform, but I believe it can be very effective given the technology now used to recover email accounts.
All the attacker needs is the victim's email address and personal phone number. The attacker goes to the provider's account recovery page, claims to have lost the password and asks to recover it. The recovery method is the standard SMS with an activation or confirmation code, and the provider sends this code to the victim's phone, not to the attacker. At the same time, the attacker sends the victim a phishing SMS, posing as the provider, to trick the user into sending that code back.
Next, the attacker uses the code to reset the password, and the victim loses access to the mailbox. As an option, the attacker may add a secondary email address under their control, so that even after the victim recovers the account, the attacker can get back in at any time through that secondary address. Two points follow from this: a genuine reset SMS delivers a code and never asks for it back, so any message asking you to reply with or forward a code is the attack; and anyone who regains a hijacked account should immediately review the recovery addresses and phone numbers on it and remove any they do not recognise.
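The exchange above, played through end to end as an added example; this is not code from the original post or from Symantec. The provider, the addresses, the phone number and both SMS texts are constructed for the simulation, the ten-minute code lifetime is an assumed provider policy, and `looks_like_code_phish` is a simple heuristic assumed here rather than any published detection rule.

```python
import re
import secrets

CODE_TTL = 600  # seconds a reset code stays valid: an assumed provider policy
# A genuine reset SMS delivers a code; it never asks for one back. Flag texts that do.
CODE_SOLICIT = re.compile(r"\b(reply|respond|send|forward|text)\b.{0,40}\b(code|pin)\b", re.I | re.S)


def looks_like_code_phish(sms_text):
    """True when an SMS asks the recipient to send a verification code somewhere."""
    return CODE_SOLICIT.search(sms_text) is not None


class EmailProvider:
    """Constructed minimal mail service with SMS-based password recovery."""

    def __init__(self):
        self.accounts = {}    # address -> {"password", "phone", "recovery"}
        self.pending = {}     # address -> (code, expiry time)
        self.sms_outbox = []  # (phone, text) the provider sent

    def register(self, address, password, phone, recovery=()):
        self.accounts[address] = {"password": password, "phone": phone, "recovery": set(recovery)}

    def request_reset(self, address, now):
        """Anyone who knows the address can start a reset; the code goes only to the phone on file."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[address] = (code, now + CODE_TTL)
        text = f"Your verification code is {code}. Never share this code with anyone."
        self.sms_outbox.append((self.accounts[address]["phone"], text))

    def complete_reset(self, address, code, new_password, now):
        """Single-use, time-limited code; whoever presents it chooses the new password."""
        entry = self.pending.get(address)
        if entry is None or now > entry[1] or not secrets.compare_digest(entry[0], code):
            return False
        del self.pending[address]
        self.accounts[address]["password"] = new_password
        return True

    def login(self, address, password):
        acct = self.accounts.get(address)
        return acct is not None and secrets.compare_digest(acct["password"], password)

    def recovery_emails(self, address, password):
        return set(self.accounts[address]["recovery"]) if self.login(address, password) else None

    def add_recovery_email(self, address, password, recovery):
        if self.login(address, password):
            self.accounts[address]["recovery"].add(recovery)

    def remove_recovery_email(self, address, password, recovery):
        if self.login(address, password):
            self.accounts[address]["recovery"].discard(recovery)

    def reset_via_recovery_email(self, address, recovery, new_password):
        """Recovery through a linked mailbox: the attacker's way back in after the first reset."""
        if recovery not in self.accounts[address]["recovery"]:
            return False
        self.accounts[address]["password"] = new_password
        return True


def run_attack(victim_audits_recovery=False):
    """Play the exchange through and report what each side ended up with."""
    victim, phone, attacker_mail = "victim@example.com", "+15550100", "attacker@example.net"  # constructed
    p = EmailProvider()
    p.register(victim, "hunter2", phone, recovery={"backup@example.org"})
    # 1. Attacker starts a reset knowing only the address; the provider texts the victim's phone.
    p.request_reset(victim, now=0)
    legit_sms = p.sms_outbox[-1][1]
    # 2. Attacker texts the victim from their own number, posing as the provider.
    phish_sms = ("Example Mail: unusual sign-in on your account. Reply with the "
                 "verification code we just sent you to confirm it is really you.")
    # 3. Victim reads the genuine code off the real SMS and sends it to the attacker.
    leaked_code = re.search(r"\b\d{6}\b", legit_sms).group(0)
    # 4. Attacker completes the reset and plants a secondary recovery address.
    took_over = p.complete_reset(victim, leaked_code, "attacker-pw", now=60)
    p.add_recovery_email(victim, "attacker-pw", attacker_mail)
    # 5. Victim notices the lockout and recovers with a fresh SMS code.
    p.request_reset(victim, now=3600)
    code2 = re.search(r"\b\d{6}\b", p.sms_outbox[-1][1]).group(0)
    regained = p.complete_reset(victim, code2, "victim-new-pw", now=3660)
    if victim_audits_recovery:  # the step that actually evicts the attacker
        for addr in p.recovery_emails(victim, "victim-new-pw") - {"backup@example.org"}:
            p.remove_recovery_email(victim, "victim-new-pw", addr)
    # 6. Later, the attacker comes back through the planted recovery address.
    persisted = p.reset_via_recovery_email(victim, attacker_mail, "attacker-pw2")
    return {"phish_flagged": looks_like_code_phish(phish_sms),
            "legit_flagged": looks_like_code_phish(legit_sms),
            "took_over": took_over, "victim_regained": regained,
            "attacker_persisted": persisted}


if __name__ == "__main__":
    print(run_attack(), run_attack(victim_audits_recovery=True))
```

Two things the run makes visible that the prose alone does not. The SMS carrying the code is entirely legitimate, so the provider's own controls (short lifetime, single use, delivery only to the registered phone) all hold and still do not stop the attack; the only anomaly is the second message asking for the code back, which is what the heuristic keys on. And regaining the account with a new password is not enough: `run_attack()` reports `attacker_persisted` as True until the victim audits the recovery addresses, at which point `run_attack(victim_audits_recovery=True)` reports it as False.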