Recently, account takeovers, email hacking, and targeted phishing attacks have been all over the news. Hacks of various politicians, allegedly carried out by Russian hackers, have yielded troves of data. Despite the supposed involvement of state-sponsored agents, some hacks were not reliant on complex zero-day attacks, but involved social engineering unsuspecting victims. These kinds of attacks are increasingly likely to be used against regular people. This recently happened to a friend of mine:

Two weeks ago, an ex-colleague (actually, my officemate at Google way back in 2002) — let’s call him Bob — had his Google account compromised while on vacation in Hawaii. With his primary email account compromised, the attacker could have:

seized control of his Facebook account, which would have allowed infiltration of a number of accounts based on Facebook login.

reset the password and taken control of other accounts (e.g. financial accounts, Twitter) which only require access to the primary email account.

read data stored in Google Cloud.

terminated (and potentially logged into) GCE instances.

He used a very strong password (which was never used elsewhere), had a completely independent recovery email (from his alma mater), had hard-to-guess security questions, and never logged in on unknown devices. While Bob didn’t have multi-factor authentication enabled, he had also heeded Google’s suggestions to add a backup phone number to bolster security. As we shall see, rather than increasing his account’s security, the backup phone actually made his account substantially less secure.

Don’t do this unless you also turn on MFA!

The attack

On Oct 1, after a 2h absence from his phone, Bob attempted to check his email and discovered he’d been logged out of his Gmail account. Upon trying to log back in, Google notified him that his email password had been changed less than an hour ago.

He then tried to make a call and discovered that his phone service was no longer active. Calling Verizon, he discovered that someone (the attacker) had called less than an hour ago and switched his service to an iPhone 4. Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record.

The attacker was able to reset Bob’s password and take control of his account. He or she then removed Bob’s recovery email, changed the password, changed the name on the account, and enabled two-factor authentication. (Records show that the account was accessed from IP addresses in Iowa and Germany.)