Gmail Security Hole Allows Hackers To Automate Social Engineering Trick



[Image: Forgot Gmail Password]

Christopher Mims over at Technology Review was the first to report on this. A large Gmail security hole could lead to mass harvesting of accounts, because hackers can automate this social engineering trick.



The hack starts with a text to your phone. Something like: "Your entry last month has WON! Goto http://xxxxxx enter your Winning Code: "1122" to claim your FREE $1,000 Best Buy Giftcard!"

The URL in the text goes to this website, http://bestbuy.bestgiftcardsforu.com/, which asks for your email address.



He continued with: "But here's how hackers could turn this marketing scheme into a password-harvesting scheme: After users enter their email address, if it's a gmail address, hackers could automatically request that Google send an account verification code to the cell phone of the owner of that Gmail address. This is what Google does when you tell it that you forgot your password -- one of the three options for recovering it is to have a verification code sent to the cell phone number associated with your account.



"In order for the user to claim their "reward" (in this case, a fake $1000 gift card) the site could then direct them to enter the verification code that Google sent to the user's phone. As soon as the site has both a user's Gmail address and that verification code, it's game over -- hackers can use the code to log into that account and immediately change the password, giving them access and locking the user out of their own account."
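The attack described above is only dangerous at scale because the attacker's site can request the verification code for every Gmail address it collects. From the provider's side, that automation has a telltale shape: one source requesting recovery codes for many different accounts in a short window. The following is an added detection example, not code from the article or from Google; it assumes a hypothetical identity-provider log with one line per SMS code request in the form `<timestamp> reset_sms_request src=<ip> account=<email>`, and the sample lines are constructed.

```python
"""Flag sources that request SMS recovery codes for many distinct accounts.

Assumption (not from the article): the identity provider writes one log
line per SMS verification-code request, formatted as
    <ISO-8601 timestamp> reset_sms_request src=<ip> account=<email>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 requests codes for many accounts within
# a minute (the automated harvesting pattern); 198.51.100.4 is one user
# retrying their own recovery a few minutes apart.
SAMPLE_LOG = """\
2024-01-15T10:00:01 reset_sms_request src=203.0.113.7 account=alice@example.com
2024-01-15T10:00:03 reset_sms_request src=203.0.113.7 account=bob@example.com
2024-01-15T10:00:05 reset_sms_request src=198.51.100.4 account=carol@example.com
2024-01-15T10:00:06 reset_sms_request src=203.0.113.7 account=dave@example.com
2024-01-15T10:00:09 reset_sms_request src=203.0.113.7 account=erin@example.com
2024-01-15T10:00:12 reset_sms_request src=203.0.113.7 account=frank@example.com
2024-01-15T10:00:15 reset_sms_request src=203.0.113.7 account=grace@example.com
2024-01-15T10:05:00 reset_sms_request src=198.51.100.4 account=carol@example.com
"""


def parse_line(line):
    """Split one log line into (timestamp, event, source ip, account)."""
    ts, event, src, account = line.split()
    return (
        datetime.fromisoformat(ts),
        event,
        src.split("=", 1)[1],
        account.split("=", 1)[1],
    )


def find_mass_reset_sources(log_text, window=timedelta(seconds=60), max_accounts=3):
    """Return {src: time_of_first_alert} for every source that requested
    recovery codes for more than `max_accounts` distinct accounts inside
    any sliding `window`. A single user retrying their own account never
    trips this, because distinct accounts are counted, not requests."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, account)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, src, account = parse_line(line)
        if event != "reset_sms_request":
            continue
        q = recent[src]
        q.append((ts, account))
        # Drop entries that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) > max_accounts and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in find_mass_reset_sources(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} source {src} requested codes for many accounts")
```

The threshold and window are deliberately small so the constructed sample trips them; in practice they would be tuned against real recovery traffic, and the alert would feed a rate limit on further code requests from that source rather than only a log line.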



So again: if you use Gmail, think before you click when a text message looks too good to be true!


