“Symantec has observed an increase in a “particular” type of
spear-phishing attack targeting mobile users. The purpose of the attack
is to gain access to the victim’s email account.
“This social engineering attack is very convincing and we’ve already
confirmed that people are falling for it,” the security firm said.
To pull off the attack, the bad guys need to know the target’s email
address and mobile number; however, these can be obtained without much
effort. The attackers make use of the password recovery feature offered
by many email providers, which helps users who have forgotten their
passwords gain access to their accounts by, among other options, having a
verification code sent to their mobile phone.
The majority of cases observed affect Gmail, Hotmail, and Yahoo Mail users.
Symantec warns that users should be suspicious of SMS messages asking
about verification codes, especially if they did not request one. If
uncertain about an unexpected request, users can check with their email
provider to confirm if the message is legitimate. Legitimate messages
from password recovery services will simply tell you the verification
code and will not ask you to respond in any way.”