    It goes like this:

    * Get customer information (DOB, residence, etc.)

    * Call company and say you are an employee of XYZ company (something like a hospital or national bank) and give them an email address like [email protected] (the email doesn’t exist but the domain has to be the actual domain of the company)

    * Company says “we sent you an authentication token, please tell us the token”

    * Somehow gain access to token (???), tell them. Use customer information to fill out details and done.

    I know someone who does this as his job, literally, but he’s secretive because he kind of has a monopoly. I really don’t think he has access to the mobile plan company more than a normal person does.

    There’s also no way he has access to multiple different corporate emails.

    Unless he’s found some way to crack the tokens (if the company is dumb enough to generate it using people’s names), I’m stumped.

    Would be pretty impressive if it was social engineering, because he’s doing this constantly. Maybe he’s registered a similar sounding domain?
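To make the guess in the post above concrete (a token derived from the customer's own details), here is an added illustration that is not part of the thread and not any real carrier's scheme: a hypothetical weak token built by hashing name, date of birth and issue date, beside a token drawn from a CSPRNG. The function and domain names, the 14-day search window and the sample customer are all assumptions made for the example.

```python
import datetime
import hashlib
import secrets


def weak_token(name: str, dob: str, issued: datetime.date) -> str:
    """Hypothetical weak scheme (constructed for illustration): the 'token' is
    the first 6 hex digits of a hash over data the attacker already has from
    the 'get customer information' step, plus the issue date."""
    material = f"{name.lower()}|{dob}|{issued.isoformat()}".encode()
    return hashlib.sha256(material).hexdigest()[:6]


def strong_token(nbytes: int = 4) -> str:
    """Hardened form: CSPRNG output unrelated to any customer attribute.
    4 bytes -> 8 hex chars, ~32 bits of entropy per token."""
    return secrets.token_hex(nbytes)


def recover_issue_date(name: str, dob: str, token: str,
                       today: datetime.date, window_days: int = 14):
    """Attacker side: knowing only name and DOB, try every plausible issue
    date inside the window and return the one that reproduces the token.
    Returns None when no candidate matches (e.g. for a random token)."""
    for back in range(window_days + 1):
        candidate = today - datetime.timedelta(days=back)
        if weak_token(name, dob, candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample customer, not a real person.
    name, dob = "Jane Doe", "1990-05-04"
    issued = datetime.date(2021, 3, 10)
    tok = weak_token(name, dob, issued)
    print("weak token:", tok, "reproduced for date:",
          recover_issue_date(name, dob, tok, datetime.date(2021, 3, 14)))
    print("strong token:", strong_token(), "reproduced for date:",
          recover_issue_date(name, dob, strong_token(), datetime.date(2021, 3, 14)))
```

The attacker never touches the company's systems or the victim's mailbox; with customer data in hand, a handful of hash evaluations reproduces the weak token, while the random token gives the search nothing to key on.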

    E-mail is a fucked up protocol. The e-mail that gets shown in the “From: [email protected]” is **not** the e-mail that gets your response when you hit reply. There is a separate thing called the “return path” in the headers of the e-mail that isn’t shown to the user. There are some defenses against “e-mail spoofing” today, but it’s still way more common than anyone would like.

    How this 2FA stealing usually works is that they log in to the site as you, you get the 2FA e-mail or text or w/e, then they call you and say they’ve detected suspicious behavior and need you to verify the code you’ve been sent to verify your contact information.

    Your ‘friend’ isn’t telling you anything because it’s highly illegal, or he’s just trying to sound cool.

