Uber drivers new threat: the "passenger", (Mon, Jul 24th)

This week I was told about a scam attack that surprised me due to the criminals creativity. A NYC Uber driver had his Uber account and days incomings stolen by someone who was supposed to be his next passenger.

While driving towards the passengers address, the Uber driver received a phone call from a someone pretending to be from Uber. He told the driver that he knew he was on his way to get a passenger but it was necessary for the driver to stop and update his accounts data. Additionally, the driver should not worry about that run. Uber would compensate him and send another driver for that passenger.

As the phone call came through the Uber app, the driver believed it to really came from Uber. The person on the other end of the call continued: Please, I have to confirm your identity. Give me your e-mail address and phone number. Next, Ill send you a SMS message and youll tell me the content.. As expected, the Uber driver received the message and passed on the content.

It turns out that the message was sent by Google as part of the Ubers driver Gmail password recovery procedure. Ok Sir, thank you for validating your identity. Ive just updated your registration. Have a nice day.said the crook.

Now the criminals proceeded to reset that drivers Gmail account and Uber password. The reason for that? Uber drivers that reach a certain amount of money during a day (a kind of goal) may ask Uber to transfer that days incomings to a given pre-paid card number. That was exactly what the fake passenger did.

The crooks social engeneering approach is very cunning in the way that he/she created the privileged information used to entice the victims trust. In the end, that is just another way to exploit password recovery or two-factor authentication through SMS messages. Stay tuned.

Renato Marinho
Morphus Labs | LinkedIn |Twitter

© SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Article Link: https://isc.sans.edu/diary/rss/22626