Last Updated: 2017-07-24 17:57:00 UTC
by Renato Marinho (Version: 1)
This week I was told about a scam that surprised me due to the criminals’ creativity. A New York City Uber driver had his Uber account and day’s income was stolen by someone who was supposed to be his next passenger.
While driving towards the passenger’s address, the Uber driver received a phone call from someone pretending to be from Uber. He told the driver that he knew he was on his way to get a passenger but it was necessary for the driver to stop and update his account data. Additionally, the driver should not worry about that run. Uber would compensate him and send another driver to pick up that passenger.
As the phone call came through the Uber app, the driver believed it to really came from Uber. The person on the other end of the call continued: “Please, I have to confirm your identity. Give me your e-mail address and phone number. Next, I’ll send you an SMS message and you’ll tell me the content.”. As expected, the Uber driver received the message and passed on the content.
It turns out that the message was sent by Google as part of the Uber driver's Gmail password recovery procedure. “Ok Sir, thank you for validating your identity. I’ve just updated your registration. Have a nice day.”—said the crook.
Now the criminals proceeded to reset that driver’s Gmail account and Uber password. The reason for that? Uber drivers that reach a certain earnings threshold for a day may ask Uber to transfer that day’s incomings to a pre-paid card number. That was exactly what the fake passenger did.
The crook’s social engineering approach is very cunning in the way that he/she created the privileged information used to entice the victim’s trust. In the end, that is just another way to exploit password recovery or two-factor authentication through SMS messages. Stay tuned.