
SANS ISC: Uber drivers new threat: the "passenger" - SANS Internet Storm Center SANS ISC InfoSec Forums


Uber drivers new threat: the "passenger"

This week I was told about a scam that surprised me due to the criminals’ creativity. A New York City Uber driver had his Uber account and a day’s income stolen by someone who was supposed to be his next passenger.
 
While driving towards the passenger’s address, the Uber driver received a phone call from someone pretending to be from Uber. He told the driver that he knew he was on his way to get a passenger but it was necessary for the driver to stop and update his account data. Additionally, the driver should not worry about that run. Uber would compensate him and send another driver to pick up that passenger.

As the phone call came through the Uber app, the driver believed it really came from Uber. The person on the other end of the call continued: “Please, I have to confirm your identity. Give me your e-mail address and phone number. Next, I’ll send you an SMS message and you’ll tell me the content.” As expected, the Uber driver received the message and passed on its content.

It turns out that the message was sent by Google as part of the Uber driver's Gmail password recovery procedure. “Ok Sir, thank you for validating your identity. I’ve just updated your registration. Have a nice day.”—said the crook.

Now the criminals proceeded to reset that driver’s Gmail account and Uber password. The reason for that? Uber drivers who reach a certain earnings threshold for a day may ask Uber to transfer that day’s earnings to a pre-paid card number. That is exactly what the fake passenger did.

The crook’s social engineering approach is very cunning in the way he or she manufactured the privileged information used to win the victim’s trust. In the end, it is just another way to exploit password recovery or two-factor authentication through SMS messages. Stay tuned.

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter

I don't understand the "the phone call came through the Uber app" part.
How was that achieved?
Michael
Depending on the city, Uber allows you to contact the driver without revealing your phone number by placing your call through a masking number that is unique to your trip.

"To contact a driver before you've been picked up, tap the driver's name to see contact options. Note that you can only place a call through your app with a phone that has the number registered to your Uber account. If you switch phone numbers, be sure to update your Uber account info." says the Uber help available at [1]. Depending on the city you choose at the top left of the Uber help page, the procedure may differ.

References:
[1] help.uber.com/h/…
Renato (ISC Handler)
