Hello, welcome to the Tuesday, July 25th, 2017 edition of the Sandinert Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Washington, D.C.

Renato today had an interesting diary about how Uber drivers are being defrauded via social engineering. A lot of these social

engineering tricks are really what we are seeing being used these days. So even if you're

not an Uber driver not associated with Uber, it may still be interesting to see through

what lengths social engineering attacks go in order to defraud their victim.

The attacker in this case will request a ride via the Uber app. When you request a ride via Uber,

you'll receive contact details for the driver to contact the driver even through the Uber app without having to reveal your own caller ID.

Now in this particular case, the hacker takes advantage of this feature and calls the driver claiming to be an Uber representative.

Because the call will arrive through the Uber

app in this case, the driver somewhat trusts the origin of the call and to further authenticate

the caller will then claim that, well, they of course know what customer the driver is supposed

to pick up. But the attacker will tell them that another

driver will take care of this particular pickup.

They first need to fix that particular driver's account in order for the driver to be properly

credited for their Uber work. So this is where the attack starts for real.

The caller will ask the driver for an email address.

Then to further authenticate the driver, the caller claims that they will send an SMS

message to the driver's phone. What's actually happening now is

that the caller will do a password reset on that email address. Many email services, of course,

will authenticate the password reset via an SMS message. So the caller just asked the driver

for whatever code they received,

will of course acknowledge that this code was correct and then use it in order to reset

...