Today I am sharing an incident in which I was able to reset the password of a particular account just by calling the guy, and how I bluffed him into giving me his OTP.
I tried to get the OTP of a Gmail account with a fake call and, voilà, I managed to get the OTP too.
The incident flow was like this:
I was at IGI airport, Delhi, and was leaving to take a workshop on cyber security. The flight was delayed by 70 mins, and there was a gentleman sitting next to me who was boarding the same flight. We greeted each other and started a conversation (actually we were talking about online security, as I had told him that I am an ethical hacker). He asked me, “Is it possible to hack anyone's account without touching their cellphone, and what is the easiest way??”
I asked him to give me the Gmail ID and cellphone number of any of his friends so that I could show some real hacking LIVE.
Well, after getting the cellphone number, I called that guy (call spoofing), and the conversation flow was like this:
ME: **cellphone ringing**
TARGET: Hello..!!
ME: Am I talking to Mr. XYZ?
TARGET: Yes..!! Who's this??
ME: Hello Mr. XYZ, I am calling you from Google India, and it seems like someone is trying to access your Gmail account from Shanghai, China. IS IT YOU??
TARGET: What?? NO.. NO.. I am here in Bangalore and I am not accessing that from China :|
ME: Ohh.. Okay Mr. XYZ, we will block that user, but before that you have to prove that you are the actual verified owner of this account.
TARGET: Sure..!!
ME: Well, Mr. XYZ, I am sending a Google verification code from here to the number ending with ********88. Please confirm the verification code to prove your ownership. After that we will block that user from here.
TARGET: OK 😐
ME: **clicked on the forgot password link … waiting for a response from the TARGET.**
TARGET: Yeaahh, hello.. I received the code, and the code is 012345.
ME (smiling): Ohhkk.. Mr. XYZ, thank you for verifying. Now we will block that unauthorized user. Take care. GOOD DAY.
I disconnected the call. Both I and the guy sitting beside me were smiling.
This is how, after typing the OTP, I was able to reset the password.
“You can patch a software but you can never patch the human stupidity.”
And that folk was the best example of this quote.
Always remember, guys: a company will never ask you for your credentials via any medium. If you are receiving a call like this from companies, banks or anywhere else, that's a RED ALERT.
Don't be a fool, and never ever share your credentials on phone calls.
Note: This blog is for educational purposes only..!!
Keep Learning..:)
Great sir….., hats off
Your idea is good sir, but what if the target says “the number with which I have signed up for my Google account is not the one to which you have called” and asks how you got this number, with which I have no connection to my Google account??.. and what will you do if you are caught by him 😁
I mean the next step
Waiting for your answer: your student @Ethical Hacking class
It's social engineering. Desperate times, desperate measures. I will cut the call ;)