Full Report
Watch out for schemes where fraudsters trick people into sharing verification codes so they can gain access to their phone numbers
Analysis Summary
# Tool/Technique: Google Voice Account Takeover via Verification Code Scam
## Overview
This entry describes a common social engineering scheme in which fraudsters trick victims into handing over a legitimate Google Voice verification code, which gives the fraudster control of a Google Voice number linked to the victim's phone. The hijacked number is then used for further fraud and criminal activity.
## Technical Details
- Type: Technique (Social Engineering leading to Account Access)
- Platform: Primarily targets Google Voice users, relying on victims using mobile/landline devices for code reception.
- Capabilities: Allows attackers to effectively take over a VoIP identity (Google Voice number) for anonymous communication, spoofing, and further scamming.
- First Seen: The underlying mechanism (verification code interception) is long-standing, but the article highlights its prevalence in Google Voice scams through 2023/2024.
## MITRE ATT&CK Mapping
This activity is primarily focused on initial access and credential harvesting via social engineering.
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Less direct, as it involves conversation rather than email, but shares the social engineering vector)
- T1078 - Valid Accounts
- T1078.004 - Cloud Accounts
- T1555 - Credentials from Password Stores
- T1555.003 - Credentials in Files (The verification code acts as a temporary, highly valuable credential)
## Functionality
### Core Capabilities
- **Impersonation:** Fraudsters pose as benign users (e.g., buyers or sellers on platforms like eBay or Craigslist) to establish engagement with the victim.
- **Verification Code Interception:** The primary mechanism involves tricking the victim into reading aloud or forwarding a legitimate Google verification code intended for securing a new Google Voice setup.
- **Account Hijacking:** Upon receiving the code, the fraudster secures the Google Voice account, often removing the victim's linked physical number to obscure their activities.
### Advanced Features
- **Follow-on Fraud:** Once a number is secured, the attacker leverages the Google Voice line for:
  - **Vishing Calls:** Making scam calls using the virtual number.
  - **Phishing/Smishing:** Embedding the number into mass SMS/email communications.
  - **Deepfake potential:** Using the acquired number and potentially deepfake voice software to impersonate authorities or family members.
  - **Resale:** Selling the compromised Google Voice number/account to other criminals.
  - **Voicemail Misuse:** Recording scam messages using the hijacked voicemail feature.
## Indicators of Compromise
The primary IOCs relate to the *process* rather than persistent malware files.
- File Hashes: N/A (No persistent malware installed)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (The scam relies on legitimate Google infrastructure for code delivery, making real-time blocking difficult without user intervention.)
- Behavioral Indicators:
  - Unsolicited requests for authentication codes/verification codes, especially during online marketplace transactions.
  - Requests to move communication off the originating platform (e.g., Craigslist chat, eBay messaging) to platforms like WhatsApp or voice calls.
  - Persistence and urgency when requesting the code to "prove you are not a bot."
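A defender-side heuristic over a marketplace conversation, added here as an example (it is not part of the original report): it scores only the counterparty's messages against the three behavioral indicators above and returns which messages triggered each one. The sample thread, the regex patterns and the weights are constructed assumptions, not values from the report.

```python
import re

# Constructed sample marketplace thread (not a real chat log), modelled on the
# behavioral indicators above. "them" is the counterparty, "me" is the account owner.
SAMPLE_THREAD = [
    ("them", "Hi, is the bike still available?"),
    ("me",   "Yes, pickup any evening this week."),
    ("them", "Great. Can we move to WhatsApp? My cell is 555-0100."),
    ("them", "I just texted you a Google verification code, read me the 6 digit code to prove you are not a bot."),
    ("them", "Hurry, the code expires in 5 minutes!"),
]

# Each indicator: name, compiled pattern, weight (assumed values, tune on real data).
INDICATORS = [
    ("code_request", re.compile(r"\b(verification|verify|authentication|google voice|2fa|one.?time)\b.{0,40}\bcode\b", re.I), 3),
    ("off_platform", re.compile(r"\b(whatsapp|telegram|signal|text me|call me|my cell)\b", re.I), 1),
    ("urgency", re.compile(r"\b(hurry|urgent|right now|expires|asap|immediately|not a bot|prove you)\b", re.I), 1),
]

def score_thread(thread):
    """Return (score, hits): hits maps each indicator name to the indexes of
    counterparty messages that matched it. The owner's own text is not scored."""
    hits = {name: [] for name, _, _ in INDICATORS}
    for idx, (sender, text) in enumerate(thread):
        if sender != "them":
            continue
        for name, pattern, _ in INDICATORS:
            if pattern.search(text):
                hits[name].append(idx)
    # Each indicator contributes its weight once, however many messages hit it.
    score = sum(weight for name, _, weight in INDICATORS if hits[name])
    return score, hits

def risk_level(score):
    """Map the score to a label; a code request alone already rates a warning."""
    if score >= 4:
        return "high"
    if score >= 3:
        return "medium"
    return "low"

if __name__ == "__main__":
    total, matched = score_thread(SAMPLE_THREAD)
    print(risk_level(total), total, matched)
```

A platform could surface a warning banner at "medium" and suppress the message or alert moderation at "high"; the thresholds are assumptions.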
## Associated Threat Actors
This technique is widely used by various low-to-mid-level criminal actors engaged in general online fraud, account takeover, and identity theft. The report specifically notes that Google Voice schemes accounted for 60% of scams reported to the ITRC in the US last year, suggesting broad adoption across the general fraud landscape rather than attribution to specific named APT groups.
## Detection Methods
Detection focuses on user awareness and platform behavioral analysis.
- Signature-based detection: Not applicable as this is a non-malware social engineering tactic.
- Behavioral detection: Monitoring abnormal user behavior when setting up or reconfiguring a Google Voice account (e.g., rapidly linking and then unlinking phone numbers).
- YARA rules: Not applicable.
## Mitigation Strategies
- Prevention measures: Never share any authentication, verification, or two-factor authentication code with a third party, regardless of their stated identity or urgency.
- Hardening recommendations: Verify the legitimacy of any request for a verification code by independently contacting the purported organization or using the platform's own moderation tools instead of relaying the code. If a transaction feels suspicious, cease communication. Use multi-factor authentication (MFA) stronger than simple SMS codes where possible.
## Related Tools/Techniques
- Vishing (Voice Phishing)
- Smishing (SMS Phishing)
- Account Takeover (ATO) via MFA Bypass
- Identity Theft (when PII is also compromised)