Uber hacked via basic smishing attack

A smishing attack on Thursday led to a wide range of Uber’s internal systems being breached by a seemingly unaffiliated teenage hacker, it has been claimed.

A report first emerged in The New York Times that the ride-sharing company had been hacked, with the threat actor themselves getting in touch with the publication to allege that he had gained access to internal systems such as Uber’s internal email, cloud storage systems and code repositories through a simple social engineering attack. In a text message sent to an Uber employee, the hacker impersonated an IT worker and convinced them that it was necessary to share an internal password.

As a variant of phishing in which SMS is used to mine targets for sensitive information, smishing is often combined with social engineering tricks for increased effectiveness. Victims may be more easily persuaded to hand over credentials to a supposedly trustworthy source if the attacker makes the situation seem urgent or seems to be suitably authoritative, both of which may have prompted the hacker to claim to be a key IT worker. Two-factor authentication (2FA) is a recommended measure to dull the impact of smishing attacks, and prevent compromised credentials from being used by hackers effectively.

Smishing and social engineering were recently used in sophisticated attacks on Twilio and Marriott. A report from September 2021 revealed that in the first six months of the year, smishing attacks surged 700% more than in the preceding six months.

The hacker claims to be just 18 years old, with self-taught skills in cyber security, and explained that he performed the breach because Uber’s security was especially weak. On Thursday, Uber confirmed that it was subject to a cyber attack through its official Twitter channel, and also stated that it is in dialogue with law enforcement. The company has not offered an in-depth description of the attack.

As part of the breach, the hacker gained administrator control of Uber’s HackerOne account, which it uses to pay white hat hackers bug bounties. The attacker proceeded to leave comments on all active bounty tickets reading “UBER HAS BEEN HACKED (domain admin, aws admin, vsphere admin, gsuite SA)…