Guest Blog // Selected Security Content Provided By Sophos
2/20/2013 08:47 AM
David Schwartzberg

Microsoft Calling?

Microsoft appears proactive by calling its end users to ensure they are applying the latest security patches. Or could it be a social engineering scam?

One weekday evening, the telephone rang unexpectedly. Brenton, a Sophos strategic account executive, pulled himself away from graduate school reading to see who could be calling. The caller ID was unhelpful, as it usually is when the number is being masked.

As it turned out, the caller identified himself as a representative from Microsoft's Windows Technical Team. Brenton's security immune system kicked in, and he thought to himself, "Why would Microsoft Technical Support call me at home?"

The fact is, Microsoft wouldn't, unless the call were related to one of its botnet takedown efforts. An unsolicited call of that nature would more plausibly come from your Internet service provider (ISP), a company with which you can verify that you are already a customer.

Microsoft's Safety & Security Center is very clear about its position on unsolicited communications.

Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

Brenton is fortunate enough to have had the user training we wish everyone using a computer would receive. The faux Microsoft Technician was quite convincing as a cybercriminal, but not enough to get Brenton to believe his family computer was infected with malware that was "... so deadly that no antivirus software was able to detect or clean it."

Come on. SRSLY?

The very patient and very fake technician asked Brenton to open the Windows 'Run' dialog box and type in 'eventvwr.' He then pointed out some Windows errors and alerts, over the background noise of what sounded like a crowded call center full of others reading the same script. The Event Viewer entries were genuine, recorded on Brenton's heavily used family computer, which made the pitch much more believable; every Windows machine accumulates routine errors and warnings in that log, and the scam relies on the victim mistaking them for signs of infection.

Sensing something was amiss, Brenton challenged the phony technician, saying that he wasn't with Microsoft. He asked the wrongdoer to verify his full name and home address, and the fake technician quickly confirmed both! That was when the attack started to take on some strong social engineering.

A less skeptical, less trained person would, at this point, start to lower his guard, because the fraudster is demonstrating expertise and pre-existing knowledge of a customer who needs service.

According to Brenton, "When he realized I didn't believe him, he stated in a frustrated manner, 'I am with Microsoft and am trying to help you. If you don't want my help, I can just hang up now.'"

Most people need help with their computers, mainly because they think of them as appliances, like a toaster, and there is a good chance their machines are already infected with malware. The social engineer hopes that threatening to withdraw help or a critical service will put the victim in a more submissive role, lowering their guard even further.

Once people let their guard down because the "facts" have been validated, most start convincing themselves that they can begin to trust the criminal on the phone a little. This is exactly what the criminals are hoping for, because the victim is now more willing to comply with their request to install the Ammyy remote control software.

To be fair, Ammyy is a legitimate software development company that is aware of this abuse and has an interest in protecting its users from cybercriminals.

Whenever an unauthenticated person on the telephone suggests surfing to an unfamiliar website, the best thing to do is nothing. Whenever an unverified person on the telephone asks for personally identifiable information or financial information, the best thing to do is hang up. Don't even say goodbye.

The next stages of the attack would have been to remotely access Brenton's computer, disable any security software, and collect a credit card number to charge for the "service." Brenton didn't let things get that far -- he made up an excuse to get off the telephone, but first obtained the scammer's name (which he claimed was Gould), his telephone number, and a fake employee ID number.

Brenton provided me with the telephone number, which led me to an outgoing voicemail message for some other folks named Rick and Sue. A Google search on the telephone number turned up a reference to an "M Gould," which only made the information more confusing.

That is where this failed attempt to steal from innocent folks such as you ends.

Fortunately for Brenton, he talks about security on a daily basis and has been trained to pick up the subtle signs of social engineering. Not everyone is as fortunate, and most people need to read more real-life examples of how others have been preyed upon.

That Brenton did not become Gould's next victim is clear testament that user security training works. Make sure your users are trained to be a little suspicious and to keep a healthy paranoia whenever unsolicited individuals ask for too much information.

This phony Microsoft Technical Support attack isn't new. The cybercriminals continue to run this scam because it is successful. In some instances, they have been able to part unsuspecting individuals from $500.

Don't let someone you know become a cybercriminal's next source of revenue.

If you want to learn more about social engineering techniques without becoming a social engineer yourself, Social-Engineer.org provides a wealth of information for anyone looking to improve their preparedness for the moment an attack is under way.

No security, no privacy. Know security, know privacy.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in the latest trends in malware, web threats, endpoint and data protection, mobile security, and cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award-winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter @DSchwartzberg.
