Guest Blog // Selected Security Content Provided By Sophos
2/20/2013
08:47 AM
David Schwartzberg
Security Insights

Microsoft Calling?

Microsoft appears proactive by calling its end users to ensure they are applying the latest security patches. Or could it be a social engineering scam?

One weekday evening, the telephone rings unexpectedly. Brenton, a Sophos strategic account executive, pulls himself away from his graduate school reading to see who could be calling. The caller ID is unhelpful, as it usually is when the number is being masked.

As it turns out, the caller identifies himself as a representative from Microsoft's Windows Technical Team. Brenton's security immune system kicks in, and he thinks to himself, "Why would Microsoft Technical Support call me at home?"

The fact is, Microsoft wouldn't, unless the call is related to its botnet takedown effort. Even then, an unsolicited call of that nature would come from a person working for your Internet service provider (ISP), with whom you can verify that you are already a customer.

Microsoft's Safety & Security Center is very clear about its position on unsolicited communications.

Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

Brenton is fortunate enough to have had the user training we wish everyone who uses a computer would receive. The faux Microsoft technician was a convincing cybercriminal, but not convincing enough to get Brenton to believe his family computer was infected with malware that was "... so deadly that no antivirus software was able to detect or clean it."

Come on? SRLY?

The very patient and very fake technician asked Brenton to open the Windows 'Run' dialog box and type in 'eventvwr'. He then pointed out some Windows errors and alerts, over the background noise of an apparently overcrowded call center full of others reading the same script. The Event Viewer log entries were real, recorded on Brenton's heavily used family computer, which made the pitch much more believable.
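Every Windows machine carries errors and warnings in these logs, which is exactly what the caller relies on. The following PowerShell is an added example for awareness training, not code from the original post or from Sophos; it tallies the last seven days of Critical, Error and Warning entries in the Application and System logs (the logs a caller typically points at) so users can see how routine such entries are on a healthy machine.

```powershell
# Added example (not from the original post): tally Critical/Error/Warning
# entries from the last 7 days in the Application and System logs.
# Healthy machines normally show dozens or hundreds of these, so their
# mere presence proves nothing about a malware infection.
$since  = (Get-Date).AddDays(-7)
$filter = @{
    LogName   = @('Application', 'System')
    Level     = @(1, 2, 3)        # 1 = Critical, 2 = Error, 3 = Warning
    StartTime = $since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Counts per log and severity level.
$events |
    Group-Object LogName, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Log, Level'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# The noisiest sources are usually ordinary services and drivers,
# not a "deadly" infection that no antivirus can detect.
$events |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count |
    Format-Table -AutoSize
```

Run it on a known-clean machine during a training session and compare the counts with what a scam caller would call "proof"; the Application and System logs are readable without elevation.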

Sensing something was amiss, Brenton challenged the phony technician, saying he didn't believe the caller was with Microsoft. He asked the wrongdoer to verify his full name and home address, and the fake technician quickly confirmed both! That was when the attack started to take on some strong social engineering.

At this point, a less trained person, even a skeptical one, would start to lower his guard because the fraudster is demonstrating expertise and pre-existing knowledge of a customer who needs service.

According to Brenton, "When he realized I didn't believe him, he stated in a frustrated manner, 'I am with Microsoft and am trying to help you. If you don't want my help, I can just hang up now.'"

Most people need help with their computers, mainly because they think of the computer as a toaster, and there is a good chance their machine really is infected with malware. The social engineer hopes that threatening to take away help or a critical service will put the victim in a more submissive role, lowering their guard even further.

Once the guard comes down because the facts have been validated, most people start convincing themselves that they can begin to trust the criminal on the phone a little. This is what the criminals are hoping for, because now the victim is more willing to comply with the request to install Ammyy remote control software.

To be fair, Ammyy is a legitimate software development company that is aware of this issue and has an interest in protecting its users from cybercriminals.

Whenever an unauthenticated person on the telephone suggests surfing to an unfamiliar website, the best thing to do is nothing. Whenever an unverified person on the telephone asks for personally identifiable information or financial information, the best thing to do is hang up. Don't even say goodbye.

The next stages of the attack would have been to remotely access Brenton's computer, disable any security software, and collect a credit card number to charge for the "service." Brenton didn't let things get that far -- he made up an excuse to get off the telephone, but not before getting the scammer's name (which he claimed was Gould), his telephone number, and a fake employee ID number.

Brenton provided me with the telephone number, which led me to an outgoing voicemail message for some other folks named Rick and Sue. A Google search on the telephone number turned up a reference to an "M Gould," which made the information only more confusing.

That is where this failed attempt to steal from innocent folks such as you ends.

Fortunately for Brenton, he talks about security on a daily basis and has been trained to pick up the subtle signs of social engineering. Not everyone is as fortunate, and those people need to read more real-life examples of how victims are preyed upon.

That Brenton did not become Gould's next victim is clearly a testament to the effectiveness of user security training. Make sure your users are trained to be a little suspicious and to keep a healthy paranoia when unsolicited individuals ask for too much information.

This phony Microsoft Technical Support attack isn't new. The cybercriminals continue to run this scam because it works. In some instances, they manage to part unsuspecting individuals from $500.

Don't let someone you know become a cybercriminal's next source of revenue.

If you want to learn more about social engineering techniques without becoming a social engineer yourself, Social-Engineer.org provides a wealth of information for anyone looking to improve his preparedness for when an attack is under way.

No security, no privacy. Know security, know privacy.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award-winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter @DSchwartzberg.
