Guest Blog // Selected Security Content Provided By Sophos
2/20/2013
08:47 AM
David Schwartzberg

Microsoft Calling?

Microsoft appears proactive by calling its end users to ensure they are applying the latest security patches. Or could it be a social engineering scam?

One weekday evening, the telephone rings unexpectedly. Brenton, a Sophos strategic account executive, pulls himself away from graduate school reading to see who could be calling. The caller ID was unhelpful, as it usually is when the number is being masked.

As it turns out, the caller identifies himself as a representative from Microsoft's Windows Technical Team. Brenton's security immune system kicks in, and he thinks to himself, "Why would Microsoft Technical Support call me at home?"

The fact is, Microsoft wouldn't, unless the call is related to its botnet takedown efforts, and even then an unsolicited call of that nature would come from your Internet service provider (ISP), a company with which you can verify you are already a customer.

Microsoft's Safety & Security Center is very clear about its position on unsolicited communications.

Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

Brenton is fortunate enough to have had the user training we wish everyone using a computer would receive. The faux Microsoft technician was quite convincing for a cybercriminal, but not convincing enough to get Brenton to believe his family computer was infected with malware that was "... so deadly that no antivirus software was able to detect or clean it."

Come on? SRLY?

The very patient and very fake technician asked Brenton to open the Windows 'Run' dialog box and type in 'eventvwr.' He then pointed out some Windows errors and alerts, over the background noise of what sounded like an overcrowded call center full of people reading the same script. The Event Viewer entries were real, recorded on Brenton's heavily used family computer (any routinely used Windows machine accumulates errors and warnings there), which made the pitch much more believable.

Sensing something was amiss, Brenton challenged the phony technician, telling him he didn't believe he was with Microsoft. He asked the wrongdoer to verify his full name and home address, and the fake technician quickly confirmed both items! That was when the attack started to take on some strong social engineering.

A less-trained person, even a skeptical one, would at this point start to lower his guard, because the fraudster is demonstrating expertise and pre-existing knowledge of a customer who needs service.

According to Brenton, "When he realized I didn't believe him, he stated in a frustrated manner, 'I am with Microsoft and am trying to help you. If you don't want my help, I can just hang up now.'"

Most people need help with their computers, mainly because they think of them as toasters, and so they may well have a good chance of being infected with malware. The social engineer hopes that threatening to take away help or a critical service will put the victim in a more submissive role, lowering their guard even further.

Once the "facts" have been validated and the guard comes down, most people start convincing themselves that they can begin to trust the person on the phone a little. This is exactly what the criminals are hoping for, because the victim is now more willing to comply with their request to install the Ammyy remote control software.

To be fair, Ammyy is a legitimate software development company that is aware of this abuse and has an interest in protecting its users from cybercriminals.

Whenever an unauthenticated person on the telephone suggests surfing to an unfamiliar website, the best thing to do is nothing. Whenever an unverified person on the telephone asks for personally identifiable information or financial information, the best thing to do is hang up. Don't even say goodbye.

The next stages of the attack would have been to remotely access Brenton's computer, disable any security software, and collect a credit card number to charge for the "service." Brenton didn't let things get that far -- he made up an excuse to get off the telephone, but first got the scammer's name (which he claimed was Gould), his telephone number, and a fake employee ID number.

Brenton provided me with the telephone number, which led me to an outgoing voicemail message for some other folks named Rick and Sue. A Google search on the telephone number turned up a reference to an "M Gould," which only made the information more confusing.

That is where this failed attempt to steal from innocent folks like you ends.

Fortunately for Brenton, he talks about security on a daily basis and has been trained to pick up the subtle signs of social engineering. Not everyone is as fortunate, and those people need to read more real-life examples of how victims are preyed upon.

That Brenton did not become Gould's next victim is a clear testament to the effectiveness of user security training. Make sure your users are trained to be a little suspicious and to keep a healthy paranoia when unsolicited individuals ask for too much information.

This phony Microsoft Technical Support attack isn't new. The cybercriminals keep running this scam because it works. In some instances, they are able to part unsuspecting individuals from $500.

Don't let someone you know become a cybercriminal's next source of revenue.

If you want to learn more about social engineering techniques without becoming one, Social-Engineer.org provides a wealth of information for anyone looking to enhance his preparedness when an attack is in execution.

No security, no privacy. Know security, know privacy.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in the latest trends in malware, web threats, endpoint and data protection, mobile security, and cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award-winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter @DSchwartzberg.
