Vulnerabilities / Threats
6/17/2011
02:25 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft Warns Of Huge Phone Scam

Forget fake antivirus software; PC users are getting calls from fake security experts.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Of all the vulnerabilities that can potentially be exploited by hackers, the most reliable is human gullibility.

Microsoft on Thursday provided further evidence that people are the weakest link in the security chain when it published findings of an ongoing Internet theft campaign that might be described as phone phishing.

Phishing is a way to steal personal information by sending email messages that urge recipients to submit personal data to a website that is masquerading as a legitimate business. Phone phishing involves calling computer users and convincing them to take similar action. In less trendy parlance, it's a plain old scam; you could also call it a social engineering attack, if you wanted to make the attacker sound clever. It's easier on the ego to imagine being duped by a criminal mastermind.

Microsoft says that criminals have been posing as computer security engineers and calling people at home to warn them of a computer security threat. The fraudsters claim they're offering free security evaluations on behalf of recognized companies. It's an approach similar to that taken by fake antivirus software, except with a personal touch rather than an on-screen graphic.

Sadly, this approach works. Based on a 7,000-person commissioned survey conducted in April across the U.S., Canada, Ireland, and the U.K., Microsoft says that 15% of respondents in the four countries had received such calls and that 22% of call recipients, or 3% of total respondents, were deceived. That's a better response rate than direct mail, which gets about a 2% response rate, or spamming, which leads to one sale in 12.5 million messages, according to a 2008 research paper.

"The security of software is improving all the time, but at the same time we are seeing cybercriminals increasingly turn to tactics of deception to trick people in order to steal from them," said Richard Saunders, director of international public & analyst affairs at Microsoft's Trustworthy Computing group, in a statement. "Criminals have proven once again that their ability to innovate new scams is matched by their ruthless pursuit of our money."

Among those duped into permitting remote access to their computers or downloading malicious software, 79% said they had suffered financial loss. Seventeen percent of respondents said that money had been taken from their bank accounts, 19% said their passwords had been compromised, and 17% said they had experienced identity fraud. And some 53% reported ongoing computer problems.

The average amount lost was $875 in the U.S. and $1,560 in Canada, but only $82 in Ireland--a Microsoft spokesperson did not immediately respond to a request to explain the luck of the Irish. About two-thirds of the victims were able to recover almost half of the lost funds.

Microsoft also notes that the average cost of repairing the damage caused to computers as a result of the scam was $1,730 among all four countries and reached $4,800 in the U.S.--a curiously high amount that suggests the best repair option might be tossing an infected PC and buying new hardware for significantly less.

Despite the "huge scale" of this phone campaign, Microsoft expects it to grow further, as the scammers branch out from English to other languages.

Microsoft's advice seems as if it should be obvious: "Do not go to a website, type anything into a computer, install software, or follow any other instruction from someone who calls out of the blue."

In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-2977
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via unspecified vectors.

CVE-2015-2978
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation."

CVE-2015-2979
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

CVE-2015-4286
Published: 2015-07-29
The web framework in Cisco UCS Central Software 1.3(0.99) allows remote attackers to read arbitrary files via a crafted HTTP request, aka Bug ID CSCuu41377.

CVE-2015-4290
Published: 2015-07-29
The kernel extension in Cisco AnyConnect Secure Mobility Client 4.0(2049) on OS X allows local users to cause a denial of service (panic) via vectors involving contiguous memory locations, aka Bug ID CSCut12255.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!