Vulnerabilities / Threats
6/17/2011
02:25 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft Warns Of Huge Phone Scam

Forget fake antivirus software; PC users are getting calls from fake security experts.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Of all the vulnerabilities that can potentially be exploited by hackers, the most reliable is human gullibility.

Microsoft on Thursday provided further evidence that people are the weakest link in the security chain when it published findings of an ongoing Internet theft campaign that might be described as phone phishing.

Phishing is a way to steal personal information by sending email messages that urge recipients to submit personal data to a website that is masquerading as a legitimate business. Phone phishing involves calling computer users and convincing them to take similar action. In less trendy parlance, it's a plain old scam; you could also call it a social engineering attack, if you wanted to make the attacker sound clever. It's easier on the ego to imagine being duped by a criminal mastermind.

Microsoft says that criminals have been posing as computer security engineers and calling people at home to warn them of a computer security threat. The fraudsters claim they're offering free security evaluations on behalf of recognized companies. It's an approach similar to that taken by fake antivirus software, except with a personal touch rather than an on-screen graphic.

Sadly, this approach works. Based on a 7,000-person commissioned survey conducted in April across the U.S., Canada, Ireland, and the U.K., Microsoft says that 15% of respondents in the four countries had received such calls and that 22% of call recipients, or 3% of total respondents, were deceived. That's a better response rate than direct mail, which gets about a 2% response rate, or spamming, which leads to one sale in 12.5 million messages, according to a 2008 research paper.

"The security of software is improving all the time, but at the same time we are seeing cybercriminals increasingly turn to tactics of deception to trick people in order to steal from them," said Richard Saunders, director of international public & analyst affairs at Microsoft's Trustworthy Computing group, in a statement. "Criminals have proven once again that their ability to innovate new scams is matched by their ruthless pursuit of our money."

Among those duped into permitting remote access to their computers or downloading malicious software, 79% said they had suffered financial loss. Seventeen percent of respondents said that money had been taken from their bank accounts, 19% said their passwords had been compromised, and 17% said they had experienced identity fraud. And some 53% reported ongoing computer problems.

The average amount lost was $875 in the U.S. and $1,560 in Canada, but only $82 in Ireland--a Microsoft spokesperson did not immediately respond to a request to explain the luck of the Irish. About two-thirds of the victims were able to recover almost half of the lost funds.

Microsoft also notes that the average cost of repairing the damage caused to computers as a result of the scam was $1,730 among all four countries and reached $4,800 in the U.S.--a curiously high amount that suggests the best repair option might be tossing an infected PC and buying new hardware for significantly less.

Despite the "huge scale" of this phone campaign, Microsoft expects it to grow further, as the scammers branch out from English to other languages.

Microsoft's advice seems as if it should be obvious: "Do not go to a website, type anything into a computer, install software, or follow any other instruction from someone who calls out of the blue."

In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.