Vulnerabilities / Threats
6/17/2011
02:25 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Warns Of Huge Phone Scam

Forget fake antivirus software; PC users are getting calls from fake security experts.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Of all the vulnerabilities that can potentially be exploited by hackers, the most reliable is human gullibility.

Microsoft on Thursday provided further evidence that people are the weakest link in the security chain when it published findings of an ongoing Internet theft campaign that might be described as phone phishing.

Phishing is a way to steal personal information by sending email messages that urge recipients to submit personal data to a website that is masquerading as a legitimate business. Phone phishing involves calling computer users and convincing them to take similar action. In less trendy parlance, it's a plain old scam; you could also call it a social engineering attack, if you wanted to make the attacker sound clever. It's easier on the ego to imagine being duped by a criminal mastermind.

Microsoft says that criminals have been posing as computer security engineers and calling people at home to warn them of a computer security threat. The fraudsters claim they're offering free security evaluations on behalf of recognized companies. It's an approach similar to that taken by fake antivirus software, except with a personal touch rather than an on-screen graphic.

Sadly, this approach works. Based on a 7,000-person commissioned survey conducted in April across the U.S., Canada, Ireland, and the U.K., Microsoft says that 15% of respondents in the four countries had received such calls and that 22% of call recipients, or 3% of total respondents, were deceived. That's a better response rate than direct mail, which gets about a 2% response rate, or spamming, which leads to one sale in 12.5 million messages, according to a 2008 research paper.

"The security of software is improving all the time, but at the same time we are seeing cybercriminals increasingly turn to tactics of deception to trick people in order to steal from them," said Richard Saunders, director of international public & analyst affairs at Microsoft's Trustworthy Computing group, in a statement. "Criminals have proven once again that their ability to innovate new scams is matched by their ruthless pursuit of our money."

Among those duped into permitting remote access to their computers or downloading malicious software, 79% said they had suffered financial loss. Seventeen percent of respondents said that money had been taken from their bank accounts, 19% said their passwords had been compromised, and 17% said they had experienced identity fraud. And some 53% reported ongoing computer problems.

The average amount lost was $875 in the U.S. and $1,560 in Canada, but only $82 in Ireland--a Microsoft spokesperson did not immediately respond to a request to explain the luck of the Irish. About two-thirds of the victims were able to recover almost half of the lost funds.

Microsoft also notes that the average cost of repairing the damage caused to computers as a result of the scam was $1,730 among all four countries and reached $4,800 in the U.S.--a curiously high amount that suggests the best repair option might be tossing an infected PC and buying new hardware for significantly less.

Despite the "huge scale" of this phone campaign, Microsoft expects it to grow further, as the scammers branch out from English to other languages.

Microsoft's advice seems as if it should be obvious: "Do not go to a website, type anything into a computer, install software, or follow any other instruction from someone who calls out of the blue."

In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1556
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php.

CVE-2014-2008
Published: 2014-09-12
SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter.

CVE-2014-2009
Published: 2014-09-12
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.

CVE-2014-4735
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in MyWebSQL 3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the table parameter to index.php.

CVE-2014-5259
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in cattranslate.php in the CatTranslate JQuery plugin in BlackCat CMS 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant