Vulnerabilities / Threats
6/17/2011
02:25 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Warns Of Huge Phone Scam

Forget fake antivirus software; PC users are getting calls from fake security experts.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Of all the vulnerabilities that can potentially be exploited by hackers, the most reliable is human gullibility.

Microsoft on Thursday provided further evidence that people are the weakest link in the security chain when it published findings of an ongoing Internet theft campaign that might be described as phone phishing.

Phishing is a way to steal personal information by sending email messages that urge recipients to submit personal data to a website that is masquerading as a legitimate business. Phone phishing involves calling computer users and convincing them to take similar action. In less trendy parlance, it's a plain old scam; you could also call it a social engineering attack, if you wanted to make the attacker sound clever. It's easier on the ego to imagine being duped by a criminal mastermind.

Microsoft says that criminals have been posing as computer security engineers and calling people at home to warn them of a computer security threat. The fraudsters claim they're offering free security evaluations on behalf of recognized companies. It's an approach similar to that taken by fake antivirus software, except with a personal touch rather than an on-screen graphic.

Sadly, this approach works. Based on a 7,000-person commissioned survey conducted in April across the U.S., Canada, Ireland, and the U.K., Microsoft says that 15% of respondents in the four countries had received such calls and that 22% of call recipients, or 3% of total respondents, were deceived. That's a better response rate than direct mail, which gets about a 2% response rate, or spamming, which leads to one sale in 12.5 million messages, according to a 2008 research paper.

"The security of software is improving all the time, but at the same time we are seeing cybercriminals increasingly turn to tactics of deception to trick people in order to steal from them," said Richard Saunders, director of international public & analyst affairs at Microsoft's Trustworthy Computing group, in a statement. "Criminals have proven once again that their ability to innovate new scams is matched by their ruthless pursuit of our money."

Among those duped into permitting remote access to their computers or downloading malicious software, 79% said they had suffered financial loss. Seventeen percent of respondents said that money had been taken from their bank accounts, 19% said their passwords had been compromised, and 17% said they had experienced identity fraud. And some 53% reported ongoing computer problems.

The average amount lost was $875 in the U.S. and $1,560 in Canada, but only $82 in Ireland--a Microsoft spokesperson did not immediately respond to a request to explain the luck of the Irish. About two-thirds of the victims were able to recover almost half of the lost funds.

Microsoft also notes that the average cost of repairing the damage caused to computers as a result of the scam was $1,730 among all four countries and reached $4,800 in the U.S.--a curiously high amount that suggests the best repair option might be tossing an infected PC and buying new hardware for significantly less.

Despite the "huge scale" of this phone campaign, Microsoft expects it to grow further, as the scammers branch out from English to other languages.

Microsoft's advice seems as if it should be obvious: "Do not go to a website, type anything into a computer, install software, or follow any other instruction from someone who calls out of the blue."

In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

CVE-2015-0528
Published: 2015-03-29
The RPC daemon in EMC Isilon OneFS 6.5.x and 7.0.x before 7.0.2.13, 7.1.0 before 7.1.0.6, 7.1.1 before 7.1.1.2, and 7.2.0 before 7.2.0.1 allows local users to gain privileges by leveraging an ability to modify system files.

CVE-2015-0996
Published: 2015-03-29
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to obtain sensitive info...

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.