Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Guest Blog // Selected Security Content Provided By Sophos
What's This?
2/20/2013
08:47 AM
David Schwartzberg
David Schwartzberg
Security Insights
50%
50%

Microsoft Calling?

Microsoft appears proactive by calling its end users to ensure they are applying the latest security patches. Or could it be a social engineering scam?

One weekday evening, the telephone rings unexpectedly. Brenton, a Sophos strategic account executive, pulls himself away from graduate school reading to see who could be calling. The caller ID was unhelpful as it usually is when it's being masked.

As it turns out, the caller identifies himself as a representative from Microsoft's Windows Technical Team. Brenton's security immune system kicks in, and he thinks to himself, "Why would Microsoft Technical Support call me at home?"

Fact is, Microsoft wouldn't unless it's related to its botnet takedown effort. An unsolicited call of such nature would be from a person working for your Internet service provider (ISP) with whom you can verify you are already a customer.

Microsoft's Safety & Security Center is very clear about its position on unsolicited communications.

Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

Brenton is fortunate enough to have had the user training we wish everyone using a computer would receive. The faux Microsoft Technician was quite convincing as a cybercriminal, but not enough to get Brenton to believe his family computer was infected with malware that was "... so deadly that no antivirus software was able to detect or clean it."

Come on? SRLY?

The very patient and very fake technician asked Brenton to open the Windows 'Run' dialog box and type in 'eventvwr.' He pointed out some Windows errors and alerts over the projecting background noises of an apparently overpopulated call center of same script readers. The Event Viewer log entries recorded are from Brenton's heavily used family computer, which made it much more believable.

Sensing something was amiss; Brenton challenged the phony technician that he wasn't with Microsoft. He asked the wrongdoer to verify his full name and home address, and the fake technician quickly validated both items! That was when the attack started to take on some strong social engineering.

A skeptical, less trained person at this point would start to lower his guard because the fraudster is demonstrating an expertise and pre-existing knowledge of a customer needing service.

According to Brenton, "When he realized I didn't believe him, he stated in a frustrated manner, 'I am with Microsoft and am trying to help you. If you don't want my help, I can just hang up now.'"

Most people need help with their computers, mainly because they think of it as toaster, and may have a good chance of being infected with malware. The social engineer would hope that taking away help or a critical service would put the victim in a more submissive role, thereby lowering their guard even further.

Once you let your guard down because the facts have been validated, most people start convincing themselves that they can begin to slightly trust the criminal on the phone. This is what the criminals are hoping for because now their victim is more willing to comply with their request to install Ammyy remote control software.

To be fair, Ammyy is a legitimate software development company aware of this issue and has an interest to protect its users from cybercriminals.

Whenever an unauthenticated person on the telephone suggests surfing to an unfamiliar website, the best thing to do is nothing. Whenever an unverified person on the telephone asks for personally identifiable information or financial information, the best thing to do is hang up. Don't even say goodbye.

The next stages of the attack would have been to remotely access Brenton's computer, disable any security software, and collect a credit card number to charge for the "service." Brenton didn't let things get that far -- he made up an excuse to get off the telephone and get the scienter's name (which he claimed was Gould), his telephone number, and a fake employee ID number.

Brenton provided me with the telephone number, which led me to an outgoing message for some other folks named Rick and Sue. A Google search on the telephone number resulted it referencing an "M Gould," thus making the information more confusing.

That is where this failed attempt to steal from innocent folks such as you terminates.

Fortunately for Brenton, he talks about security on a daily basis and has been trained to pick up the subtle signs of social engineering. Not everyone is as fortunate and needs to read more real life examples of how to be become preyed upon.

Brenton's not becoming Gould's next victim is clearly a testament that user security training is effective. Make sure your users are trained to be a little suspicious and have a healthy paranoia when unsolicited individuals are asking for too much information.

This phony Microsoft Technical Support attack isn't new. The cybercriminals continue to execute this scam because they are successful. In some instances, they are able to part $500 from unsuspecting individuals.

Don't let someone you know become a cybercriminal's next source of revenue.

If you want to learn more about social engineering techniques without becoming one, Social-Engineer.org provides a wealth of information for anyone looking to enhance his preparedness when an attack is in execution.

No security, no privacy. Know security, know privacy.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter @DSchwartzberg David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15132
PUBLISHED: 2019-08-17
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocki...
CVE-2019-15133
PUBLISHED: 2019-08-17
In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.
CVE-2019-15134
PUBLISHED: 2019-08-17
RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working. This is related to _receive in sys/net/gnrc/transport_layer/tcp/gnrc_tcp_eventloo...
CVE-2019-14937
PUBLISHED: 2019-08-17
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
CVE-2019-13069
PUBLISHED: 2019-08-17
extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. The attacker must replace SilverShield.config.sqlite with a version containing an additional user account, and then use SSH and port forwarding to reach a 127.0.0.1 service.