Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Guest Blog // Selected Security Content Provided By Sophos
What's This?
2/20/2013
08:47 AM
David Schwartzberg
David Schwartzberg
Security Insights
50%
50%

Microsoft Calling?

Microsoft appears proactive by calling its end users to ensure they are applying the latest security patches. Or could it be a social engineering scam?

One weekday evening, the telephone rings unexpectedly. Brenton, a Sophos strategic account executive, pulls himself away from graduate school reading to see who could be calling. The caller ID was unhelpful as it usually is when it's being masked.

As it turns out, the caller identifies himself as a representative from Microsoft's Windows Technical Team. Brenton's security immune system kicks in, and he thinks to himself, "Why would Microsoft Technical Support call me at home?"

Fact is, Microsoft wouldn't unless it's related to its botnet takedown effort. An unsolicited call of such nature would be from a person working for your Internet service provider (ISP) with whom you can verify you are already a customer.

Microsoft's Safety & Security Center is very clear about its position on unsolicited communications.

Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

Brenton is fortunate enough to have had the user training we wish everyone using a computer would receive. The faux Microsoft Technician was quite convincing as a cybercriminal, but not enough to get Brenton to believe his family computer was infected with malware that was "... so deadly that no antivirus software was able to detect or clean it."

Come on? SRLY?

The very patient and very fake technician asked Brenton to open the Windows 'Run' dialog box and type in 'eventvwr.' He pointed out some Windows errors and alerts over the projecting background noises of an apparently overpopulated call center of same script readers. The Event Viewer log entries recorded are from Brenton's heavily used family computer, which made it much more believable.

Sensing something was amiss; Brenton challenged the phony technician that he wasn't with Microsoft. He asked the wrongdoer to verify his full name and home address, and the fake technician quickly validated both items! That was when the attack started to take on some strong social engineering.

A skeptical, less trained person at this point would start to lower his guard because the fraudster is demonstrating an expertise and pre-existing knowledge of a customer needing service.

According to Brenton, "When he realized I didn't believe him, he stated in a frustrated manner, 'I am with Microsoft and am trying to help you. If you don't want my help, I can just hang up now.'"

Most people need help with their computers, mainly because they think of it as toaster, and may have a good chance of being infected with malware. The social engineer would hope that taking away help or a critical service would put the victim in a more submissive role, thereby lowering their guard even further.

Once you let your guard down because the facts have been validated, most people start convincing themselves that they can begin to slightly trust the criminal on the phone. This is what the criminals are hoping for because now their victim is more willing to comply with their request to install Ammyy remote control software.

To be fair, Ammyy is a legitimate software development company aware of this issue and has an interest to protect its users from cybercriminals.

Whenever an unauthenticated person on the telephone suggests surfing to an unfamiliar website, the best thing to do is nothing. Whenever an unverified person on the telephone asks for personally identifiable information or financial information, the best thing to do is hang up. Don't even say goodbye.

The next stages of the attack would have been to remotely access Brenton's computer, disable any security software, and collect a credit card number to charge for the "service." Brenton didn't let things get that far -- he made up an excuse to get off the telephone and get the scienter's name (which he claimed was Gould), his telephone number, and a fake employee ID number.

Brenton provided me with the telephone number, which led me to an outgoing message for some other folks named Rick and Sue. A Google search on the telephone number resulted it referencing an "M Gould," thus making the information more confusing.

That is where this failed attempt to steal from innocent folks such as you terminates.

Fortunately for Brenton, he talks about security on a daily basis and has been trained to pick up the subtle signs of social engineering. Not everyone is as fortunate and needs to read more real life examples of how to be become preyed upon.

Brenton's not becoming Gould's next victim is clearly a testament that user security training is effective. Make sure your users are trained to be a little suspicious and have a healthy paranoia when unsolicited individuals are asking for too much information.

This phony Microsoft Technical Support attack isn't new. The cybercriminals continue to execute this scam because they are successful. In some instances, they are able to part $500 from unsuspecting individuals.

Don't let someone you know become a cybercriminal's next source of revenue.

If you want to learn more about social engineering techniques without becoming one, Social-Engineer.org provides a wealth of information for anyone looking to enhance his preparedness when an attack is in execution.

No security, no privacy. Know security, know privacy.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter @DSchwartzberg David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11931
PUBLISHED: 2019-11-14
A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prio...
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.