Schneier on Security
A blog covering security and security technology.
May 30, 2011
Aggressive Social Engineering Against Consumers
Cyber criminals are getting aggressive with their social engineering tactics.
Val Christopherson said she received a telephone call last Tuesday from a man stating he was with an online security company who was receiving error messages from the computer at her Charleswood home.
“He said he wanted to fix my problem over the phone,” Christopherson said.
She said she was then convinced to go online to a remote access and support website called Teamviewer.com and allow him to connect her computer to his company’s system.
“That was my big mistake,” Christopherson said.
She said the scammers then tried to sell her anti-virus software they would install.
At that point, the 61-year-old Anglican minister became suspicious and eventually broke off the call before unplugging her computer.
Christopherson said she then had to hang up on the same scam artist again, after he quickly called back claiming to be the previous caller’s manager.
Posted on May 30, 2011 at 6:58 AM
I get one or two of these calls a month, offering to fix my Windows computer.
But it is amazing that even the poor scaling of a phone scam by a *real person* can pay off. The economics are astounding.
I'd love to see some real research on the profits associated with such a scam. There must be value in it.
I got a somewhat different variant recently. I have a work issued credit card from Bank of America. I received a call at work from someone claiming to be from BoA, wanting to make sure that I had received their Very Important Email. I brushed them off with a "nope, haven't gotten it", and they said they'd re-send it and call back in 24 hours.
Alarm bells going off, I checked my spam folder, and sure enough, there was a horribly done, utterly unconvincing "verify your account" style phishing account claiming to be from BoA. Apparently they were able to correlate my name, work email, work telephone, and the fact that I've been issued a BoA credit card, but couldn't be bothered to make the phishing attempt look even vaguely authentic.
This has been going on in Australia for some time now. Not technically illegal and as they are calling from overseas call centres the ACCC and police can't touch them.
Just tell them your computer runs Linux.
This scam is unique in one aspect in that they seem to have outsourced their lead creation to a number of call centers who follow a script and then after pre-qualifying the sucker, hand them off to someone who goes in for the hard sale. The script starts off with a vague IT sounding group saying you have a virus or problem with your computer and you should turn it on. There are a number of counter-scripts around the net if you want to waste their time. I suspect the first caller only gets paid when they pass the call on to the second level.
I only run Linux. If I got a call for my Windows computer, I'd ask for a repair address to ship it.
The only reason good people fall for this sort of scam is for lack of proper computer education. There's still too many people out there that just don't realise that accessing the internet is not a quiet vacation at the Costa Brava seashore, but an adventure trip through the Borneo jungle instead.
Yeah, we've had some customers who've got calls like these, about one every month and a half for the past year. (I work in an Edmonton computer store, repairs.) At least, that's ones who asked us about it because they were suspicious either before or after falling for it. No idea about ones who fell for it and never suspected enough to ask.
The payload varies a bit but the basic beats seem to be:
1) Scammer claims to be from Microsoft, or rarely some other big name like "Norton". Scares person by saying their computer is infected.
2) Scammer convinces person to do something to the computer, typically open the Event Viewer.
3) Scammer shows person something scary, like an error in the event log. (There's ALWAYS at least one error in the Windows event logs.)
4) Scammer claims this is proof of viruses/hacking/etc. and convinces person to download program/give credit card number/both/some other thing to make PC more hackable or collect personal info.
Fairly persistent bastards, too. Most people who've hung up on them were called back within 5 minutes.
Anyway, that seems to be the variant most popular in this corner of the globe. I'm sure other locales have other gimmicks that haven't made it here yet.
"Scammer shows person something scary, like an error in the event log. (There's ALWAYS at least one error in the Windows event logs.) "
I had a similar case recently, although no spammers involved. Client had a problem with some of her software, called the support line for it, they tried to help her reinstall, couldn't. They looked in the Event Viewer, saw all kinds of errors, told her she had a virus. She called me, I came over. No virus, just needed a clean reinstall.
What amused me was the support help told her the Security log had thousands of entries and that usually meant she had a virus. I told her the Windows Security log can easily have thousands of entries if you do any auditing at all.
The Application log did have lots of errors because her previous installation of the product had apparently been corrupted. I called the support line and pointed out the errors and they recommended a reinstall, which I did. That cleaned things up.
If Microsoft and third party software would stop generating stupid "critical errors", it would be better. Even QuickBooks constantly generates stupid "critical errors" that Intuit will assure you aren't "critical" at all.
The industry just has pathetic quality control. Don't even get me started on X58 motherboards that can't detect all the memory installed because of CPU cooler pressure on i7 CPUs or sensitivity to RAM voltages.
The industry wants everything fast and pretty - functional and reliable (let alone secure) aren't even an afterthought any more, they're non-existent.
We've been inundated with these calls in Australia, many of them originating from Indian call centres claiming to be from "Microsoft Windows Support" or some other Microsoft associated company. Seems to be stuff-all we can do about them, as a previous commenter said. The best idea I've had is for Microsoft to put a big warning screen in Event Viewer that says "If some guy on the phone is asking you to run this then you're being ripped off".
We get them phoning us here in New Zealand a lot.
My wife & I only run Kubuntu (A Linux kernel based operating system) on our computers and we have tried explaining this to them. All they want to do is get back on their script. I suspect that the callers are not very knowledgeable about the field.
Even swearing at them and calling them ****ing frauds, ****ing thieves and worse didn't deter them. They kept calling back.
One particularly long call, where I kept shouting the thief down and telling her to listen to me whenever she attempted to return to the script, ended with her hanging up. I seem to have bought myself some respite, as they haven't called my phone for over a week but are still hassling my wife's.
The people calling have South Asian accents, and the audible drop-outs make it likely they are using Skype or a similar Internet phone service.
They are obviously using a phone directory as both my wife and I are in the phone-book under my name and (until they gave up on me) we would get these calls one after the other. They always ask to speak to Mr or Mrs Bruce Clement, never her given name.
I think the economics works like $0.30 for the phone bill, $0.30 (or less) for wages = $0.60 per call vs $400.00 for the scam software ... you can afford a lot of calls and still make a profit.
Of course they would make a lot more money if they stopped calling back the same people over-and-over again ... there must be a lot of other phone numbers out there.
>The only reason good people fall for this sort of scam is for lack of proper computer education.
Personally I think it's equally important that these people just aren't suspicious enough to wonder why somebody's cold-calling them asking them to do something with their computer. My parents for example are not terrifically computer-literate, but I'm sure they'd see through this just as quickly as any other phishing contact, based on general knowledge about con artists.
I agree however that the "your computer is owned and I want to help you fix it" hook likely gets the marks who are suspicious but don't understand the tech, if the con artist can convince them the risk is dire and immediate.
Even then, the smarter course of action would be for the mark to contact an expert they trust to investigate and verify. Which should lead to the education which would protect the mark against both of the above in future.
Dr. Milgram would be proud.
My wife's cell phone was recently getting several calls a day from a 'non profit debt restructuring' program. The only way to make them go away was to finally tell the robot that yes, we wanted more info. We got a call from a local person the next day, who was just getting leads from the automated service. I told him (rather fiercely) that our only debt was a very manageable mortgage, thank you very much, and he made them stop.
I'm not sure I see the difference between "our records show you're drowning in credit card debt!" and "our systems show you have a virus!"
Evolution isn't working fast enough.
@Rich Wilson: "I told him (rather fiercely) that our only debt was a very manageable mortgage, thank you very much, and he made them stop. "
I agree with the "rather fiercely" part, but I don't think I would have revealed anything at all about my financial situation (not even a lie).
I've been regularly receiving these types of calls (they sound like they are coming from India) for nearly three years in Ireland. On one occasion, I even acted sort of interested, asked him to hold on a moment, and then put the phone next to the radio for nearly 15 minutes and the caller was still there at the end. After I hung up telling him I wasn't interested, he still called back 2 minutes later!
My sister just got a call like this. She was directed to a website v2serve.com
Whenever anyone phones me, if it becomes clear the call is not genuine, I hang up immediately without saying anything else at all. When I am very lucky I am able to determine this without saying anything at all, but most of the time I can do it having said at most a handful of monosyllables.
What is the point of saying anything else to these people, let alone having "long conversations" with them?
I have anonymous call barring turned on, which may have helped.
I know about tarpitting, but I really can't be bothered.
Maybe if I had nothing better to do I'd offer to tell them all about Awari or Shogi or something, but I'd rather re-read my least favourite Diana Wynne Jones book than talk to these people.
Years ago I had the ringer of my phone turned to "off" and a voicemail message saying "Leave a message if you like and I might notice within a few weeks", but I can no longer afford that luxury.
I received a call at my home number from someone who identified themselves calling from Microsoft, and told me that my computer was downloading viruses from the internet, and that I should follow his instructions to make my computer safe. It was a painfully obvious phishing attack.
The attack website is ammyy_dot_com. The instructions I was given were to use Microsoft Internet Explorer to go to that site, and it sounded to me like they probably had some good 0-days in place to attack IE. Or perhaps just a library of the many, many known IE attacks.
Dealing with scammers like this should be crowd sourced. Here's one way to turn the tables on a phishing attack, as I expect that fone phishing will become increasingly prevalent. I suppose you could contact your state attorney general's cyber hotline, but these guys were obviously offshore (Indian accents), so that's probably a response that goes nowhere.
I knew in the first half-second the person was a scammer that had all my publicly available id, and thought, Yea! Here's my chance to be a 419 eater, except that the guy knows who I am. So I acted very concerned, and got as many details as I could: who he said he was, what were the specific instructions, and just basically drew it out.
After I got the website, ammyy_dot_com, a 2-second Google search and whois query showed that this is indeed a scammer site (see Wilders' thread), and whois showed that the domain was purchased through the IANA accredited company namecheap.com. I found out how to notify namecheap's legal people, and received the email below within a few hours of the complaint. Remarkably, no one had apparently done this simple step before, even though the scam warning appears from sites from about.com to yahoo.com from six months ago and beyond.
Bottom line is that it pays to complain: you can take effective action against scammers yourself simply by typing "whois domainname" then, if it's a domain registered by an IANA accredited company, complaining directly to the company. In the whois response, look for something like:
Registration Service Provided By: Namecheap.com
They will of course set up shop somewhere else, but that at least gives a chance to the domain name registration company to contact the legal authorities with all the relevant identification and financial details. And if it pushes them off IANA accredited sites/IPs, they become easier to blacklist. Just remember that they have access to ALL your publicly available id, so never give it away that you're a 419 eater trying to pwn them back as you extract as many identifying details as necessary.
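The whois-then-complain procedure in the comment above, as an added example (not the commenter's code): it pulls the registrar and abuse-contact fields out of raw whois output and drafts the complaint. The whois record, domain and contact addresses are constructed for the example; only the field names follow common registrar output, and the optional `whois_lookup` helper just shells out to the system `whois` client.

```python
import re
import subprocess
from typing import Optional

# Constructed sample whois response (hypothetical domain and contacts, not a
# real registration record). Field names follow typical registrar output.
SAMPLE_WHOIS = """\
Domain Name: SCAM-EXAMPLE.TEST
Registration Service Provided By: RegistrarExample.com
Registrar: RegistrarExample, Inc.
Registrar Abuse Contact Email: abuse@registrarexample.test
Registrar Abuse Contact Phone: +1.5555550100
Name Server: NS1.HOSTINGEXAMPLE.TEST
Name Server: NS2.HOSTINGEXAMPLE.TEST
"""

# Fields worth extracting when preparing an abuse complaint. The first line
# that matches a field wins, so "Registration Service Provided By" (the line
# the comment tells you to look for) takes precedence over "Registrar:".
FIELDS = {
    "registrar": r"^(?:Registrar|Registration Service Provided By):\s*(.+)$",
    "abuse_email": r"^Registrar Abuse Contact Email:\s*(.+)$",
    "abuse_phone": r"^Registrar Abuse Contact Phone:\s*(.+)$",
}


def parse_whois(text: str) -> dict:
    """Extract registrar, abuse contact and name servers from whois output."""
    result = {"registrar": None, "abuse_email": None, "abuse_phone": None,
              "name_servers": []}
    for line in text.splitlines():
        line = line.strip()
        ns = re.match(r"^Name Server:\s*(.+)$", line, re.IGNORECASE)
        if ns:
            result["name_servers"].append(ns.group(1).strip().lower())
            continue
        for key, pattern in FIELDS.items():
            m = re.match(pattern, line, re.IGNORECASE)
            if m and result[key] is None:
                result[key] = m.group(1).strip()
    return result


def abuse_report(domain: str, whois_text: str) -> Optional[str]:
    """Draft a complaint to the registrar abuse contact, or None if there is none."""
    info = parse_whois(whois_text)
    if not info["abuse_email"]:
        return None  # no abuse address published; use the registrar's web form instead
    return (f"To: {info['abuse_email']}\n"
            f"Subject: Abuse report for {domain}\n"
            f"Registrar: {info['registrar']}\n"
            f"Domain {domain} is used in a phone tech-support scam: callers direct "
            f"victims to it to install remote-access software and pay for bogus fixes.")


def whois_lookup(domain: str) -> str:
    """Run the system whois client for a live record (needs network; untested here)."""
    return subprocess.run(["whois", domain], capture_output=True, text=True,
                          check=False).stdout
```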
@stvs: that domain is still active and the website is still contactable. When did you do this and what did namecheap claim they were doing / going to do about it? (your "email below" didn't get posted...)
I wonder if Australia is a popular target because the inter-company phone call termination charge is so low (IIUC zero) thus making the solicitation calls very cheap.
We've been getting these calls with increasing frequency for the past couple of months. We've had several in the last week. If I have the time to spare when they call, I try to waste as much of their time as possible in the (no doubt vain) hope that enough people will do this to impact the economics of the scam.
My approach is to be pretty much compliant with their requests, but not to explain the context; I have a collection of well over a hundred old 8 bit home computers, and my daily use PC runs Ubuntu. I just do what they ask on the wrong platform. I need to make my Ubuntu desktop behave a bit more like Winders though :)
I managed to record 5 minutes of audio from the last one I played with:
With caller ID I simply don't answer the phone if I don't recognize the name or number. This works most of the time, though my wife did get a telemarketer who had spoofed their caller ID to say Chase.
Anyone who has a legitimate reason to call probably won't spoof their caller ID. Likewise, they'll probably leave a message so we'll return the call.
My home VOIP provider also provides a service where you can log in to their site & block numbers based on your call history. Blocked numbers never ring again so periodically I go in and add repeat offenders to that list.
If you have an Android phone, there are plenty of apps that in realtime can check numbers that aren't in your phonebook against public online phonebooks.
Some of these even keep track of telemarketers, and could easily keep track of scammers' phone numbers (that would make it even more costly since they'd have to get new numbers frequently).
We should probably try to start a campaign like this to these public online phonebook companies so that they all track the scammers.
People who are calling from anonymous numbers would get an even bigger incentive to start calling with their number visible to not get ignored. (Although I'm not sure if we want to completely discourage all use of hiding your phone number.)
Fun idea: Having a soundboard app that you can use in calls. When a scammer calls you could activate a fax sound, some random, crazy Japanese song, a crying baby or whatever.
You would then put the phone in your pocket, and when the scammer hangs up you get a notice.
Recording these calls would be optional, since some people might find it hilarious to listen to what the scammers said.
It would also time the calls from that you activate the app, so you know how long the spammers endured your prank.
I wonder if the scammers got the memo about the TeamViewer exploit... A payload of del C might be an interesting phone conversation :)
I've had these calls a couple of times and know the MO. They usually start with the caller requesting to talk to me by name. I know what it is straight away and I usually say "Oh, hold on, I'll get him now". I go through a pantomime in the back ground of calling someone to the phone and ask the caller to wait.
My record of keeping the caller waiting is 14 minutes...
I figure if they are gonna try to social hack me, I'll Denial of Service their call centre...
I get a lot of these calls, usually one every week or so.
When they tell me they have detected a problem on my computer I either ask them which one they mean (I have several), tell them I don't run windows (a lie) or ask them how they've illegally gained access to my PC as they somehow know it's broken (which it isn't).
They usually just hang up, if they don't I just ask them to never call again as I've signed up for the telephone preference service and they're breaking the law by calling me in the first place.
Very irritating and time wasting
This is a group of Indians (East) working out of California. I traced the number (although it was supposed to be private) and looked them up. They have been doing this for what looks like years. They get caught, change their number and start up again. I doubt very much anything can be done. The RCMP wouldn't touch it as it was not in Canada, the local California police weren't interested.
Call centre hoaxers are vulnerable to attack.
In this recorded call I manage to get the operator to run IPCONFIG and reveal her IP address. That's not particularly useful I know, but it does show that scam operators are vulnerable to their own social engineering tactics.