The prevalence of hackers makes your job a living nightmare sometimes, especially when you think about how many of your clients could easily fall for their malicious schemes. What if you could catch these cybercriminals in the act? Haven't you ever wanted to scam the scammer, to just tell them "I'm not falling for it, buddy?" One security researcher, Steve Ragan, inadvertently found himself doing just that when he became the target of the latest social engineering attack, receiving a phone call from scammers pretending to be Microsoft tech support.
Just a friendly tip: you may want to block any incoming calls from 999-000-7676.
What Is Social Engineering?
When I first heard the term, I immediately thought of social media app developers, but while social networking sites have enabled the practice of social engineering, the reality is far more sinister and a cybercrime trend you should be watching. Not unique to the world wide web, social engineering involves the exploitation of human behavior to compromise security. Think about some of the most successful bank robberies or break-ins in history. They weren't just spur-of-the-moment decisions.
Ocean's 11 as Social Engineering Case Study
Consider the meticulous planning that went into the heist of the Bellagio casino in the now iconic movie, "Ocean's 11." If you haven't seen the 2001 remake of this comedy, featuring an all-star cast including George Clooney, Brad Pitt, and Julia Roberts, re-evaluate your life choices. I won't spoil the movie by giving away whether they pull it off and how or how not, but I will point out that the crew rely on false identities to gain access to the vault containing upwards of $150 million.
So that's not exactly the same as a phishing scheme that tricks victims into supplying their credit card information, but the same strategies are at play, right? During the planning period of the heist, the various robbery recruits perform "recon," studying the daily operations of the casino as well as the behavior and schedules of its staff. Eventually, they cook up an elaborate plan to have Matt Damon's character, Linus, impersonate a gaming commission agent so as to get close to the owner of the casino, the keeper of its sensitive information, and steal the vault access codes. In the movie clip below, he prepares to go undercover.
Do you see what I'm getting at here? Social engineering attacks are carried out when cybercriminals (or any other criminals) pose as credible, trusted authorities to convince their targets to grant them access to senstive data and high-security locations or networks. Sometimes it's not as obvious as someone claiming you've won the lottery and asking you to supply your financial credentials. People have learned to identify these scams over the years so attackers have had to think up new ways to gain trust and take advantage of common concerns. What's one thing we all have little patience for and indeed, something your clients can't afford to suffer from?
Enter: Microsoft Tech Support Scam
After you read this blog post and before you pop in "Ocean's 11," you should really check out the CSO article's firsthand account of the security reporter who turned the tables on scammers pretending to be Microsoft technical support staff. Although Ragan warns against engaging with cybercriminals and urges anybody who receives these calls to hang up immediately, the researcher shares how he played along and recorded the whole exchange to expose the fraudulent party.
When You Answer the Call
Hello, you are receiving this call because your computer is sending bad traffic to the internet. To fix this issue, please press 1 and we'll connect you to a Microsoft support representative.
This was how the call began. Investigative journalism at its finest, Ragan explains how he convinced the representative that his phone was low on battery and asked if she could call back. Meanwhile, he gave her a Google Voice number to call and began recording the conversation when she complied. The call began with the rep pointing to bogus proof that there was a problem and instructing Ragan to download an outdated version of remote connection software called Team Viewer. Again, this is very dangerous and should never be done. When Ragan acquiesced, he expertly disabled her inputs, meaning she could see his desktop, but he maintained full control over the keyboard and mouse.
This is the point at which you'll want to start applauding the guy. Rather than just hang up and report the call, Ragan instead revealed his identity, typing "I am a security researcher, and you've been busted. But nice try! :-)" HAH! Classic, right? To add insult to injury, he also admitted to recording the rep and let her know her scamming days were at an end.
For a better feel for an attacker's script and process, I highly suggest you check out Ragan's recording below! If nothing else, you'll salute him for playing a convincingly clueless computer owner. Although, in my opinion, calling the browser "Internet Ex-Exploiter," while funny, was a bit over-the-top.
A Classic Case of Social Engineering
The Microsoft technical support scam exemplifies the trickery and tactics cybercriminals use in social engineering schemes. First, the fake rep preys on people's general concern of having an infected device. Then, she pretends to be calling on behalf of a household name. You don't have to be a computer whiz to recognize Microsoft's legitimacy and authority. Ragan elaborates:
"Remember, their primary victim is someone who knows the name Microsoft and nothing else. That lack of knowledge is central to the scam's overall success."
He also explains that the evidence the attacker presents could easily be accepted by people who know nothing about computers, the target audience:
"She uses a mix of technical terms and meaningless phrases, but that's because the script she's reading isn't geared towards a person who knows that wires have nothing to do with the fact that Bluetooth Support Service isn't running. It's written to coach a person who would believe what she says without question."
Again, to keep reading about Ragan's support scam bust, check out the original CSO article!
The purpose of the call is to gain access to your system and install malware and malicious antivirus software. Unknowledgeable call recipients don't understand that the scammers are calling to create a serious and costly security issue, NOT to correct an existing vulnerability.
What This Attack and Social Engineering Mean for Your Clients
Are your clients "computer people?" Isn't that why they turn to you as their MSP or IT solution provider - to not have to worry about these pesky security matters? The fact of the matter is that security is everyone's responsibility. Sure, you're remotely monitoring and backing up their networks, but it's the day-to-day human errors in judgment that can lead to bankruptcy-level security breaches. That means you have to educate your clients on the importance of establishing an enforceable security policy, one in which all staff is held accountable. The 2014 US State of Cybercrime Survey by PwC found that:
- 21% of insider threats to security occurred via social engineering attacks
- 27% of these insider threats were created due to violation of IT security policies
Aside from making sure clients have a strong security policy and response plan in place, it's your job to make them tech-savvier users. Say they were to have received this phony call. Would they have known not to trust it? Do they know never to give control of their computer to an unknown third party, even if that caller claims to be from Microsoft Tech Support, Windows Service Center, or the like?
Microsoft has since spoken out, detailing a list of best practices for users and how to respond if you believe you have become the victim of a social engineering attack. Share these tips with your clients!
So is it always a scam when Microsoft calls? According to their website:
"There are some cases where Microsoft will work with your Internet service provider and call you to fix a malware-infected computer—such as during the recent cleanup effort begun in our botnet takedown actions. These calls will be made by someone with whom you can verify you already are a customer. You will never receive a legitimate call from Microsoft or our partners to charge you for computer fixes."
MSPs make critical mistakes too...
By Lily Teplow
By Brian Downey
By Dave LeClair