The Other Engineering: Social Engineering

Last night I was interviewed by Jasmine Huda on St. Louis KMOV-TV Channel 4 news about a scam used to steal information from PCs. The attackers call random people and claim to be from Microsoft Technical Support. They say they have received an error report from the victim's computer and have found a problem that they will help fix over the phone. Many PC users see the "send error report" dialog box after a crash and often click to send the report. Of course, the scammers never saw those reports – they go directly to Microsoft, which treats their content confidentially. In addition, if you think about it, does your PC even know your phone number?

This seems to be a recent report of the scam in Denver, Colorado, although you can find variants of it all over the world going back several years, such as this one in the UK.

This is an example of the other engineering – social engineering. Social engineering is a confidence game: tricking someone into sharing their computer password, installing malware on their computer, or visiting malicious websites. Unfortunately, it is all too easy, especially if the attacker has even a small amount of information (or a lucky guess, such as that you recently clicked on a "send error report" message).

For a complete analysis of social engineering, I’d recommend Kevin Mitnick’s The Art of Deception.  Or, to read his incredible real-life account of how he used social engineering to take over telephone networks, try Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.

Everyone should be aware of social engineering and how to protect themselves from it. The most important rule is to never give out information, or access to your computer, to someone who calls you, even if they sound legitimate. If you think it really is Microsoft calling you, or your bank, or your credit card company, then ask for their case number, hang up, look up the phone number of the business or bank yourself, and call them back at that number. (Note that you can't ask the caller for their phone number or call the number shown on Caller ID – you can't trust that information either, and some attackers even have working toll-free numbers.)

I do hope, however, that people don't stop sending those error reports. I've heard from friends who are software developers that these reports are a goldmine for them in terms of fixing bugs and improving their software.


  1. #1 by Brendan Minish on July 29, 2012 - 1:56 am

    I am the CTO for an ISP, and we have a fair few VoIP numbers that we use for our own operations. Here in Ireland these numbers are in ranges that tally well with VoIP providers, and if one does some simple analysis these ranges can be worked out on an area-code basis and separated from land-line provider number ranges.
    I have had a lot of these calls to our VoIP numbers and almost none to our ISDN-based numbers, so it seems that they are attempting to narrow down targets to those who are likely to have computers and reasonable-quality broadband.

    On one occasion I spun up a virtual instance of Windows XP and ‘played along’, up to a point.
    The scammers start by getting you to look at the event log, where most folks will find something that looks scary. This is then followed up by the scammers asking for remote access to the machine, and at that point event logging is turned off, fake AV software is installed, and you are pressured into signing up for an expensive ‘support’ contract by means of an unsecured credit card payment: card number, expiry, bank, name, billing address and CIV # are requested. I gave dummy info and they were quick to tell me that it had not authed.

    Recently the call method has changed a little: you now get a call from a blocked number with a ‘fax tone’. If a human answers, you then get a callback a few minutes later from the scammers from either a private number or a number with spoofed CID that would incur substantial premium rates to call back. Presumably this is designed to maximize call center efficiency.

    Thankfully my Asterisk PBX allows me to place these calls on hold; perhaps it’s time to build a VoIP honeypot to keep them amused.
    Like this one.

    The real issue for us is that when our customers get scammed or end up with malware, they are often left with problems that dramatically degrade their internet performance, and as an ISP this leads to support calls and general dissatisfaction with the service.

    bminish ei6iz
