Nearly every one of us has had some sort of social engineering or "phishing" scam attempted on us, and some of us, unfortunately, have even learned the lessons of the scam the hard way. I know how excited I was the first time somebody wanted to share $8M with me from my long-lost Uncle Frederick Hobbs IV, heir to the estate of the late Frederick the Great, or some other nonsense. I immediately daydreamed about what color the cool new car I would buy with cash would be.
Social engineering scams attempt to psychologically manipulate their victims into handing over confidential and sensitive information, and most of us learned pretty quickly to be cautious when we suspect this type of activity. While working for a large financial institution, I learned just how prevalent these types of attacks were. Our mail servers processed anywhere from 9-15 million bounced e-mails per hour, and it was a challenge for our teams to deal with this volume of fraudulent messages, all coming from one of our legitimate e-mail addresses. Today, clever scammers are putting a new face on their attacks. One method is using call center labor in other countries to run call scripts. Criminals and fraudsters are also investing in call robots and low-cost voice systems that use the Internet for phone calls and message gateways.
Here’s how this new fraud technique is changing the scams of the past.
My home phone rings. Somebody says they are from Microsoft Security and they are calling because my computer has been sending them alerts for the last 2-3 weeks. They think I might have a virus. They want to help me. Can I go turn my computer on? I play along, as I'm curious to see where this is going, and, well, I don't have a Microsoft-based computer, so this should be fun. They wait until I tell them my computer is on and then ask me to look at the Event Viewer for log files … look for any errors … it's a virus (they claim). Next, I MUST go to some web site and download their "fix." This, I can only guess, is the virus that will encrypt my files until I pay them the $300 ransom to get my computer back. I ended the call at this point, called my phone service provider's CTO, and explained what happened. This resulted in a short-term fix, while the scammers had to adapt and possibly find new methods.
The next new social engineering scam starts with a text: a message from a service number on my mobile (you know, like 123-45), from (real name of a big bank), with an identification code, 12345678 (some random set of digits), saying to "Enter online at prompt in password field at login." Within minutes, my cell phone rings from some 877 number, and a voice message system plays the following to me:
"This message is an important reminder for (my name).
Recently, somebody attempted to change the password of your account with (name of big bank). A temporary PIN was granted on your account so that they may access your account.
If you did not request this temporary activation PIN, please call us immediately at (877-some-number) and report it immediately."
My guess is this 877 number is a fraudulent call center just waiting to pounce. They'll request your social security number, bank account logins, and anything else you would fall for during the "verification process" that we've all gotten used to. I pulled out my personal ATM card, called the number on the back, and asked the bank if any of this activity had really happened. They verified it was not real. After sharing my story, I found out that a lot of people are getting hit by this two-pronged social attack.
Are there ways to improve your protection from these attacks? Yes. For your company, just raising awareness among your teams and HR departments about these threats is a step in the right direction. Another tool is detection. This is especially useful for the service providers out there, or for people using call centers and Voice over IP gateways. Service providers who are interested in detecting these kinds of activities may want to look at security solutions that offer custom signatures. Carrier-grade equipment that can rapidly detect repeating patterns across different systems is extremely rare to find. Here at Radware, for attack mitigation we pair the monitoring solution InFlight with the DefensePro system to build signatures for message and call log gateways that identify these kinds of robo-dial systems and text message fraud systems. We have successfully helped many call centers and Voice over IP providers detect these kinds of scams and stop them as they transit the network. Ask your local Radware team for more information if you are interested in helping to solve these problems on your network!
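To make the "repeating patterns across different systems" idea concrete, here is a small correlation script, added as an example and not code from Radware, InFlight, DefensePro, or the original post. It joins a text message gateway log with a call log to find the two-pronged pattern described above: a lure text telling the subscriber to enter a code in a login password field, followed within minutes by a call from a toll-free number, with the same short code and caller hitting many subscribers. The log line formats, the 10-minute window, the 3-subscriber threshold and every number in the sample logs are constructed for this example; a real gateway would expose its own fields.

```python
"""Correlate SMS gateway events with call log events to flag the
two-stage bank-impersonation pattern (lure text, then toll-free call).

Everything here is constructed for illustration: the log layouts,
the phone numbers, the correlation window and the campaign threshold
are assumptions, not values taken from any real gateway or product.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed SMS gateway log: "<ISO time> <short code> -> <subscriber> | <text>"
SMS_LOG = """\
2014-06-01T10:00:05 12345 -> +15550001111 | (BigBank) ID code 81927364. Enter online at prompt in password field at login.
2014-06-01T10:01:10 12345 -> +15550002222 | (BigBank) ID code 55512398. Enter online at prompt in password field at login.
2014-06-01T10:02:41 12345 -> +15550003333 | (BigBank) ID code 40871123. Enter online at prompt in password field at login.
2014-06-01T10:03:00 20202 -> +15550004444 | Your table for 2 is confirmed for 7pm. Reply C to cancel.
2014-06-01T11:30:00 12345 -> +15550005555 | (BigBank) ID code 99001122. Enter online at prompt in password field at login.
"""

# Constructed call log: "<ISO time> <caller> -> <callee>"
CALL_LOG = """\
2014-06-01T10:03:30 +18775550199 -> +15550001111
2014-06-01T10:04:45 +18775550199 -> +15550002222
2014-06-01T10:06:02 +18775550199 -> +15550003333
2014-06-01T10:05:00 +15550009999 -> +15550004444
2014-06-01T13:00:00 +18775550199 -> +15550005555
"""

SMS_RE = re.compile(r"^(\S+) (\d+) -> (\+\d+) \| (.*)$")
CALL_RE = re.compile(r"^(\S+) (\+\d+) -> (\+\d+)$")
# Lure wording from the post: the text asks for a code in the password field.
LURE_RE = re.compile(r"password field", re.IGNORECASE)
# North American toll-free prefixes (800, 833, 844, 855, 866, 877, 888).
TOLLFREE_RE = re.compile(r"^\+18(00|33|44|55|66|77|88)\d{7}$")

WINDOW = timedelta(minutes=10)   # assumed: call must follow text within 10 minutes
CAMPAIGN_THRESHOLD = 3           # assumed: same text/caller pair hitting 3+ subscribers


def parse_sms(log):
    """Return [(timestamp, short_code, subscriber, text)] from the SMS log."""
    events = []
    for line in log.splitlines():
        m = SMS_RE.match(line)
        if m:
            ts, code, sub, text = m.groups()
            events.append((datetime.fromisoformat(ts), code, sub, text))
    return events


def parse_calls(log):
    """Return [(timestamp, caller, callee)] from the call log."""
    events = []
    for line in log.splitlines():
        m = CALL_RE.match(line)
        if m:
            ts, caller, callee = m.groups()
            events.append((datetime.fromisoformat(ts), caller, callee))
    return events


def find_pairs(sms_events, call_events, window=WINDOW):
    """Return (subscriber, short_code, caller, delay_seconds) for every lure
    text that is followed by a toll-free call to the same subscriber within
    the window. A call that arrives outside the window is not paired."""
    calls_by_callee = defaultdict(list)
    for ts, caller, callee in call_events:
        calls_by_callee[callee].append((ts, caller))
    pairs = []
    for ts, code, sub, text in sms_events:
        if not LURE_RE.search(text):
            continue
        for call_ts, caller in calls_by_callee.get(sub, []):
            delay = call_ts - ts
            if TOLLFREE_RE.match(caller) and timedelta(0) <= delay <= window:
                pairs.append((sub, code, caller, int(delay.total_seconds())))
    return pairs


def find_campaigns(pairs, threshold=CAMPAIGN_THRESHOLD):
    """Group pairs by (short_code, caller); a campaign is the same pair
    reaching at least `threshold` distinct subscribers. The result is the
    cross-system repeating pattern a signature would be built from."""
    hits = defaultdict(set)
    for sub, code, caller, _ in pairs:
        hits[(code, caller)].add(sub)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= threshold}


if __name__ == "__main__":
    pairs = find_pairs(parse_sms(SMS_LOG), parse_calls(CALL_LOG))
    for sub, code, caller, delay in pairs:
        print(f"{sub}: lure from {code}, call from {caller} after {delay}s")
    for (code, caller), subs in find_campaigns(pairs).items():
        print(f"campaign: short code {code} + caller {caller} hit {len(subs)} subscribers")
```

On the constructed logs the three subscribers texted between 10:00 and 10:03 each get a toll-free call three to four minutes later and are grouped into one campaign; the restaurant confirmation is ignored because it carries no lure wording, and the last subscriber's call arrives 90 minutes after the text, outside the window, so it is not paired. Tuning the window and threshold against real gateway volumes is the part of this work that needs an operator's judgement.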