
The scammers are getting ever better

Like many, I have parents.  My mother and my father-in-law are still around and kicking, and we have all of the same tech problems with them that everyone has with folks that didn't grow up surrounded by technology.  But in general, despite getting tied up in Windows or bringing up a screen on their phone that "just won't go away," security isn't something we worry about. They are backed up and up to date and have malware protection. They know not to click stuff, and to assume that something that seems too good to be true usually is.

Nonetheless, they both got hit by two different well designed scams last week.

The first was a refund scam, with an interesting path in.  The user uses Gmail, which has pretty good spam filtering. The scammer put their email in a JPEG, with the encoding just messed up enough that the OCR that Google uses couldn't read it, but the image rendering worked.  They "accidentally overcharged the user for McAfee" and wanted to issue a refund.  But to do that they wanted to log into the user's machine.  The user doesn't remember what login service they used, and I had fdisked the machine before I thought to look, but it was one of the usual suspects.
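The trick in that first scam was a message whose only real content was an image that the text-based filters could not read. One thing that can be checked without any OCR at all is the ratio of readable text to image payload: a message that carries almost no words but does carry an image is worth flagging for a second look. The following is an added example, not code from the original post, and the three sample messages are constructed inline rather than taken from the actual scam mail; the 20-word threshold in `image_heavy_score` is an arbitrary assumption for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# A few bytes that look like the start of a JPEG; constructed, not a real image.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64


def _build(subject, text, image_bytes=None):
    """Construct a sample message; image_bytes becomes an inline JPEG attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "parent@example.test"
    msg["Subject"] = subject
    msg.set_content(text)
    if image_bytes is not None:
        msg.add_attachment(image_bytes, maintype="image", subtype="jpeg",
                           filename="invoice.jpg")
    return msg.as_bytes()


# Constructed sample inbox: one image-only "refund" mail, one ordinary mail,
# and one legitimate newsletter that has both text and an image.
SAMPLES = {
    "image_only": _build("Your McAfee renewal", "", FAKE_JPEG),
    "normal": _build("Lunch Sunday?", "Are we still on for lunch on Sunday? Mom"),
    "newsletter": _build("Weekly update", "Long text. " * 20, FAKE_JPEG),
}


def image_heavy_score(raw, min_words=20):
    """Count readable words and image bytes in a raw RFC 822 message.

    A message is marked suspicious when it carries an image but fewer than
    min_words words of plain text: the text filters have nothing to read,
    and the image is doing all the talking.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    words = 0
    image_bytes = 0
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            words += len(part.get_content().split())
        elif part.get_content_maintype() == "image":
            image_bytes += len(part.get_payload(decode=True))
    return {
        "words": words,
        "image_bytes": image_bytes,
        "suspicious": image_bytes > 0 and words < min_words,
    }


def flagged(samples=SAMPLES):
    """Return the names of the sample messages the heuristic flags."""
    return [name for name, raw in samples.items()
            if image_heavy_score(raw)["suspicious"]]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, image_heavy_score(raw))
    print("flagged:", flagged())
```

This is a triage heuristic, not a verdict: a grandchild's photo with a one-line caption trips it just as readily as a scam, so it belongs in a "look at this one" queue rather than an auto-delete rule. It also ignores HTML-only bodies, which a fuller version would need to extract text from before counting.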

At some point the scammer brought up a PDF on the user's machine to get his personal information, since he already had the machine hook, line and sinker.  The user, at that point, wondered why they needed his mother's maiden name and whatnot and told the scammer "I'm going to ask my son about this, he's in computer security," and the scammer fell over themselves assuring him that everything was fine, he was just here to help, no need to call anyone.  At that point the user disconnected and, well, called me.

The other interesting thing about this attack was the VPN software they installed. That is one I really wish I had written down.  It clearly allowed remote access, though, so not knowing what RAT they may have installed later, I elected to format the machine and start over.  I'll hand it to Microsoft, it's a lot easier to do this now as compared to the old "where did I put those CDs?" we used to have to go through.  I can't help wondering if someone is going to figure out persistence over the Live account profile.  I remember writing POCs for that when they first started it, which prompted my second ever call from Microsoft asking about my research. (This was back in the MS Passport days.)

The second was either well researched, or just lucky.  It was a call with a Spectrum number on the caller ID, offering a discount of almost half for viewers over 70. That's a pretty well structured setup and group of guesses.  The target is a Spectrum subscriber, is over 70, and does screen their calls via the caller ID. (I know that's trivial to spoof, it's just a nice touch.) What really got me about that one was how slick the scammer was at getting all of the relevant identity info.  "All I see for your credit card on my end is a 5 followed by stars, can you confirm it for me?" was asked after finding out that it was paid with a Mastercard, which does start with a 5.  The scammer was also prepared to handle bank accounts for direct transfer, which I thought was interesting.

The real blow was the "Last four of your social security number" followed at the end of the conversation with "I'll set a new PIN for your account, usually we use the first five of your social security number." That one was very effective; the target didn't even realize they had given their whole SSN until I quizzed them for details later and pointed it out.

Remediation for this attack involved putting fraud alerts on credit reports, which was much harder than it should have been.  I'm about done with the credit bureaus, I'll tell you. However, Experian offered to communicate the fraud alert to the other credit bureaus, which was very nice. The bank was awesome, with a high-quality IR script.

The scammers are still pushing hard, and they are very effectively attacking users that are least able to protect themselves. Not a lot can be done about that, but we can keep sharpening the saw, preparing users as best we can, and having family incident response plans in place.
