UP CLOSE AND PERSONAL: DANCING WITH AN EVENTVWR SCAMMER
Last week, while I was at home, packing luggage for a trip, I received an unsolicited phone call from a company that was concerned about my Internet security.
There was plenty of background chatter (like the noise in a call centre) but their pitch was very clear:
They were calling from Microsoft Security, I had a very serious viral infection on my computer and they were willing to help me fix it.
This scam has been played out many times – there is ample information on the Internet about it (including details of people losing large sums of money), but I’d never been called before. If I have the time, I enjoy engaging telemarketers, and this was more personal than just another duct-cleaning sales pitch, so I put them on speakerphone and kept them talking.
What followed was a bifurcated Social Engineering exercise – at times ham-fisted and at times heavy-handed:
Their front-level contact (a woman) was reading from a script – they asked me to start up the Microsoft Event Viewer and tell them what I saw. I didn’t have a computer in front of me, but was able to use a bewildered voice and pretend I was working through what they asked me to do (complete with misspellings and Run errors to eat up some more of their time).
The front-level contact had practically no computer experience. I tested her by asking a few jokey questions (e.g. “If I have a Mac, where is the Microsoft key?”) and didn’t get a response.
Once I had said that I had successfully pulled up the Event Viewer and saw hundreds of weird message entries, I was passed on to the second-level contact.
Having established trust in me, a very fast-speaking man with a high-pitched and frenetic voice started the hard-sell, ever emphasizing the FUD factor. They were very persuasive, including details such as:
- We’re calling from Windows Support and we want to help you.
- Your computer is so infected that all of your personal data is at risk.
- Your existing Antivirus (pronounced Anti-wirus) isn’t doing the right job.
- For free I could have a year’s worth of full protection for my computer.
- For $149 I could have full protection for the life of the computer.
- If I were to buy a new computer I’d have to pay at least $500 and end up with the same problems anyway.
- This new software would make my old computer run as fast as a new one.
If I was willing to permit them to connect into my computer via an online Remote Control session, they could solve all of my problems. After leading them on for over half an hour, I started to ask them a few more pointed questions.
- Are you calling from Microsoft? “We are calling from Windows Technical Support.”
- How do you know that I have a problem? (no really good response, just more FUD)
- Can I call you back? “You should deal with this problem right now, we can take care of it for you.”
- Can I go to your website? They gave me a website to a Computer Technology company (I will not list because there’s no real evidence that they had any affiliation).
I was transferred to a third person (with a much deeper voice). I feigned confusion and asked, “Why am I talking to someone else? Where is the other guy?” to which they blamed the octave drop in voice on “the phone lines”. He was less high-strung but kept to the main script. After a few minutes, the previous speaker was back on the line (I’m guessing that he had to take a bio break). I maintained a high level of confusion in my language and tone of voice.
Sensing that I was on the edge of giving in (it must have seemed that they were wearing me down), they kept up the pressure of the hard-sell. I in turn persuaded my mother (who was visiting us that evening) that she should speak to them exclusively in French. I told them that I had to go – this whole conversation was exhausting, and I had to take care of my mother. They asked if they could talk to my mother; I asked them if they could speak French (“No.”), so I was able to burn another 10 minutes explaining the situation to my mother in faux French (peppering it with words like “courriel” and “l’ordinateur” – pretty much the extent of the computer-related words I could remember from Grade Ten French). She, in turn, played along, speaking French back to me, all while trying not to laugh.
By this time, I’d spent over 45 minutes on the phone with them, my luggage was fully packed for my trip and I was ready to terminate the call. I feigned total exhaustion and told them that I was just going to power off my old computer, and buy a new computer – thanked them for their assistance and let them hang up on me. As you can imagine, after spending that much time on the line with me, the second-level contact was quite exasperated with me and told me off for wasting his time (he had been speaking for at least 35 minutes, practically non-stop).
The following week, the Internet was abuzz that Microsoft rescinded Gold Partner Status from Comantra for allegedly performing eventvwr scamming.
It’s truly a great thing that after a few years of this scam being perpetrated, Microsoft has taken some steps to raise the visibility of this problem (especially when a Gold Partner is involved). It’s also important to realize that there must be many other similar scamming companies that have no official affiliation with Microsoft. I don’t know what company wasted 45 minutes of their call time on me. It could have been Comantra, but despite my repeated requests, I never was able to verifiably confirm their company name. But I’m reasonably sure they won’t call back and try to sell me these services again.
This was an obvious scam, but it gave me pause to think about how often even experienced infosec professionals deal with inbound (unsolicited, unauthenticated) calls.
I find it’s a good practice to automatically distrust all inbound phone calls – especially when they’re asking me questions in the guise of a survey or if they mention the name of someone I know. LinkedIn is a great business networking tool – but it’s very easy to use the details for duplicitous means.
I’ve had directory salespeople, headhunters and cold-callers try to “work the company” through Social Engineering techniques markedly similar to those used by my Event Viewer scammer – trying to establish instant trust through forced friendliness. I’m at the point where, as soon as I answer the phone, unless I’ve met the person face-to-face, I start at “ZERO TRUST”. I won’t answer market surveys, don’t participate in polls, and recommend the same to my friends and family. How can I tell how my responses will be used? For me, trust is earned. We might scoff at the victims of these “obvious scams”, but how well-defended are you against more sophisticated scammers?
As an ounce of prevention, talk to your friends and family – especially if you believe they’re susceptible to the Sirens’ call of Fear, Uncertainty and Doubt. Why would you give a stranger unfettered access to your computer, personal information or credit card details?
Author: Eldon Sprickerhoff, CISSP, CISA, CRMP, CRISC, QSA, Co-founder and EVP Security Services of eSentire