I have been gone for the past two weeks, first at MAAWG in San Francisco and then out on holidays back in Canada. While I was back in Canada, I stumbled across a new hacking technique.
Since I work with computers, everyone back home who isn’t a techie uses me as free tech support. The day before I left, I was chatting with an older friend of mine when he told me an odd story. He said that he received a phone call purportedly from Microsoft, and even left a call back number. This representative “from” Microsoft said that they were calling them up to take care of a computer problem of theirs. Now, everyone has computer problems these days, but this person was suspicious. They didn’t follow through on it, but it was odd that Microsoft would call them up unsolicited. They left a callback number which gives it an air of legitimacy… but only a bit.
My father explained that unless he called up Microsoft and opened some sort of support ticket, Microsoft would have never made contact with him. This was, in all likelihood, a scam.
I had never heard of this technique before (which is why I say it is a “new” hacking technique; it is new to me but most likely not to many of my readers), but I agreed with my father’s assessment. This was a scam.
As it turned out, this mechanism is not that unusual. I just took a Microsoft security training course on how to protect user data (I literally finished it 10 minutes ago) and they had a bunch of techniques that hackers use – social engineering, SQL injections, and quid quo pro. Huh? That last one was unfamiliar to me. But when I read the description, it said that this was something that hackers to – they impersonate Microsoft and call up a (presumably random) user and work through a random issue with their computer. When they are able to solve it, they have gained the user’s trust. Once they have that, they trick the user into coughing up more information. This is similar to a phishing scam where the user is deceived by a scammer masquerading as a trustworthy entity.
The fact that they had this type of scam in my training indicates that this scam is not new. It has to have been around for a few months, and most likely longer (insofar as it comes to hacking). Therefore, my friend from back in Canada was the target of a quid quo pro attack. However, his skepticism of Microsoft calling up people prevented him from releasing any important information.
It’s good to see that people have a natural suspicion about these things. At the upcoming conference in Virus Bulletin, I have a talk entitled “Practical Cybersecurity” where I will touching on that topic. Maybe we can teach users a thing or two after all.