For several years now we have witnessed a parade of increasingly sophisticated scams involving various types of malicious software. In prior cases the software was typically spread anonymously, rapidly, through thousands of automated servers or through the use of suberfuge. But as the skill and the reach of the attacks has increased, so has the sophistication of the countermeasures deployed in response. This has, of course, led the scammers to employ new approaches. The latest scam is a novel blend of old and new tactics, with a very personal touch.
The newest scam is basically a confidence operation. The perpetrators initiate the con by calling the intended victim (the “mark,” in con parlance) on the phone. Claiming to work for Microsoft, the scammer informs the mark that “unusual activity” has been detected on their computers and that their personal information is at risk. They then ask the mark to allow them to assess the problem and deploy a solution if necessary. Using a remote access connection, the scammer takes over the victim’s computer and carries out what appears to be a rapid series of scans, consisting of a succession of serious-looking screens. Like a good game of three card monte, the action goes too fast to properly follow. The “scans” inevitably confirm the worst. It’s all a show, of course, designed to soften the mark up for the score.
The payoff comes when the scammer convinces the mark to offer up a credit card number to purchase “Microsoft Security Software,” a bargain at only $99. Once the transaction has transpired, the scammer remotely initiates a download of the software. In most cases, the software is a stock or lightly repackaged version of Microsoft Security Essentials, a free program available from the Microsoft website. A smaller percentage of the time, the software is a harmless but bogus security program that makes a great show of protecting the computer, but in fact does nothing. But some of the time the purported security software is accompanied by a hidden a back door program, through which the user’s computer may be remotely accessed at will, monitored, or used as an unwitting distributor of spam or malware.
If the mark gets wise and cancels the transaction, the scammer runs the card anyway, usually for a greater amount than agreed. To further punish the mark, the scammer also activates a program (ironically an optional component of Windows) that blocks access to the computer without a password, a password that only the scammer knows.
Fortunately, this scam is on the radar of banks and merchant services organizations, who will generally reverse the charges on request. Law enforcement agencies at local, state, federal, and trans-national levels have also become aware of this scam and are taking it seriously.
The scammers appear to be targeting their marks carefully. In some cases we have heard about, the operators appear to have detailed knowledge about the mark. For example, the fellow who scammed a friend of mine peppered his sales pitch with references to my friend’s home country (Scotland) and went by the name of “Ian Campbell.” (Oddly, Ian spoke with what was clearly an Indian accent, but no matter.) Presumably the scammers are buying information in bulk from data aggregators, and using that information to customize their sales pitch. Thankfully, so far the scam has mostly been small ball, but that could change.
There is no clear technologically based solution to such a scam because it relies on direct human contact. In this case, as in so many others, the best defense is a good bullshit detector. The takeaway is obvious: If it sounds fishy, it probably is. And once again we are reminded that the Internet is a dangerous place indeed for the naive or overly trusting.