Proactive IT Security
 

Malicious cold calls with a high success probability

Introduction

According to a posting dated 15 November on the blog of the UK-based organization Get Safe Online, one in four UK web users has been targeted by so-called cold calls.

Cold calling is telephoning a person or organization that is not expecting the call. In many countries the practice is prohibited unless the recipient has consented to being contacted this way.

The scheme

A malicious cold call performed by a cybercriminal works like this:

  1. Someone (the bad girl) pretending to be, for example, a representative of an Internet Service Provider or a data security organization calls a random person (or organization).
  2. She claims that malicious software (for example a virus) has been discovered on the victim's computer.
  3. If needed, she uses various tricks to convince the called person that the computer is infected. One such deceit is to ask the person to open Windows' Event Viewer, which on almost any machine shows a backlog of warnings and errors that, with a little prompting, can be made to look alarming.
  4. The next step is to offer to "help" the owner of the allegedly infected computer.

     Variants of the following are then used.

  5. The caller asks for remote access to the computer in order to "check" it. Once this is granted, she installs a fake antimalware program and/or other malware (e.g. a backdoor). The fake program is then started and reports that the computer is heavily infected by all kinds of dangerous programs (which is, of course, not true).
  6. She then convinces the frightened computer owner to buy a paid version of the (fake) antimalware product in order to clean the computer.
  7. The purchase is paid for by credit card.

The credit card details, and any other personal information obtained, may later be sold on to other criminals and used for credit card fraud and identity theft.
The fake antimalware program (or other malware) that was installed may later update itself and/or download further malicious modules and programs.
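The Event Viewer trick in step 3 works because a healthy Windows machine logs plenty of warnings and errors in the course of normal operation. The following PowerShell snippet is an added example, not code from the original article: it counts those entries for the last seven days and lists the noisiest event sources. It assumes a Windows host with PowerShell 3.0 or later, where Get-WinEvent supports -FilterHashtable; the System and Application logs can be read without administrator rights.

```powershell
# Added example (not from the original article): count the Critical/Error/Warning
# entries Windows Event Viewer holds for the last 7 days on a healthy machine.
# Scammers point victims at exactly these entries and call them "infections".
# Assumes Windows with PowerShell 3.0+ (Get-WinEvent -FilterHashtable).

$since = (Get-Date).AddDays(-7)
$logs  = 'System', 'Application'

foreach ($log in $logs) {
    try {
        # Level 1 = Critical, 2 = Error, 3 = Warning (Event Viewer's own numbering)
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1,2,3; StartTime = $since } -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches the filter; treat that as zero events
        $events = @()
    }

    "{0}: {1} Critical/Error/Warning entries since {2:yyyy-MM-dd}" -f $log, $events.Count, $since

    # The five most frequent sources. On a clean machine these are routine noise
    # (DCOM permission entries, services that took long to start, Kernel-Power after
    # a hard shutdown, application crashes) and say nothing about malware.
    $events | Group-Object ProviderName | Sort-Object Count -Descending | Select-Object -First 5 |
        ForEach-Object { "    {0,5}  {1}" -f $_.Count, $_.Name }
}
```

Run it on a machine you know to be clean: the counts and source names it prints are precisely what a caller would read out to a victim as "proof" of infection. The same output is useful in awareness training, because it lets users see for themselves that a non-empty Event Viewer is the normal state of a Windows system.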

Analysis and generalization

It seems unlikely that 25 per cent of web users in the United Kingdom have been targeted by this type of cold call. Nevertheless, there is no doubt that it represents a serious problem, not only in the UK but everywhere such a scheme is used. Obviously, to succeed the cold call must be made by someone who speaks the target's native language.

One may generalize the scheme like this:

  • The infection vector: the cold telephone call.
  • The malware: different types of malware are installed (e.g. remote access software, fake antivirus, keyloggers, backdoors).
  • The payload:
    • Payment for a fake product
    • Whatever additional actions the installed malware performs
    • Credit card details going astray
    • Potential identity theft

In our security article from last year, Social engineering with a virtual twist, we discussed another type of attack that used an "old-fashioned" infection vector. There we focused on the fact that our defenses are lowered when the infection vector is not one we are accustomed to regarding as dangerous.
The cold call scheme is exactly the same: most of us do not expect a telephone call, even an unsolicited one, to be inherently dangerous.

Cybercriminals will keep finding new ways to combine "old-fashioned" technology with "modern" malware. Our best defense is to raise general awareness so that we become better at spotting the infection attempt itself (here, the cold call). That in turn improves our ability to protect ourselves against the malware that cybercriminals try to spread, whatever the technique.

References

2010 State of the Nation Report from Get Safe Online
