On the SC Magazine web site, Biocatch’s VP of Product Management Oren Kedem asks ‘After a decade, why can’t we finally be rid of the Microsoft scam?’ Which is slightly odd, in that he reckons the support scam (no, he wasn’t talking about the way Microsoft is pushing Windows 10!) has been around since ‘at least 2009 in one form or another’. Well, I first heard about it in 2010, but Steve Burn, something of an authority on the sites that push these ‘solutions’, has indeed been following them since 2009. Still, that’s rather less than a decade.
That doesn’t invalidate Kedem’s central point, though. In spite of all the publicity we’ve given to these scams, they’re still clearly operational. While much of the action has shifted away from cold-calling to decoy popups and fake alerts, seeding undesirable URLs via SEO and social media, and even real malware, I still see reports on the ESET blog from people who’ve fallen for tricks like the old CLSID gag. Of course, they haven’t necessarily been cold-called, but the scammers are clearly still using tried and tested gambits to ‘prove’ that the victims need their help.
Kedem suggests that education fails because people fly into a panic and forget what they’ve been told when a scammer actually captures their attention. There’s probably something in that, but in my experience people tend to be fairly good at spotting a scam that’s close to something they’ve previously been warned about. However, they’re not so good at extrapolating from one scam to another when the underlying mechanism is the same, but the gambit used appears quite different. Which is why I try to demonstrate attack principles as well as just describing an attack. (That often goes for technical attacks as well as social engineering.)
Unfortunately, support scam attacks have proved fairly adaptable over the years. While the scammers themselves are often far from bright, the scripts they work from are sometimes pretty clever. (Fortunately, a not-so-bright scammer will very quickly sound much less convincing if you nudge them away from the comfort of an anticipated response. They’ll tend to desperately try to get you back on script, often by ignoring awkward questions and repeating scripted material until it’s clear they’re not going to get anywhere.) Still, the social engineering gambits they use in those scripts (and even the more technical approaches we’ve seen recently) are often far brighter than the call-centre drones that deliver them.
Kedem does make an interesting suggestion about making bank employees identify themselves with a ‘code of the month’ which might have possibilities for reducing phishing. Unfortunately, I can’t see how it would help with the ‘Microsoft scam’. And while there are ways of implementing educational programmes that might have more impact, getting the home users who are the main targets of support scamming to undergo suitable training may not be so easy.