We’ve all heard the warnings about telephone calls from Apple or Microsoft support. We know that neither company will call individual end users as a courtesy to let them know their PCs are infected or that their software subscriptions are about to expire AND their computers will be turned off.
But what happens if you are an end user who isn’t sure? Or one who relies on a multitude of devices nearly 24×7 to run a business? And the tech support agent insists the call is legitimate and can provide proof?
Well, you might just believe the call is from Apple or Microsoft Support. Here’s why. The event will seem plausible. There will be a sense of urgency. The person on the other end of the phone – yes, THAT guy who says he wants to help you and doesn’t want you to be a victim – will now take hours to build a relationship with you if he believes he will then be able to, in the end, help himself. After all, that’s the purpose of his call. It’s not to warn you. It’s not to remove a virus or block an attack. It’s to help himself to the treasure trove of data stored on your computer and to steal your passwords, credit card information and money.
To THAT guy, it’s just business. It’s his job to build a relationship with you and get you to trust him because sooner or later he will ask you to give him remote access to your computer.
That’s exactly what happened a few weeks ago to someone I know. What surprised me about the incident, though, was the amount of time the “agent” invested in the social engineering component of the, shall we say, transaction. From start to finish, the contact exceeded two and a half hours. In the end, thankfully, the person I know contacted me and we were able to put an end to the scammer’s access. Before that happened, though, the scammer had:
- Gained information about the person’s Apple devices
- Set up an unattended connection to a Windows laptop
- Used his access to the laptop and the stored information on it to purchase and attempt to purchase about $1,000 in gift cards
Hindsight is always 20/20, so what seems obvious now – why would Apple Support need to access a Windows laptop? – certainly wasn’t all that obvious to the end user during the event. The caller identified himself as a support technician from Apple and advised that, during monitoring, support had discovered attempts by someone out of the country to access the end user’s devices. When the end user questioned the call, the so-called support agent said, “That’s understandable. I will send you an email with your case ID and my contact information.” The end user received the email, which displayed “Apple Support” as the sender, with the case ID and a phone number. The end user called the number and verified that it was, in fact, Apple. (In the interest of full disclosure, the end user did not wait to speak with a real support technician.) So, when the scammer asked for information about the end user’s Apple products, by then, the request seemed natural. After providing that information, almost as a form of verification/validation, the next requests also seemed plausible: “To fix the problem, I will need access to your computer. To make sure your Apple products are safe, please turn them off.” In reality, what the scam artist should have said was that he wanted the Apple products turned off so that the purchase notifications wouldn’t be received until after he’d completed his handiwork from the end user’s laptop.
Let’s face it. This attack wasn’t overly sophisticated. It’s easy to create an email and send it. It’s also easy to pretend you’re someone you’re not and use the phone to do it. What struck me about this attack was that the perpetrator was willing to spend as long as necessary to achieve his goals. It wasn’t “make the call and move on to the next potential victim.” It wasn’t “look for low-hanging fruit and just ask for a credit card number.” It was “have the answers to the anticipated questions ready, waiting and, for the most part – unless you inspected the email headers – believable.”
It was…build the trust to create the victim.
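For readers who want to see what inspecting the email headers can reveal, here is an added example (not part of the original post, and not the headers from this incident) that checks a message whose sender displays as “Apple Support”. The sample message, its `.test` domains and the brand-to-domain table are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: brand keyword -> domain that brand mails from.
BRAND_DOMAINS = {"apple": "apple.com", "microsoft": "microsoft.com"}

# Constructed sample message (not from the incident); .test is a reserved TLD.
SAMPLE = """\
Return-Path: <bounce@mailer.invalid-sender.test>
Authentication-Results: mx.recipient.test; spf=softfail smtp.mailfrom=mailer.invalid-sender.test; dkim=none; dmarc=fail header.from=case-desk.test
From: "Apple Support" <agent@case-desk.test>
Reply-To: helpdesk@another-host.test
Subject: Your case ID

Body omitted.
"""

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def in_domain(domain, expected):
    return domain == expected or domain.endswith("." + expected)

def inspect_headers(raw):
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    findings = []
    # 1. The display name is free text; compare it with the real address.
    for brand, expected in BRAND_DOMAINS.items():
        if brand in display.lower() and not in_domain(from_dom, expected):
            findings.append(f"display name claims {brand} but address is at {from_dom}")
    # 2. Replies and bounces routed to a different domain than From.
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(name))
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # 3. Verdicts recorded by the receiving mail server.
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                              " ".join(msg.get_all("Authentication-Results", []))))
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check, "missing") != "pass":
            findings.append(f"{check} result: {results.get(check, 'missing')}")
    return findings

if __name__ == "__main__":
    for line in inspect_headers(SAMPLE):
        print("-", line)
```

Each finding is a signal rather than a verdict: legitimate bulk mail often uses a different Return-Path domain, so weigh the display-name mismatch and a failed DMARC result most heavily.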