OFFICIAL SECURITY BLOG
June 11, 2013 | BY Jean Taggart
Scammers use psychological manipulation to defraud their victims, so it is extremely useful to be able to identify the social engineering elements in online scams.
If you can recognize the social engineering taking place in some of today’s scams, you can better protect yourself and avoid scams that you have never heard of.
Think of this as a heuristic detection for your mind.
One of the most accurate descriptions of social engineering in the context of scams comes courtesy of Wikipedia. Its most salient point is this: “It differs from traditional cons in that often the attack is a mere step in a more complex fraud scheme.”
This step, this “push,” is what is simultaneously the most powerful aspect, and the greatest weakness, in these types of scams. It is what will convince the victim to ignore common sense, but also what will make the whole elaborate lie collapse, if recognized for what it is.
The Law Enforcement Scam:
One of the more common online scams, the law enforcement fine scam, begins during a browsing session: a flurry of pop-ups, some pornographic in nature, overtakes the machine.
Simultaneously, malware is delivered via a web drive-by. Once installed, it will reboot the victim’s computer. The normal boot process is interrupted by a warning, alerting the user that they have been detected by the local law enforcement in the commission of a crime.
To unlock the computer, directions are given to pay a fine for the offense.
What are the social engineering aspects at play here?
Fear. The user fears having committed a crime. He or she knows that there is now pornographic material on the computer and that it is potentially illegal in nature. Fear is one of the most common motivators used in pushing the victim.
Urgency. Access to the computer will not be returned until the user pays the fine.
Convenience. The fine is $100, an amount often referred to as the impulse buy. It is low enough to be paid out to solve the inconvenience of the lockout, without much thought.
No law enforcement agency ever collects fines in the manner described above. See
The fear, urgency and convenience are being employed to obscure the fact that law enforcement would never resort to an online currency system, such as uKash or MoneyPak, to collect a fine.
The Microsoft Tech Support Scam:
Here is a quick synopsis:
A call is placed from a call center; the caller pretends to be from Microsoft and instructs the victim to open the Event Viewer and locate red errors, which are claimed to be virus infections.
The reason often given for this unrequested call from Microsoft is that your machine is somehow participating in malicious activities and infecting other machines. Instructions are given to allow a remote technician to connect to the computer and fix the problem. Having fixed a nonexistent problem, a pitch is made for the sale of a support plan or application.
What are the social engineering aspects at play here?
Fear. Fear of being infected, of losing your personal data and of being liable for damage caused to other computers.
Authority. The caller assumes the identity of a Microsoft support technician. Microsoft employees are expected to be very knowledgeable, and from the perspective of an end user, carry a lot of authority.
Confidence. The caller assumes control of the interaction. Instructions are clear, concise, and leave little or no room for interpretation. Commands are issued with confidence. You can tell this person has done this many, many times before.
Urgency. Your computer is infecting other machines. You need to deal with this issue right away. It is important enough that you cannot afford to ignore this.
Familiarity. The event viewer presents its data in a very familiar way. There is a progression from the informational in blue, the warning in yellow, and the error in red. This isn’t a coincidence, and you only have to look at the results from a legitimate security product to see the similarities.
Microsoft will never call you unless you have initiated a process with them. They state this:
“Microsoft does not make unsolicited phone calls to help you fix your computer.” See this article for details.
This particular scam is very well crafted, and detecting it as such, without prior knowledge of Microsoft products and proficiency with computers, is extremely difficult, because everything looks plausible. In this case, the large sums being asked for the support contracts should be what raise alarm. The preferred payment method, PayPal, might also be cause for pause.
While this advice may sound trite and overused, I have regretted it every time I have chosen to ignore it: Trust your gut feeling. Does the interaction feel just a bit off? Is there just a little too much urgency? More often than not, these are valuable clues that something is amiss.
Once you start looking at these interactions with greater scrutiny, you can see some constants. Fear is commonly used, and money is requested. As soon as both of these are involved in an interaction, regardless of how legitimate it may appear, I treat it as suspicious.
When online, over electronic communications, and on the phone, a dose of skepticism is always a good thing. Fear and urgency are often used to cloud the potential victim’s judgment. Be wary of problems that require an immediate outlay of cash to be solved.
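As an added illustration of the "fear plus a request for money" rule above (example code written for this page, not from the original post), here is a small Python scorer that tags the indicator categories the post names (fear, urgency, authority, payment) and flags a message as suspicious only when a payment request appears together with fear or urgency. The keyword lists and the four sample messages are constructed for this example; a real filter would need broader vocabularies and would still produce false positives.

```python
import re
from dataclasses import dataclass, field

# Indicator vocabularies, one per social engineering element described in
# the post. These lists are constructed for this example, not a published
# ruleset; extend them for your own environment.
INDICATORS = {
    "fear": [r"\bcrime\b", r"\billegal\b", r"\binfect(ed|ing|ion)?\b",
             r"\bvirus\b", r"\bliable\b", r"\bprosecut\w*"],
    "urgency": [r"\bimmediately\b", r"\bright away\b", r"\block(ed|out)\b",
                r"\bwithin \d+ (hours?|minutes?)\b", r"\buntil you pay\b"],
    "authority": [r"\bmicrosoft\b", r"\bpolice\b", r"\blaw enforcement\b",
                  r"\bfbi\b", r"\bsupport technician\b"],
    "payment": [r"\bpay (a|the) fine\b", r"\bfine of\b", r"\$\s?\d+",
                r"\bukash\b", r"\bmoneypak\b", r"\bpaypal\b",
                r"\bgift card\b", r"\bpay\b"],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in INDICATORS.items()}


@dataclass
class Assessment:
    categories: tuple          # indicator categories present, sorted
    hits: dict = field(default_factory=dict)  # category -> matched phrases
    suspicious: bool = False   # payment AND (fear OR urgency)


def score_message(text):
    """Tag indicator categories in a message and apply the post's rule:
    a request for money combined with fear or urgency is treated as suspicious."""
    lowered = text.lower()
    hits = {}
    for cat, patterns in COMPILED.items():
        # finditer + group(0) so patterns with capture groups still return the full match
        found = {m.group(0) for pat in patterns for m in pat.finditer(lowered)}
        hits[cat] = sorted(found)
    present = {cat for cat, phrases in hits.items() if phrases}
    suspicious = "payment" in present and bool(present & {"fear", "urgency"})
    return Assessment(categories=tuple(sorted(present)), hits=hits, suspicious=suspicious)


# Constructed sample messages: two modelled on the scams in the post, two benign.
SAMPLES = [
    "ATTENTION! Your computer has been locked by law enforcement. Illegal content "
    "was detected on this PC. To unlock it you must pay a fine of $100 via MoneyPak "
    "within 24 hours.",
    "This is the Microsoft support technician. Your computer is infecting other "
    "machines on the internet and you may be liable for the damage. You need to deal "
    "with this right away. The annual support plan is $299, payable by PayPal.",
    "Reminder from IT: your password expires in 5 days. Please change it through the "
    "usual self-service portal.",
    "Invoice 4471 for last month's consulting is attached. Please pay by bank transfer "
    "within 30 days, per our contract.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = score_message(msg)
        flag = "SUSPICIOUS" if result.suspicious else "ok"
        print(f"[{flag:10}] categories={result.categories} :: {msg[:60]}...")
```

The invoice sample shows why the rule needs both halves: it asks for money but carries no fear or urgency cue, so it is not flagged, while the two scam scripts trip every category. A scorer like this is a triage aid for a mail or chat pipeline, not a verdict; the categories it reports are the same cues a reader can check by hand.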
New scams are emerging every day. Criminals have seen the effectiveness of a well-crafted social engineering scam and we can only expect an increase of these types of threats. Better understanding of the social engineering aspects at play will help prepare you if you encounter new scams.
If you are interested in finding out more about how social engineering techniques can be used to devastating effect, you can read Ghost in the Wires. These are the memoirs of Kevin Mitnick, probably the most famous social engineering expert.