Malware via Social Engineering

[jjwinter]

Have gotten several calls from residential customers who get phone calls from scammers pretending to represent Norton or Microsoft. One woman was very scared that hackers got into her system, even though she hung up and never did anything with her PC.

The other customer fell for it. The scammer convinced her that he was from Microsoft, and that her PC was hacked. So she turned it on and went to the website he directed her to, and he established a remote session using showmypc. He then told her all her files were corrupt, and scared her by showing event log entries. Then he wanted her to go to Western Union send him $25. She refused and he hid her desktop icons, and hung up. She thought she lost everything and called me in a tearful panic.

She's all cleaned up now, and better educated about phone scams I hope.

Those of you who support end users, do you get calls like this?

I've seen videos posted by other forum members of pentesters using similar SE techniques to trick corporate users who should know better, pretending to be the Help Desk, or similar. Do you find that these sort of methods work better / faster than vulnerability scanning and exploitation? Or do you do both, and report the technical issues and the SE issues?

[lorddicranius]

I don't have any experience to share regarding this, but this reminded me of an article I read the other day:

http://arstechnica.com/features/2012/10/can-you-fix-my-windows-95-computer-how-to-troll-a-tech-support-scammer/

[cd1zz]

The audio for that IS AWESOME.

[sh4d0wmanPP]

This is a common scam (at least in Europe) usually carried out by callcentres from India (or at least they have the accent and operate from whereever over VOIP). Haven't heared about any arrests but there have been multiple articles published in the media to warn the public.

Useless to say, this fails at some part of the population
$25 seems pretty low, considering somebody will have to fetch hundreds? thousands? of these money orders.