The U.S. Cyber Emergency Response Team (US-CERT), an operational arm of the National Cyber Security Division (NCSD) at DHS, released the newest "ICS-CERT Monthly Monitor" [PDF] yesterday, warning that cybercrooks were busy attempting highly targeted social engineering attacks on Industrial Control Systems (ICS). As if there were not enough current vulnerabilities threatening America's critical infrastructure, such as the Firesheep moment for SCADA or the "forever days" bugs, utility companies received phone calls allegedly from the "Microsoft Server Department" warning of infected PCs.
While phishing calls are old tricks, the US-CERT Control Systems Security Program (CSSP), which aims to reduce ICS risks to critical infrastructure, found the events important enough to point out the "need for continued vigilance for everyone involved in critical infrastructure, particularly regarding recognition of social engineering attempts."
The utilities received a call from a representative of a large software company - yes, the one that sold them the operating system on their computers - warning them that their PCs had viruses: "Please take the following steps so I can help you correct the problem." The calls purported to be from the "Microsoft Server Department" and informed the utilities that they had a virus. Of course, it wasn't really Microsoft calling, but rather an attacker attempting to socially engineer the utilities into granting access to their systems.
The caller tried to convince the transmission managers to start certain services on their computers (most likely services that would have allowed unauthorized remote access). Fortunately for the customers of those utilities, the transmission managers recognized the social engineering attempt, refused to comply, and hung up.
US-CERT recommended that organizations review the US-CERT Tip "Avoiding Social Engineering and Phishing Attacks" and keep an eye on the known phishing attacks posted by the Anti-Phishing Working Group.
Social engineers often send emails, hoping for a bite: a link to be clicked or a download to be opened. If an attacker can lure the target into visiting a maliciously crafted spoof site, they may hope to deliver a drive-by download. Social engineers also place calls and, in the guise of needing help or pretending to be someone in authority, can often persuade a person to divulge too much information about a company. However it is accomplished, as was seen twice at DefCon, social engineering is lethal to corporate America.
Earlier this year, US-CERT reported spoofed emails that falsely claimed to be from @US-CERT.GOV, with a subject line containing "Phishing incident report call number: PH000000XXXXXXX." The fake US-CERT emails targeted federal, state and local government personnel and carried attachments labeled "US-CERT Operation Center Report XXXXXXX.zip." The zip file contained the Zeus offshoot 'Ice-IX', which could "sidestep firewalls and other protective mechanisms" to steal banking credentials and other sensitive information by logging keystrokes.
Scams involving phishing phone calls purportedly coming from Microsoft tech support have been around for years. Whether such "Hi, I'm from Microsoft" phony phone calls are aimed at defrauding ICS operators, enterprises or individuals, here are a few tips. For starters, Microsoft does not make cold calls to offer tech support. Microsoft is not going to call you unless you specifically requested to be called.
When you open a support case and ask to be called back, you provide your details, including your name. Microsoft will reference your support case by its support ID number and address you by name when calling. As Cyber Defend Team noted, if Microsoft tech support calls because you requested it, the caller will address you by name, NOT merely with "hello," "hi," or "hey there," and will be able to provide your support ID. The Microsoft Safety and Security Center offers other online privacy and safety tips for avoiding tech support phone scams.
Microsoft did not respond to a request for a comment before publishing.
*Update*: A Microsoft spokesperson said:
Our advice is simple; treat callers as you would treat strangers in the street – do not disclose personal or sensitive information to anyone you do not know.
Unfortunately this is not the first scam of its kind, and it's unlikely to be the last. The best way to avoid becoming a victim is by being aware of the threat. Consumers should also ensure the copy of Windows they are running is genuine and fully up to date, and ensuring they have installed legitimate software will guard against viruses, spyware, and other malicious software.
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.