Proactive IT Security

Malware infections by telephone

Introduction

An interesting news item has appeared in several UK-based media lately. Several end users have received phone calls from someone who presents themselves as security personnel. The caller claims that the computer is infected by malware and offers to help. Varying social engineering techniques are used to persuade the recipient to allow the use of remote access software in order to "fix the problem".

Unfortunately, allowing such access is the problem. The result is that rogue antimalware products are installed on the (presumably) clean computer. The usual scheme involved in rogue antimalware is then invoked:

  • the "antimalware product" shows that the computer is infected by displaying a list of bogus infections,
  • the cheated person is encouraged to buy the antimalware program to clean his computer,
  • the antimalware product includes several different malicious components and is very difficult to get rid of.

See for example this article in The Register, this article in PC PRO, and this Diary posting from SANS Internet Storm Center for information about and examples of the ongoing trickery.

Rogue antimalware products are currently one of the most widespread threats to computer users, and have been discussed in several of our security articles in recent years. Fake antivirus, which is another term for this type of malware, is currently rated High Risk by Norman - read more about this in the virus description.

In this article, however, we shall not examine the malicious software itself. We shall look at some general lessons and precautions that can be derived from the "malicious cold-call" scam mentioned above.

A three-layer defense

The model

A useful approach to the problem with malicious software in general, and possible actions to defend yourself against this, is to view it as a defense in three layers:

  1. Personal awareness (actions prior to exposure)
  2. Protection by software
  3. Procedures when infected

Layers 2 and 3 are those where you are protected by software, like antivirus software, firewalls, malware cleaners, intrusion detection systems and so on. Norman products that can assist you in these categories are linked in the right-hand column.

Layer 1, on the other hand, is where your own actions and awareness represent the crucial defense mechanism. You have major influence on avoiding infection, and this is the focus of this security article.

Almost all techniques used to trick you into performing an action that results in an infection of your computer boil down to social engineering: a person or persons with criminal intent want to persuade you to do something that has consequences you did not expect (or want).

The social engineering schemes vary from the ridiculously simple (sending a message with nothing but a link, hoping that recipients will click the link) to the sophisticated (investigating the recipients before contact and designing specially crafted personal messages) – and everything in between.

Since the different social engineering schemes are so varied, one cannot make a complete list of how they look. The ambition should rather be for each and every one of us to recognize typical patterns, and thus avoid being tricked.

Common social engineering techniques

Some techniques that are frequently used to trick you into performing actions that will result in an attempted infection (which of course your antivirus software, for example, might prevent) are:

  1. Links in instant messaging (IM) programs
    These are usually characterized by unexpected messages coming from someone in your contact list, often in a language and a manner of speaking that are unusual for the sender. It is then highly likely that the other person did not send the message at all, but that his computer is infected by malware that sends it without his knowledge.
  2. Obfuscated links in email messages
    HTML messages, which are increasingly common in email, allow the "real" link target in the message to be totally different from the text that is displayed. This may trick you into clicking a link that takes you to an infected web page rather than the one you expected to reach.
  3. Manipulated search engine results
    It is possible for persons with malicious intent to manipulate search engine results so that links to web sites with malicious content appear high in the result list. We refer to our previous article Domänennamenregistrierung – ein Verbreitungsvektor für Malware for some examples of the techniques that are used. Note in particular that most malicious web sites/pages are infected without the site owner's consent - some studies indicate as many as 90%.
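The second technique above (display text that names one site while the href points to another) can be checked for mechanically on the receiving side. The following script is an added example for this article, not Norman's code: it parses an HTML message body with the standard-library HTML parser, keeps only links whose visible text looks like an address, and flags those whose visible host and real host do not belong to the same site. The sample message and the "same site" rule (compare the last two domain labels) are constructed simplifications for the example; production code would use the Public Suffix List.

```python
"""Flag HTML e-mail links whose visible text names one site while the
real href points to another (the "obfuscated link" pattern).

Added example; not part of the original article.  Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text a reader would take for an address: a bare host name or a
# full URL.  Heuristic written for this example.
LOOKS_LIKE_ADDRESS = re.compile(
    r"^(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$", re.I)


def host_of(text):
    """Lower-case host name of a URL or bare host name; '' if there is none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def same_site(a, b):
    """True when both hosts share their last two labels (e.g. example.com).
    Simplification for this example: real code should consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    return a.split(".")[-2:] == b.split(".")[-2:]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return [(visible_text, href)] for links whose text names a site
    other than the one the href leads to.  Links whose text is not an
    address ("help pages") are not flagged: nothing visible contradicts
    the target, so only the mail client's status bar can reveal it."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not LOOKS_LIKE_ADDRESS.match(text):
            continue
        shown, real = host_of(text), host_of(href)
        if real and not same_site(shown, real):
            flagged.append((text, href))
    return flagged


# Constructed sample message using reserved documentation names/addresses.
SAMPLE_MAIL = """
<p>Dear customer, your account needs attention.</p>
<p>Log in at <a href="http://203.0.113.5/login">www.example-isp.com</a>
to keep your service.</p>
<p>Or read our <a href="http://198.51.100.23/help">help pages</a>.</p>
<p>Consistent: <a href="https://www.example.com/account">www.example.com</a></p>
<p>Same site: <a href="https://support.example.com/">https://example.com/support</a></p>
<p>Mismatch: <a href="https://example.net/">https://example.com/</a></p>
"""

if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_MAIL):
        print(f"shown: {text!r:32} real target: {href}")
```

Run on the sample, the script reports the first and the last link; the "help pages" link is deliberately left alone because its text makes no claim about where it leads, which is exactly why a mail client should show the real target on hover.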

More unusual techniques

The technique described in the introduction to this article is an example of a more unusual one, not least because it does not rely solely on "modern" communication like email and instant messaging. It combines "good" old cold-calls with the newer remote access and rogue antimalware scheme.

Another example of a similar technique was discussed in our article Social Engineering mit einem virtuellen Dreh one and a half years ago.

Both of these examples have in common that some manual labor is involved - this is of course far more expensive than relying on electronic communication only. On the other hand, the probability of success is much, much higher. If one can trick a person into paying e.g. USD 150 for something worth nothing, and invest e.g. USD 20 for the few minutes spent persuading the average user, the concept represents quite an interesting business model... Add to this the potential for including the infected computer in a botnet and/or squeezing more money from the victim by other means.

The problem with these types of social engineering techniques is that they can be very difficult to see through.

Imagine that you get a phone call from a polite person who introduces herself as an employee of your Internet Service Provider. She says that their logs show that you are infected by {random malware name}, but that she will help you get rid of it so that she can avoid terminating your Internet connection. You can either go to a web page whose address she gives you over the phone and run a "cleaner program", or you may allow her to connect to your computer remotely so that she can fix it for you.

Would you say no, this is a scam intended to trick me, and demand to call your ISP yourself for verification? Most of us probably would not!

Your protection mechanisms

As we have attempted to show above, it is very difficult to protect yourself against some of the more personal social engineering schemes. The most important rule to follow in order to avoid being tricked is - as we cannot repeat too often:

Use common sense!

You are also recommended to regularly visit security organizations' web sites and join their mailing lists. This gives you a double advantage, as you will

  • get concrete information about the newest threats and techniques that you may be exposed to,
  • subconsciously educate yourself to better recognize any (new or well-worn) social engineering attempts against you.

You are thus better enabled to take the relevant counter-measures, so that your defense layers 2 and 3 do not have to be tested more often than necessary.