US-CERT: Social engineers target utilities with fake Microsoft support calls

The U.S. Cyber Emergency Response Team released "ICS-CERT Monthly Monitor" yesterday, warning that social engineers are attempting highly targeted attacks against Industrial Control Systems such as those run by utility companies. The attacks take the form of phishing phone calls allegedly coming from the "Microsoft Server Department" and warning of infected PCs. The attacker attempts to have the utilities turn on services that would allow unauthorized remote access.

The U.S. Cyber Emergency Response Team (US-CERT), an operational arm of the National Cyber Security Division (NCSD) at DHS, released the newest "ICS-CERT Monthly Monitor" [PDF] yesterday, warning that cybercrooks were busy attempting highly targeted social engineering attacks on Industrial Control Systems (ICS). As if there are not enough current vulnerabilities that threaten America's critical infrastructure, such as the Firesheep moment for SCADA or the "forever days" bugs, utility companies received phone calls allegedly from the "Microsoft Server Department" warning of infected PCs.

While phishing calls are old tricks, the US-CERT Control Systems Security Program (CSSP), which aims to reduce ICS risks to critical infrastructure, found the events important enough to point out the "need for continued vigilance for everyone involved in critical infrastructure, particularly regarding recognition of social engineering attempts."

The utilities received a call from a representative of a large software company - yes, the one that sold them the operating system on their computers - warning them that their PCs had viruses and to "Please take the following steps so I can help you correct the problem." The calls purported to be from the "Microsoft Server Department" informing the utilities that they had a virus. Of course, it wasn't really Microsoft calling, but rather an attacker attempting to socially engineer the utilities into granting access to their systems.

The caller tried to convince the transmission managers to start certain services on their computer (likely, those services would have allowed unauthorized remote access). Fortunately for the customers of those utilities, the transmission managers recognized the social engineering attempts, refused to comply, and hung up.

US-CERT recommended that organizations review the US-CERT tip "Avoiding Social Engineering and Phishing Attacks" and keep an eye on known phishing attacks posted by the Anti-Phishing Working Group.

Social engineers often send emails, hoping for a bite: a link to be clicked or a download to be opened. If an attacker can lure the target into visiting a maliciously crafted spoof site, they may hope to deliver a drive-by download. Social engineers also place calls, and in the guise of needing help or pretending to be someone in authority, can often persuade a person to divulge too much information about a company. However it is accomplished, as was seen twice at DefCon, social engineering is lethal to corporate America.

Earlier this year, US-CERT reported spoofed emails that falsely claimed to be from @US-CERT.GOV with a subject line containing: "Phishing incident report call number: PH000000XXXXXXX." The fake US-CERT emails targeted federal, state and local government personnel and had attachments labeled "US-CERT Operation Center Report." The zip file contained the Zeus offshoot 'Ice-IX', which could "sidestep firewalls and other protective mechanisms" to steal banking credentials and other sensitive information by logging keystrokes.

Scams involving phishing phone calls purportedly coming from Microsoft tech support have been around for years. Whether such social engineering "Hi, I'm from Microsoft" phony phone calls are aimed at defrauding ICS operators, enterprises or individuals, here are a few tips. For starters, Microsoft does not make cold calls to offer tech support. Microsoft is not going to call you unless you specifically requested to be called.

When you open a support case and ask to be called back about a tech support issue, you provide your information and your name. Microsoft will reference your support case with a support ID number and address you by name when calling. As Cyber Defend Team noted, if Microsoft tech support calls because you requested it, Microsoft will call you by name, NOT just "hello," "hi" or "hey there," and will be able to provide your support ID. The Microsoft Safety and Security Center offers other online privacy and safety tips to avoid tech support phone scams.

Microsoft did not respond to a request for a comment before publishing.

*Update*: A Microsoft spokesperson said:

Our advice is simple: treat callers as you would treat strangers in the street – do not disclose personal or sensitive information to anyone you do not know.

Unfortunately, this is not the first scam of its kind, and it's unlikely to be the last. The best way to avoid becoming a victim is by being aware of the threat. Consumers should also ensure the copy of Windows they are running is genuine and fully up to date, and ensure they have installed legitimate software, which will guard against viruses, spyware, and other malicious software.

Copyright © 2012 IDG Communications, Inc.