Don’t Trust All Phone Calls: Phone Scams 2.0

There are many methods criminals will use to steal money that fall outside of normal attack channels. I was having dinner with a buddy from work and heard one of the most outrageous social engineering attack methods he recently experienced. To summarize, he had attackers call his home phone and try to get him to install malicious software. He figured out they were full of it yet went along with the scam for 20 minutes to see where they would take things. This post will cover his experience and variations of this attack seen in the wild.

Lesson learned …. don’t trust somebody just because they called you. Make sure to tell your friends and family this message. If you do some Google research, you will find many non-technical people are being tricked by this form of attack.The Attack

The attacker called my buddy’s home phone claiming to be Microsoft Windows support. Their purpose for the call according to the lady on the phone was to let him know his windows computer is currently spewing out malware and needs to be fixed. My buddy told the lady on the phone “Oh my god … well I have a few computers but they are all off … is the device you identified still spewing out malware right now”? She told him “well I will need to get a level 2 support representative on the phone, stand by”.

After a minute, a guy got on the phone and told my friend his computer is spewing malware. My friend asked “well you say you are windows support right? Well I use a MAC”. The level 2 guy came back with “well we can work with MAC as well, I need you to power on your MAC”. My friend asked “I thought you were with Microsoft support” and was told “we are actually with a security support team paid for by Microsoft to keep associated systems safe. Please power on your MAC”. So my buddy told the level 2 guy he was powering on his MAC and asked “where are you based out of’? The level 2 support guy told him “oh we are all over, is your system up? I need you to go to a link to download some software”. My friend asked “well that’s strange, my call trace is showing an non USA based country code and your address is coming up shortly”. The level 2 guy quickly hung up.

The Purpose

What would have happened if my friend installed the software? Research and live stories from customers we work with lead us to believe a few possible outcomes would have happened.

  • Outcome 1: The software being installed could have been a form of Cryptolocker / Crytpowall (I have posted about this HERE). This means my buddy’s hardware would have been encrypted and held ransom. The IT guy could have waited until the software was installed and say “Ok sir, do you see a countdown? Well that is how long you have to pay us or your data will be lost forever. Here is a link to instructions on how to pay us. The cost is $50 dollars for the next 48 hours and will be $100 dollars until the time expires. After that, your data is lost. Have a nice day”.

Here are some example articles on this type of attack: Example 1, Example 2

We have heard horror stories of customers downloading such software and it moving from their computer to their company’s datacenter. At that point, ransoms were as high as $50,000 dollars to unencrypt everything. With new versions of this attack hiding the command centers through TOR (see THIS post), customers are telling us they have paid such ransoms!

  • Outcome 2: Malware could have been installed that would start showing annoying popups and slow things down. The IT guy could have attempted to sell licenses to fake anti-virus products that really just shut off the malware initially installed. The IT guy could have also attempted to sell services to fix things even though my buddy didn’t ask for it. I love this cartoon example of this attack.


Here is an example article covering this attack: Example

  • Outcome 3: Spyware could have been installed if the attacker wanted to perform a longer-term attack. This means the IT guy could claimed everything is fine now however a rootkit could have been planted giving him access to everything on my buddy’s system. This means he could attempt to steal login credentials to banking systems, use my buddy’s system for future attacks or many other bad things. Most likely this is not the case as research shows these attacks are usually trying to grab money and move on.

Here is an example covering this attack: Example

There are other possible negative outcomes that could happen if somebody installed the suggested software. The point of this is in the past, the fear of malicious calling campaigns could mean low concern attacks such as charging for unwanted long distance services. Today, phishing has moved to all areas of our life including outside of our computers and believing somebody on the phone could mean losing everything on your digital assets or worse … associated assets such as your company’s datacenter.


How did these attackers get my buddy’s number? Most likely they used random dialing or stole phone lists from his phone provider. Many people post personal phone numbers on social media sources such as Linked In so its possible those sources were mined for such data. Unfortunately there isn’t a defense to stop this attack from being attempted unless you are the few people who have a automated filtering system attached to their home phone like my buddy that sells collaboration products (see the post HERE). For the rest of us, the best defense is education and willing to question who is on the other end of the phone when receiving strange calls.

Today I received a poster from SANs that provides an overview of this attack. Props to SANs for educating on this.


What are other forms of this attack? What would happen if somebody mailed a postcard asking them to go to a link and claim a free Starbucks card? How many times do delivery people get past physical security just because they look like they belong there? How many people have received calls like the one my buddy received and are tricked into installing ransomware?

The FACT is its happening and its working or they wouldn’t be doing it.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.