Aberdeenshire Phone Scam Alert

May 15th, 2018

General


Scam phone calls are on the rise in Aberdeenshire. If you receive a call claiming to be from your ‘IT Support’ or from a Microsoft employee, think twice before you hand over access to your PC, company data or any personal information.

Fraudsters are calling individuals and businesses throughout Aberdeenshire offering help with computer problems under the guise of a trusted or recognised supplier. Once trust is gained, the fraudster can encrypt your PC, demand payment to restore access, or use your PC for further criminal activity.

There is often little you can do once you have handed over access to your PC, so it is critical to raise awareness within your organisation so that your employees catch these fraudsters before they catch your data.

Here is a recent example of such an attempt. Please feel free to use it for educational purposes to increase awareness among your company’s users, and contact us for further information on our Cyber Security Awareness Sessions.

The targeted company runs a storehouse in Aberdeenshire. The fraudster called during quiet hours on a Saturday afternoon, and one of the employees (an inexperienced user who had recently joined the company) answered the call:

Phone Scam Transcript

Fraudster:  Hello, this is Marcus, I’m calling from your IT. We have an indication that your computer has got registry problems. We have to have a look at it before it gets worse and we lose the data.

The fraudster is very convincing, wastes no time and puts pressure on the user.

User: Uh, ok?

Fraudster: Can you see the search field or icon on your taskbar? It should be at the bottom left, beside the Windows icon.

User: Yes

Fraudster: Could you click on it and type “E”, then “V”, then “E” again? It should find Event Viewer. Click on it.

Event Viewer is the Windows tool for viewing the system logs: events are stored chronologically and organised into categories, and alongside informational entries there are always warnings and errors, even on a healthy PC. The fraudster uses this to their advantage and gains your trust by pointing out these warnings and errors. The user assumes there is something wrong with their PC and grants the fraudster access to “help”.

Fraudster: Click on the categories in the left pane. Can you see any errors?

User: Yes, this one has got about 491 errors.

Fraudster: That’s what we thought. I’ll have to connect remotely and fix the registry before it gets screwed up completely.

User: OK

Fraudster: Open your web browser and go to this website.

The screenshot below shows an example of such a website, where fraudsters display recognised and trusted brands to gain the user’s trust through familiarity. The site may also contain links to several remote access tools regularly used by IT departments, again reinforcing familiarity.


Fraudster: Click on Supremo and select run.

At this point the attacker can see what is on your screen and control your mouse and keyboard.

Fraudster: Perfect. I’ll fix the registry now.

The Windows registry serves as the repository for most Windows settings, so with full access to the registry an attacker can do considerable damage. A common technique is to install malware so that it runs automatically on the PC’s next start-up.

The fraudster starts the Regedit tool (Registry Editor), but because the user doesn’t have admin rights Windows displays a pop-up window asking for an administrator’s username and password.

Fraudster: Do you know the admin password?

User: No

Fraudster: Is there someone there who knows the password?

At this point the user starts to suspect there might be something wrong.

User: My supervisor knows the password. He’ll be here after 4pm, you can call then.

Fraudster: I’ll call later on then. We need to urgently sort this. Bye.

The fraudster called again after 4pm. The supervisor realised this was most likely a scam.

Supervisor: Where are you calling from again?

Fraudster: PC World Business IT Support.

Again, the attacker uses a well-known brand to gain trust. Unfortunately for them, it does not work this time, because the supervisor knows that Solab is their IT support.

The supervisor hangs up and contacts Solab immediately. Solab disconnects the PC from the network and switches it off. Fortunately, this time we could stop the fraudster from causing serious damage because the user they targeted did not have admin rights. However, the repercussions could have been huge.
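As an added example (not part of the original article and not Solab’s own tooling), here is a PowerShell triage script the support team could run on the disconnected PC after a call like this. It counts the Error events the pretext relies on, looks for the remote access tool still running (the process names are assumed from the tool named in the transcript), and lists the registry autorun entries the article describes as a common persistence technique.

```powershell
# Post-incident triage for a PC exposed to a "fake IT support" call.
# Run from an elevated PowerShell prompt on the affected machine after it has been
# taken off the network. Process names are an assumption based on the tool named
# in the transcript (Supremo); extend the list for tools seen in your environment.

# 1. The pretext: count Error-level events (Level 2) from the last N days.
#    Healthy Windows machines routinely log hundreds of these, so a large number
#    is not evidence of a fault, let alone of "registry problems".
function Get-RecentErrorSummary {
    param([int]$Days = 30)
    $filter = @{ LogName = 'System', 'Application'; Level = 2; StartTime = (Get-Date).AddDays(-$Days) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        TotalErrors = $events.Count
        TopSources  = $events | Group-Object ProviderName | Sort-Object Count -Descending |
                      Select-Object -First 5 Name, Count
    }
}

# 2. Is the remote access tool still running? Assumed names, not a complete list.
function Find-RemoteAccessProcess {
    param([string[]]$Names = @('Supremo', 'SupremoService'))
    Get-Process | Where-Object { $Names -contains $_.ProcessName } |
        Select-Object Id, ProcessName, Path, StartTime
}

# 3. Autorun entries: the start-up persistence the article warns about.
#    The HKCU keys are writable by a standard user, so check both hives even when
#    the caller was denied admin rights.
function Get-AutorunEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

Get-RecentErrorSummary | Format-List
Find-RemoteAccessProcess | Format-Table -AutoSize
Get-AutorunEntries | Format-Table -AutoSize
```

Compare the autorun list against a known-good baseline from a machine with the same build; any entry that appeared around the time of the call deserves a closer look.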



So what should companies do to protect against phone scams?

As you can see, it is a well-engineered and thought-out scam. As a minimum precaution to avoid similar scenarios, your users should:

  1. Always know who their IT support company is (e.g. Solab, based in Aberdeen).
  2. Never disclose their password to anyone.
  3. If in any doubt, ask a supervisor, manager or internal IT representative.

What else can be done?

  • Arrange a Solab Cyber Security Training Course for your employees.
  • Raise awareness within your Finance Department and among any members of staff likely to be targeted by malicious and fraudulent scams.
