Online scammers are getting smarter these days.  With the advent of the internet, scammers and crooks can infiltrate your private life without you even knowing.

Only a number of years ago, the most elaborate scams were Ponzi schemes and pyramid schemes, only advertised in the back of ropey magazines or spread by word of mouth.

These days, a pyramid scheme might still exist, but as the years have gone by, more and more people are becoming wise to it.
The same cannot be said about scams over the internet, and people are still getting caught out.

The most common type of scam is fraudsters calling, claiming to be from your internet supplier or Microsoft, and saying there is an issue with your computer that you need to let them fix.

In a previous post, we talked about how to spot a scam email.  But how do you spot a scam call?
The rule of thumb is: unless you’re expecting the call, don’t play along.  Simply answering the phone and saying ‘hello’ puts your number on a green list – meaning the scammers know that the randomly generated number from an area code is legit and they will continue to call, or worse, sell it on to another scammer.

If the call is legit, the company will either call again later, or leave a message on an answering machine.
If the number is ‘unavailable’, ‘no caller ID’, or ‘International’, play it by ear.

One trick I would like to share is to look for the similarities between these cold calls and unsolicited emails:

  • The person won’t know your name initially – ask them what your name is. If they’re legitimate, they’ll know.  Otherwise, they’ll get defensive or hang up.
  • They won’t know any other personal details – do not hand this information out lightly either. Simply ask for any other identifying information on you.
  • They won’t know what computer you’ve got, or if you’ve even got one – simply say ‘I don’t have a computer’ or ‘I don’t use Windows’.  A majority of scammers only know how to lock Windows PCs.
  • Simply tell them the computer is still under warranty and you’ll take it back.

Under no circumstances entertain a suspicious call.
If in doubt, call them out.
Say you’ll call back on a reputable number from the supposed company’s website.

But we’re not here to talk about what is currently going on.  We’re here to look at something a bit darker, and something that could well happen.

Vampire Attacks:
In mythology, a vampire needs to be invited into your home, whether intentionally or not.
Much like vampires, the scammers need to be invited into your home.
A majority of the time they will ask you to download software called ‘TeamViewer’.
This software is mostly used for group working and one-to-one screensharing.

At Create Labs, we use it ourselves to give one-to-one training or give presentations.

But scammers can also use it to access the files deep in your Windows PC (or Mac) and install malicious code that locks your computer.

But referring to the above tips, these scammers won’t know any personal details about you if you’re randomly targeted.
But supposing these scammers get smarter and start to adapt their methods?

*Disclaimer:  The following is for educational and informational purposes only.  Create Labs is not liable for any person who attempts the following thought experiment.
If you do not agree with this, please stop reading now.

In most modern fraudulent crimes, the victim knows the suspect.  The suspect carries out the fraud because they have the victim’s trust or the victim does not have the capability to understand what is happening.

Take this principle and look at it from a different angle – how would a scammer get your trust?
That would take a long time, to and fro between themselves and yourself.  This opens up so many avenues for the fraudster to be caught by tracing IPs or their personal information.
So how would a fraudster gain ‘trust’?

Well, they may not need to.
Using the principles of cold calling and phishing emails, it is possible for scammers to combine the two and create a new type of attack – what we are coining Vampire Attacks.

It’s completely possible to spoof an email address to look like an email has come from Company X, instructing the user to log in to their account.
This tried and tested method is used daily by scammers, and consumers are getting wise to it.

In this thought experiment, consider a scammer sending a spoofed email that links to a spoofed website, not for your login, but for a feedback form, for example.
By doing this, they are requesting your name, email address, postal address, birthday, and a whole trove of other personal information.

For example, say the feedback form gives the incentive of a 20% discount code on your next purchase, to be sent 3-5 business days after the form has been completed (but which will never appear). You’re taken in by this: money off for giving your feedback.

At this point, the scammer knows your personal information:

  • Name
  • Date of Birth
  • Location
  • IP address of device
  • Postal address
  • Telephone number
  • Devices in the household
  • What operating system you’re running

And any other information they want.

By saving the feedback form information to a database, the fraudster now has your personal information, and can target you directly via telephone.
This is the door knock for the vampire.

After a week or two, the fraudster could call you directly, using your first or last name, saying “There is an issue with your AJAX Internet Provider and we need to install some updates to Windows 7.”

Why would you question this?  You get your internet from AJAX Internet Provider and run Windows 7, and they called you by your full name, from an 0208 London number.

0208 numbers, among others, can also be spoofed using VoIP [Voice over Internet Protocol].

“Ok, what do you need to do?” you say back.
“Open Internet Explorer [the internet browser you used to access the online form] and go to ~URL~”

By accessing the link and downloading the software, you’ve opened the door to the Vampire.

“Open the software and enter the following code to let me access your PC” – this is another way of saying “let me in.”
By accepting the code and allowing the scammer access, you’ve willingly given them full control of your computer to install and run whatever software they want.
This could be anything from spyware to carry out further scams, to a hidden server that uses your PC as a network route for Distributed Denial of Service (DDoS) attacks, to software that locks all your files so they can sell you the decryption key.

This looks like a standard cold call to say ‘there’s an issue with your computer’, which most people would pick up on.
But would you know to put two and two together and realise that a seemingly meaningless feedback form you received a week ago would actually help a scammer access your computer with little to no objection?