A person who uses social engineering to impersonate a tech support worker can have devastating effects on a network. This is an effective attack vector because it can give an attacker physical access to network computers, and it only takes a matter of seconds to compromise a computer once physical access is obtained. One of the best technological tools at the disposal of an attacker posing as a technical support person is a USB thumb drive. These are small, easy to conceal, and can be loaded with different payloads depending on what task needs to be done.
The first way an attacker can carry out this attack is to try different phone numbers for a business. Once someone answers, the attacker can pretend to be from technical support, returning a phone call. The attacker walks the person through fixing their "problem" and, in doing so, has them download and run a file on their computer. The file could be a virus supplied by the attacker that gives them backdoor access to the computer. Once the software is on the computer, the attacker can gain access to it whenever they want. This is called the quid pro quo approach.
Gaining physical access to a computer through tech support is the best-case scenario for an attacker, since it puts them right at the computer. This is a perfect opportunity to download an "anti-virus" program or some sort of scanner to "clean" the computer. Once the "helping" file is installed, the attacker has an opportunity to infect the computer, and from there to gain further access to the computer or the network. USB devices are small and easy to conceal. They can also hold large amounts of data, and it is easy to hide malicious code on one. Continue reading to see some of the USB tools available to a social engineer.
Impersonate Technical Support via E-mail
E-mail is another way to use social engineering to gain access to someone's computer. In 2004, students and staff of the University of California received spoofed e-mails claiming to come from the technical support team, saying that their computers were infected with a virus. Once opened, the attachment would infect the computer with a variant of the MyDoom virus.
There have also been attempts to steal account information by impersonating a Google employee. One of the more recent attempts is a phishing e-mail designed to make a user hand over their username and password. The sender claims to be from the Gmail Technical Support Team and says that unless you reply to the e-mail with your login credentials, your account will be suspended and deleted.
Windows XP Service Provider
Another scam which impersonated tech support was a fake call from Microsoft. In the first example, the call would come in and report that the person's computer is infected with a virus. In order to fix it, the person would have to download a piece of software, which actually was a virus. The callers charge the person for the "service" and then direct them to a webpage to download a program the callers can use to remotely connect to the computer. Once it is downloaded, they "fix" the problem and infect the computer even further. After the call has ended, the software is still on the computer, so the attacker has access to it at any time.
Another scam by the same group is to call up the person and tell them that their copy of Windows is illegal. Since many tech shops will do this, it may sound convincing. The attackers say that the person needs to pay for the copy, or else they will be reported to the police.
USB Switchblade
The purpose of the USB Switchblade "is to silently recover information from a target Windows 2000 or higher computer, including password hashes, LSA secrets, IP information." With this information, an attacker can obtain the local administrator password and use it to access any of the computers that share the same password.
Linux Live USB
Another way to use a USB device for social engineering is to use a Linux live drive. By making the USB drive bootable, a person can boot the computer into their favorite flavor of Linux. This completely bypasses the security mechanisms of the installed operating system and gives the "technician" full read/write access to the drive.
“Free” USB Drive
In an attack in 2006, a company performing a security audit for a credit union used USB drives loaded with a trojan to gain passwords and login information for the machines. They took the drives and left them in different locations around the business. The employees found the drives and began to use them. This same tactic can be used by someone using impersonation, and it only takes seconds to compromise the computer.
One of the best ways to protect against phone attacks is to know who you are speaking with. If the caller claims to be calling on behalf of a company, ask for more information in order to validate that they are who they say they are. If they cannot give you any of that information, it is someone trying to infect you.
One way to protect yourself against someone impersonating tech support to gain physical access to your computer is to know who your tech support person is. Unless someone new has been hired, you should have the same technician working on your computer. If you don't know who they are, question them and make sure they are an employee.
The best way to protect against these types of scams is to not open anything that seems suspicious to you. Technical support will NEVER ask for your username and password, since they can access this information themselves if they need to (which they shouldn't need to).
USB and Local Attacks
There are a few ways to keep from falling victim to USB and local attacks. First off, as stated previously, know who your technical support person is. If you use someone different, ask friends and family if they know the technician, and find out whether they are really doing the job that they say they are.
For USB attacks, one of the easiest defenses is to disable autorun. Autorun.inf is a file placed on USB devices and CDs that causes a program to run automatically when the media is inserted. In Windows XP SP3, this is disabled by default. It is possible to bypass, so make sure that the drive the technician is using is a clean drive. Hold Shift while inserting a possibly infected drive or CD to keep the malicious code from running.
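As an added example (not part of the original article), the following Python script shows two checks a defender can make: decoding the Windows NoDriveTypeAutoRun policy bitmask (the registry value under Policies\Explorer that controls which drive types still get AutoRun) to see whether removable drives are covered, and inspecting an autorun.inf for directives that would launch a program on insertion. The autorun.inf sample is constructed for illustration.

```python
"""Check USB AutoRun exposure: decode the NoDriveTypeAutoRun policy bitmask and
flag autorun.inf directives that would launch a program on insertion."""
import re

# Bits of HKLM\...\Policies\Explorer\NoDriveTypeAutoRun. A set bit disables
# AutoRun for that drive type; 0xFF disables it everywhere, 0x91 is the old
# Windows XP default (which still allowed removable drives and CD-ROMs).
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
    0x10: "remote", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved",
}
# autorun.inf keys that cause code execution (icon/label/action are cosmetic)
EXEC_KEYS = ("open", "shellexecute")


def autorun_still_enabled(policy_value):
    """Return the drive types for which AutoRun is still allowed by the policy."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not policy_value & bit]


def parse_autorun_inf(text):
    """Parse the [autorun] section of an autorun.inf into a lowercase key -> value dict."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def exec_directives(text):
    """Return the autorun.inf directives that would run a program on insertion:
    open=, shellexecute=, and any shell\\<verb>\\command= entry."""
    entries = parse_autorun_inf(text)
    return {k: v for k, v in entries.items()
            if k in EXEC_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", k)}


# Constructed sample of an autorun.inf in the style a dropped drive might carry
SAMPLE_INF = """[autorun]
open=setup\\update.exe
icon=setup\\update.exe,0
label=Free USB Drive
shell\\open\\command=setup\\update.exe
shell\\open=&Open
"""

if __name__ == "__main__":
    print("AutoRun still allowed for:", autorun_still_enabled(0x91))
    print("Executable directives:", exec_directives(SAMPLE_INF))
```

A policy value of 0xFF leaves the list from autorun_still_enabled empty, which is the setting to aim for on machines that technicians plug drives into.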