Advisory 8

TLP Rating: White

Phone Call Attack and Scams

CERT Vanuatu and the Office of the Chief Information Officer (OGCIO) provides the following advisory.

CERT Vanuatu (CERT VU) office has received reports regarding the above mentioned attacks on its constituents, and specifically those involved in the Recognised Seasonal Employer (RSE) scheme with Australia and New Zealand.

Hence, CERTVU is putting out this advisory and awareness for all our constituents, particularly those involved and need to be aware of the “Phone Call / Scamming attack”.

 

What is it?

When we think of Cybercriminals, Cybercrime or Cyber-attacks, we often associate them with the idea of some evil person sitting behind a computer with a hoody or a mask with computers or a laptop, and writing up some fancy programing codes to launch sophisticated attacks at an organisation or a person over the internet. While most cybercriminals use technologies such as emails, instant messaging apps, to launch an attack. Most of them are using phone call as a tactic to entice their victims and attack them [1].

Why execute a Phone Call Attack?

There are two main advantages on launching a phone call attack. Firstly, there are very few monitoring technologies that can monitor such calls and stop the attack. Secondly, the attacker has the advantage of expressing himself/herself emotionally to the victims, to be able to trick them.

 

How does the Phone-call Attack work?

Let us look at how to spot those attacks and stop them, but firstly we all must understand the purpose of attack. Why are you being the attack target? Off course, it is a common knowledge to say that the attacker wants your money; your Personal Identifiable Information (PII); or to gain access to your computer or system (or all three). Attackers do this by tricking and luring you into how and what they want, thus creating situations where it requires your urgent attention so you can make mistake by responding to their demands. Below are common scenarios encountered [1], [2]: 

a) The caller calls your phone with an unknown pretends claiming to work for a big mobile company such as Samsung or Apple in Australia, New Zealand or some technology shops in Australia or New Zealand. The caller usually lures you into believing thus, stating you have just won a price or an award from the company. However, you are required to send in your personal details and the so amount of dollars before you can receive your price or award. He/she then pressures you with a given specific timeline as to when the required fund transaction must be made either through a bank transfer or through a money transfer agent. Failure to do so will result in your price be forfeited. Upon successfully scamming you through receiving the funds from you, the caller vanishes and does not reply or return your calls. Hence it is a phone call/scamming attack.

b) The caller calls your phone, pretending to work for Microsoft or a computer company/shop explaining your computer is infected and it needs urgent attention. Once they convince you that your computer is infected. They will pressure you to buy their software, or giving them remote access to your computer. Understand that Computer repair shops or company like Microsoft will not call your phone or home.

c) The last scenario involves, you receiving auto-messages from your local bank, saying your account has been cancel and you need to call a number to reactivate it. When you call, you get to an automated system, which ask and require all sorts of personal questions. This is definitely not your bank; the attacker is collecting all your personal information for identity fraud. This type of attack is known as “Social Engineering” and it often associates with phone call and scamming attacks. Be careful and always hang up if you suspect it is a phone call and scam attack.

Does It Affect Mobile Phone Users?

1. Users reveal their Personal Identifiable Information (PII) to scammers and hackers.
2. Users are scammed and lose large amount of money.
3. Users reveal their login credentials and data to scammers and hackers.

Mitigation Process

1. Do not answer calls from numbers you do not recognize. It can help protect you from other scams, such as spoofing and social engineering attacks.
2. If you see a missed call on your mobile from an unknown number, resist the urge to call back. Restrain your curiosity to better protect yourself from scams.
3. If you do return a missed call, watch for a “+” to appear ahead of the area code. The plus sign signals an international call being placed – which means international calling rates. If that is the case, hang up immediately.
4. If you believe a phone call is an attack, simply hang up. If you want to confirm if the phone call was legitimate, go to the organization’s website (such as your bank) and get the customer support number, call and verify the number to see if such calls are legitimate.
5. Never allow a caller to take temporary control of your computer or trick you into downloading software. This is how attackers can infect your computer.
6. If a phone call is coming from someone you do not personally know, let the call go directly to voicemail. This way, you can review unknown calls on your own time.
Finally, Scams and attacks over the phone are on the rise. You are the best defence at detecting and stopping them [3], [4].

How do I Stay Safe?

Here are the general minimal tips and advice from CERT Vanuatu as precaution steps:

  1. Apply all necessary appropriate Windows security patches as outlined in this advisory document and stay up to date with the latest system versions.
  2. Report the incident to CERT Vanuatu on This email address is being protected from spambots. You need JavaScript enabled to view it.
  3. Share the advisory and precaution steps among users in your organization and communities for awareness purposes.
  4. For more information and safety and awareness tips [5], see http://cert.gov.vu/index.php/services/online-advisories-alerts

References

1. https://www.sans.org/security-awareness-training/resources/phone-call-attacks-scams
2. https://www.moneywise.co.uk/news/2017-07-05/scams-awareness-month-one-third-caught-out-unsolicited-phone-call-fraud
3. https://about.att.com/pages/cyberaware/ar/wangiri
4. http://scamawareness.org/