How a vishing attack spoofed Microsoft to try to gain remote access – TechRepublic

A voice phishing campaign spotted by Armorblox tried to convince people to give the attackers access to their computer.


A standard phishing attack typically involves sending people an email or text message spoofing a known company, brand or product in an attempt to install malware or steal sensitive information. But a variation called vishing (voice phishing) adds another element, in which the cybercriminals speak with their victims directly by phone or leave fraudulent voice messages. A blog post published Thursday by security firm Armorblox describes a scam in which attackers tried to impersonate Microsoft Defender to coax potential victims to grant them remote access.


This particular campaign started with phony order receipts for a Microsoft Defender subscription sent via two different emails. Each of the two messages included a phone number to call for any issues related to order returns. Calling one of the numbers triggered the vishing attack in which the criminal instructed the victim to install a program to give them remote access to the person’s computer.

Sent from a Gmail account, the initial emails used a sender name of “Microsoft Online Store” and a subject line of “Order Confirmation No” followed by a long invoice number. The emails borrowed the look and layout of actual emails from Microsoft and even included information on a subscription for Microsoft Defender Advanced Protection that supposedly was ordered by the recipient.

The emails asked the person to contact customer care representatives for more information about the order and listed toll-free numbers to call. Since the order was fake, anyone receiving a message like this would naturally be concerned about getting charged for an item they never purchased.

Researchers from Armorblox called both numbers listed in the two emails. One number just rang with no one ever picking up. But the other number was answered by a real person who called himself Sam. Requesting the invoice number listed in the email, “Sam” said that the only way to get a refund was by filling out an information form. To assist the user in this process, Sam suggested installing AnyDesk, a program that provides access to remote PCs.

After the Armorblox folks asked one too many questions, Sam seemed to get suspicious and ended the call. But the intent was clear. The attackers wanted to get victims to install AnyDesk, through which they could then remotely access the person’s PC through Microsoft’s Remote Desktop Protocol. The goal may have been to install malware or ransomware, steal login credentials or grab confidential information.

An attack like this uses several tactics to appear convincing and bypass standard security protection. The emails tried to convey a sense of trust, as they appeared to come from Microsoft. They aimed to create a sense of urgency by claiming that the recipient ordered a subscription that they obviously didn’t order. The emails didn’t include any links or clearly malicious content that might otherwise have prevented them from getting through to someone’s inbox. Further, the emails came from a legitimate Gmail account, allowing them to pass any authentication checks.
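Because these messages carry no links or attachments and pass sender authentication, detection has to key on the combination of traits described above. The following Python sketch is an added example, not code from Armorblox or TechRepublic; the brand list, free-mail domain list, regular expressions and flagging policy are assumptions to tune, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists and patterns for illustration; tune for your own mail flow.
BRANDS = ("microsoft", "defender")
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.I)
LURE_RE = re.compile(r"\b(order|invoice|subscription|refund)\b", re.I)

# Constructed sample modelled on the traits the article describes.
SAMPLE = """\
From: Microsoft Online Store <billing.example@gmail.com>
To: user@example.org
Subject: Order Confirmation No 0000000000

Thank you for your order of Microsoft Defender Advanced Protection.
For returns, call customer care toll-free at 1-800-555-0100.
"""


def callback_phish_signals(raw: str) -> list[str]:
    """Return the callback-phishing traits present in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload() for p in parts
                   if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"

    signals = []
    # Trusted brand in the display name, but sent from a consumer mailbox.
    if any(b in name.lower() for b in BRANDS) and domain in FREEMAIL:
        signals.append("brand_display_name_on_freemail")
    if LURE_RE.search(text):
        signals.append("purchase_lure")
    if PHONE_RE.search(body):
        signals.append("callback_number")
    if not URL_RE.search(body):
        signals.append("no_links")
    return signals


def is_suspicious(raw: str) -> bool:
    # Assumed policy: brand/free-mail mismatch plus a phone number to call.
    s = callback_phish_signals(raw)
    return "brand_display_name_on_freemail" in s and "callback_number" in s
```

No single trait is conclusive on its own; the brand-name display name on a free-mail address combined with a callback number is what separates this lure from a genuine receipt.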

To help protect yourself and your organization from these types of vishing scams, Armorblox offers several helpful tips:

  1. Supplement your native email security. The initial …….

