Every once in a while–daily ever since What the Hack went live–I do this thing, something I definitely do not recommend you try at home: I respond to scammers and hackers when they reach out to me with this or that social engineering exploit.
Social engineering may be a new term for you. It’s a little Orwellian. Basically, it’s tricking someone into doing something–in this case online. It’s among the most common ways hackers infiltrate their targets, be it my bank account or the Pentagon. You’ve seen the emails and messages. “I can’t believe this video of you.” “Are you making this purchase at Wal-Mart?” “Why did you send me this link?”
This week, I got phished (an email attack), smished (the same thing via text message) and quasi-vished (when the scammer calls you claiming to represent a company or organization).
Here’s what happened: One of those dumb phishing emails telling me that I’d successfully renewed a subscription to Norton 360 for $395 found its way into my inbox. I don’t use Norton, and haven’t since 1999, so I knew it was a phishing email.
Even if I had a subscription, I would have paused. The email laid out in rich text format rather than HTML. (Don’t sweat it if you don’t know what this means, your eyes can tell the difference. RTF looks like a formatted email and HTML looks like a web page.)
I called the number on the email using a service that allows me to record phone conversations. The service announces that the call is being recorded. It’s not hard to miss, but in this case the phisher was in a loud call center and didn’t hear it. He asked how he could help me. I told him I was billed for a subscription that I didn’t purchase. I did not say what the subscription was. He asked for the order number, and then said, “One moment please” before I could reply.
When he came back he said, “Sir, I see that you’ve renewed your subscription to Norton 360. If you do not want the service, I can refund you, but I will need you to log onto support.me first. “
Support.me is a site where you go when a tech needs remote access to your computer. Scammers use it to take over target computers, steal login credentials, and plant spyware. I asked why he needed access to my computer. “To remove the software,” he said.
This is when I told him I was recording the call, and might use it in a podcast about cybersecurity. He hung up immediately. I thought that was that, but he called a little while later (the quasi-vishing I mentioned). The number was spoofed–an Indiana exchange. “Who is this?” he said to me when I picked up. I replied with my own question, “Who is this?” He said, “You called me.” I said, “No, sir. I answered. You were already there.” He hung up on me.
Then I got smished (phishing via SMS). The text was a transaction alert for a $25 purchase at Amazon. He wasn’t even trying.
“Hilarious,” I wrote back.
Next, I got a WhatApp message: “This is Sally. I wanted to get in touch with you now that I can.”
“Do we know each other?” I replied. “Yes,” Sally replied, “Here’s what I look like.” There was a fuzzy image with an arrow indicating that I should click if I wanted to see it more clearly–clearly malware. I deleted the message.
It’s impossible to respond correctly to this nonsense 24/7, and mistakes happen.
One thing you can do to lessen your exposure: Turn your smartphone off and then turn it back on. True story. Doing this makes the hackers job harder because it interrupts their work–a very complicated story, but there are digital exploits that deliver something called “in memory payloads” that rely on you not turning off your phone. If you do, it’s wiped out. So do it. The NSA even recommends this simple deterrent.
Another thing you can do is subscribe to anti-virus software, and be vigilant. Oh, and listen to this week’s episode of What the Hack with Adam Levin, “Sally Gets Taken for a Ride” which is all about getting got by remote.