Table of Contents
Robocalls: where is Robocop?
ESET Corporate News
The Top Ten Threats
Top Ten Threats at a Glance (graph)
About ESET
Additional Resources
Robocalls: where is Robocop?
David Harley, ESET Senior Research Fellow
This article originally appeared on WeLiveSecurity.
The robocall or automated telephone call is often a scam, and usually a nuisance. Do you have to put up with them?
Some years ago I came across the story – I can't say whether it's true – of a decommissioned server that, at the time it was powered down
for good, still had a task left unfinished after something like seven years. This was due to its being constantly deprioritized as other jobs
demanded the server's attention.
It sometimes seems to me that email is a little like that. When I left one job a few years ago, I was still clearing my email backlog weeks
after I'd officially left the organization. A few days ago, while catching up with my ESET email (now down to no unread messages, though I
don't suppose that will last) I found a message reminding me to write something about automated tech-support scam calls. Happily, this
one was only about seven months old, rather than seven years, so it isn't yet totally irrelevant: the robocall problem isn't likely to
disappear any time soon. I can't say what percentage of nuisance/scam robocalls are related to tech support scams, but most of what I'm
going to say relates to robocalls in general, not just the support scam variety.
My PC left a message
In fact, I've never received any examples of this particular brand of automated nuisance call myself, but my understanding is that they
often follow a classic pattern. It's one that will be familiar to you if you've encountered the cold call scams that we've been hearing about
for years, and the pop-up support scam messages I've discussed here several times before. They take the form of a warning that your
system is infected (and apparently has been sending out SOS messages) and an invitation to speak to a support person (in this case by
pressing a key rather than by following a URL or dialling a phone number). However, most of the stories I've heard focus on the dialogue
with the live scammer rather than on the format of the robocall, so there may well be variations of which I'm not aware.
However, robocalls are certainly very common. Aaron Foss apparently reckoned early in 2015 that 20% of all phone calls are automated
and that the volume is increasing. In July 2015 his estimate was 35%, so I guess that's a self-fulfilling prophecy. Consumer Reports told us
in 2015 that 'Every month more than 150,000 consumers complain to the Federal Trade Commission and Federal Communications
Commission.' Not all those automated calls are technically scams, however annoying you and I might find them, but many of them
certainly are.
Let me count the ways…
Among the other types of scam known to be delivered by robocalling in the UK are scams relating to mis-sold PPI (Payment Protection
Insurance), mis-sold pensions, and debt management. Last year, the FTC shut down one offender in the US. The UK's Information
Commissioner's Office recently fined lead generation company Prodial Ltd £350,000 (the largest fine it has imposed to date) for making
more than 46 million automated nuisance calls related to PPI. Since Prodial went into liquidation late in 2015, it seems unlikely that the
fine will be recovered, however. Still, it's encouraging that some agencies oriented towards consumer protection do have some impact on
offenders.
Robocalling is also commonly associated with IRS scams, home improvement scams, and home security scams, but practically any other
phone scam, such as an accident compensation scam, may also be delivered through automated calls. After all, all you need is the 'right'
message to persuade the victim to call you back.
Cheap crooks and cheap calls
Unfortunately, it's possible to make cheap and easy phone calls from anywhere using Internet technology. (So why are my phone bills so
high? I don't even have teenage children anymore.) What's more, it's all too easy to display a fake caller ID, so despite the demands from
enraged victims to step up action against the scammers, there is no way to guarantee you'll never receive another nuisance/scam call.
Don't call us, we'll call you
While subscribing to a service like the US National Do Not Call Registry (or the UK's Telephone Preference Service) does indeed reduce the
risk of nuisance calls from legitimate organizations, it has less impact on callers whose intentions are clearly not legitimate, and who are
taking pains not to be identified. In general, they simply don't care about such lists. In fact, the TPS doesn't actually apply to automated
calls, although – according to EC legislation – you shouldn't receive such calls unless you've already given permission. But it's obvious from
the size of the problem that many companies don't care about that either. With an attack surface the size of the Internet, it would be
naïve to expect problems like these to be solved by legislation alone. On the other hand, challenging suspicious callers when they ignore
such registries may help (dis-)establish their bona fides: indeed, as the FTC asserts on a page offering advice about the National Do Not
Call Registry, just the fact that you've received a call despite being registered increases the likelihood that it's a scam call.
Be aware, though, that some types of unsolicited call are permitted by these services: surveys, for example. (Which is why sales calls often
start off trying to sound as much as possible like a survey.) Other exceptions to the 'no call' rule may vary from country to country, but can
include purely informational calls, calls from charitable institutions, and so on.
Cell (and landline) block
Sometimes a phone company can block calls from known 'bad' numbers, and some models of telephone may include blocking
functionality. However, there are an awful lot of numbers that are misused for sales/spam/scam calls, and it's easy to change or spoof a
caller ID. (In this context, spoofing means making the caller ID appear to indicate a genuine and trustworthy caller.)
The sheer volume of misused phone numbers is not well addressed, in general, by providers of telephony service and hardware. That, in
part, accounts for the disgruntled tone of some debates on consumer protection sites and forums. Once the scamming community has
your phone number, you may receive calls from lots of numbers, but the average service provider will offer blocking for only a few. (And a
fee is often charged for this service.)
It may be possible to block calls from withheld or international numbers, which does cut down radically on the number of spam/scam calls
received, but for some of us that would mean losing some legitimate calls, too.
For the landline user, there seems to be an increasing range of handsets and hardware devices that may help, if testing by organizations
such as Which and Consumer Reports can be trusted.
The good news is that there is a wide range of call-blocking apps available for smart phones (or blocking may be part of the service).
Unfortunately, I'm not in a position to recommend specific programs (or hardware for landlines, come to that).
In 2013 Aaron Foss and Serdar Danis were each awarded $25,000 by the FTC for 'intercepting and filtering out illegal prerecorded calls
using technology to “blacklist” robocaller phone numbers and “whitelist” numbers associated with acceptable incoming calls.' Foss's
Nomorobo service (which at the time of writing this claims to have blocked 68,848,688 robocalls) sounds quite successful for people using
VoIP carriers that support Simultaneous Ringing. However, I'm not in a position to try it out. For many of us, the options are more
restricted.
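The blocking controls described above (a 'whitelist' of acceptable numbers, a 'blacklist' of known robocaller numbers, and the blunter option of rejecting withheld or international callers) can be written down as one small screening policy. The Python below is an added example for this page, not code from the article, from ESET or from the Nomorobo service it mentions; the home country code (+44), the strings treated as a withheld caller ID, and the sample numbers (drawn from reserved test ranges) are assumptions made for illustration.

```python
"""Caller-ID screening policy: allowlist, blocklist, and optional rejection
of withheld or international callers.

Added example, not the article's or any blocking product's code. The home
country (UK, +44), the withheld-ID strings and the numbers below are
constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Caller-ID strings a carrier may present when the number is suppressed.
# Assumption: real presentation strings vary from carrier to carrier.
WITHHELD_TOKENS = {"", "withheld", "anonymous", "unavailable", "private", "unknown"}


@dataclass
class ScreeningPolicy:
    home_cc: str = "44"                        # assumed home country code
    allow: set = field(default_factory=set)    # numbers that always ring through
    block: set = field(default_factory=set)    # known nuisance/scam numbers
    reject_withheld: bool = False              # drop calls with no caller ID
    reject_international: bool = False         # drop calls from outside home_cc


def normalize(caller_id, home_cc):
    """Canonicalise a caller ID to digits with a country code, or None if withheld.

    Assumes the national trunk prefix is a single leading 0 (as in the UK).
    """
    if caller_id is None:
        return None
    s = caller_id.strip().lower()
    if s in WITHHELD_TOKENS:
        return None
    digits = re.sub(r"\D", "", s)
    if not digits:
        return None
    if s.startswith("+") or digits.startswith("00"):
        # Already in international form, with either '+' or '00' prefix.
        return digits[2:] if digits.startswith("00") else digits
    if digits.startswith("0"):
        # National format: swap the trunk prefix for the home country code.
        return home_cc + digits[1:]
    return home_cc + digits           # bare national number, no trunk prefix


def screen(caller_id, policy):
    """Return (decision, reason) for one incoming call under the policy."""
    number = normalize(caller_id, policy.home_cc)
    if number is None:
        return ("reject", "withheld") if policy.reject_withheld else ("allow", "withheld")
    if number in policy.allow:
        return ("allow", "allowlisted")     # allowlist wins over every other rule
    if number in policy.block:
        return ("reject", "blocklisted")
    if policy.reject_international and not number.startswith(policy.home_cc):
        return ("reject", "international")
    return ("allow", "unknown")             # nothing known either way: let it ring


if __name__ == "__main__":
    # Constructed policy: 020 7946 0xxx and 01632 960xxx are reserved UK
    # drama ranges; +1 202 555 01xx is a reserved US range.
    policy = ScreeningPolicy(
        home_cc="44",
        allow={"442079460000", "12025550100"},
        block={"441632960000"},
        reject_withheld=True,
        reject_international=True,
    )
    for cid in ["020 7946 0000", "01632 960000", "Withheld",
                "+1 202 555 0100", "+1 202 555 0199"]:
        print(f"{cid!r:>20} -> {screen(cid, policy)}")
```

The precedence matters: the allowlist is checked first, so a known contact abroad still rings through when international calls are otherwise rejected, which is exactly the trade-off the article raises about losing legitimate calls. Because the presented caller ID can be spoofed, a blocklist miss (or an allowlist hit) is only as trustworthy as the number the caller chose to show.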
So what can I do?
Unfortunately, Robocop isn't answering my calls.
Still, if you're not in a position to do much to reduce the number of scam robocalls you receive, you can at least follow some guidelines to
protect yourself against following up on an automated call and thereby falling for a scam.
It usually makes sense to assume the worst if someone calls you out of the blue with no real proof of his or her identity.
(Because Caller ID is so easy to spoof, it shouldn't be regarded as 'real proof'.) So it also seems like a good idea not to give away
information that might be of use to a scammer, such as sensitive financial data or personal details (let alone PINs and
passwords).
As we've pointed out on this blog time and time again, there is never a good reason to download software on the advice of a
random caller, especially in order to give that caller remote access to your computer.
Subscribing to a 'do not call' register does at least reduce the number of legitimate but unwanted calls you receive, and does
provide some sort of heuristic for gauging the probable scamminess of a call. If you do subscribe, check what calls are and are
not permitted by your service.
I've also pointed out on this blog that the circumstances in which a provider will ring you to tell you about a problem with your
computer are pretty rare. If such a circumstance does arise, it's unlikely that the provider will rely on an automated call to alert
you.
In the event of an unsolicited call that does seem to come from a legitimate source, it's still a good idea to call them back on a
number you know is genuine. Bear in mind, though, that there are known scams that fake disconnection from the original call,
so that you may not be calling back at all. This is because sometimes when you put your phone down, the line may not be
cleared immediately. Scammers taking advantage of this have even been known to play a recording of a ringing tone.
For people in the US, the FTC has a resources page that specifically deals with robocalls. The organization also suggests that you don't
interact with an 'illegal' robocall in any way: just hang up. It says:
Don’t press buttons to be taken off the call list or to talk to a live person. Doing so will probably lead to more unwanted calls. Instead,
hang up and file a complaint with the FTC.
You can also submit a complaint to the Federal Communications Commission.
The Information Commissioner's Office in the UK has information on marketing calls, including automated calls, here, with links to other
relevant pages.
ESET Corporate News
ESET Launches New Version of Secure Authentication Solution
ESET announced the release of ESET Secure Authentication 2.4®, a mobile-based two-factor authentication system that provides
additional security for accessing company networks and sensitive data, safely and without hassle.
Two-factor authentication (2FA) safeguards your company against data breaches and supports privacy compliance by adding an extra
layer of security to verification processes. Unlike standard password authentication, ESET Secure Authentication requires two elements: a
user’s password, plus a one-time password (OTP) generated on the user’s smartphone. It’s the easiest way for small to medium
businesses to reduce the risk of stolen, weak or cracked passwords.
ESET Secure Authentication 2.4® includes local login protection for Windows in a domain environment, as well as custom delivery options
and support for web/cloud services via Microsoft ADFS 3.0® integration, and can be easily deployed to supplement nearly all existing VPN
devices, adding strong authentication without any significant change to the VPN configuration. Any business running Active Directory can
protect its data in 10 minutes with ESET Secure Authentication's simple double-click installer.
ESET Receives VB100 Award for ESET Endpoint Antivirus
Virus Bulletin, a respected testing authority for security solutions, published its latest 'VB100 Comparative Review on Windows Server
2008 R2' report. ESET submitted ESET Endpoint Antivirus to the test and once again passed with excellent results, receiving its
73rd consecutive VB100 award. In total, ESET has received 94 VB100 awards.
“Detection was very strong, with good scores across the board,” say Virus Bulletin’s testing experts as to how ESET Endpoint Antivirus
dealt with nearly 900,000 test files.
Besides detection, the comparative review also focused on product stability and performance. According to the VB100 result, the stability of
ESET Endpoint Antivirus was impeccable, with no problems even under the heaviest of stress. The reviewers added: "Resource use was low and
our set of activities ran through in good time. Scanning speeds were good to start off with and much faster in repeat runs, and overheads
accessing files were very light".
The Top Ten Threats
1. JS/TrojanDownloader.Nemucod
Previous Ranking: 4 Percentage Detected: 9.89%
JS/TrojanDownloader.Nemucod is a Trojan that uses HTTP to try to download other malware. It contains a list of URLs and tries to
download several files from those addresses. The files are then executed.
2. Win32/Bundpil
Previous Ranking: 1 Percentage Detected: 4.66%
Win32/Bundpil is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The
files are then executed and HTTP is used for communication with the command and control server (C&C) to receive new commands. The
worm may delete files with the following file extensions:
*.exe
*.vbs
*.pif
*.cmd
*Backup
3. LNK/Agent.CR
Previous Ranking: N/A Percentage Detected: 3.40%
LNK/Agent.CR is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is
similar in its effect to the older autorun.inf type of threat.
4. LNK/Agent.AV
Previous Ranking: 3 Percentage Detected: 2.04%
LNK/Agent.AV is another link that concatenates commands to execute legitimate code while running the threat code in the background. It
is similar in its effect to the older autorun.inf type of threat.
5. HTML/ScrInject
Previous Ranking: 10 Percentage Detected: 1.91%
Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware download.
6. LNK/Agent.BZ
Previous Ranking: 2 Percentage Detected: 1.61%
LNK/Agent.BZ is another link that concatenates commands to execute legitimate code while running the threat code in the background. It
is similar in its effect to the older autorun.inf type of threat.
7. Win32/Ramnit
Previous Ranking: 7 Percentage Detected: 1.42%
This is a file infector that executes every time the system starts. It infects .dll (dynamic link library) and .exe (executable) files and searches
for htm and html files into which it can insert malicious instructions. It exploits a vulnerability (CVE-2010-2568) found on the system that
allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send information it has gathered, download files
from a remote computer and/or the Internet, and run executable files or shut down/restart the computer.
8. Win32/Sality
Previous Ranking: 5 Percentage Detected: 1.38%
Sality is a polymorphic file infector. When it is executed, registry keys related to security applications in the system are created or deleted,
and changes are made to ensure that the malicious process restarts each time the operating system is rebooted.
It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah
9. HTML/Refresh
Previous Ranking: N/A Percentage Detected: 1.38%
HTML/Refresh is a trojan that redirects the browser to a specific URL serving malicious software. The malicious program code is usually
embedded in HTML pages.
10. HTML/iFrame
Previous Ranking: 6 Percentage Detected: 1.24%
HTML/IFrame is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL
location serving malicious software.
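The three HTML entries in this list (HTML/ScrInject at 5, HTML/Refresh at 9 and HTML/IFrame at 10) describe one family of behaviour: a page that silently sends the browser to a URL serving malware, by way of a hidden IFRAME, a META refresh, or an obfuscated script. The Python scanner below is an added example of the kind of triage heuristic a defender might run over saved pages to surface those three patterns; it is not ESET's detection logic, and the sample page (using the reserved `.invalid` domain), the hidden-iframe rules and the obfuscation thresholds are assumptions made for illustration.

```python
"""Heuristic triage of saved HTML for three redirect patterns: hidden IFRAME
tags, META refresh to another host, and obfuscated inline scripts.

Added example, not ESET's detection logic. The sample page, the hidden-iframe
rules and the obfuscation thresholds are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Decode-and-execute primitives typical of scripts that hide their payload.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "String.fromCharCode", "document.write(")
# %XX, \xXX and \uXXXX escapes: a large count means the payload is not plain text.
ESCAPED_SEQ = re.compile(r"(%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4})")


def _hidden(attrs):
    """True when an iframe is sized or styled so the user cannot see it (assumed rules)."""
    for key in ("width", "height"):
        v = attrs.get(key)
        if v is not None and re.sub(r"\D", "", v) in ("", "0", "1"):
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or re.search(r"(left|top):-\d", style) is not None)


class RedirectScanner(HTMLParser):
    """Collects (label, reason, detail) findings while parsing one page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "iframe":
            src = a.get("src") or ""
            if src and _hidden(a):
                self.findings.append(("HTML/IFrame", "hidden iframe", src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                target = m.group(1).strip()
                host = urlparse(target).hostname
                if host and host.lower() != self.page_host:
                    self.findings.append(("HTML/Refresh", "meta refresh to external host", target))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script_buf))

    def _check_script(self, body):
        markers = [m for m in OBFUSCATION_MARKERS if m in body]
        escaped = len(ESCAPED_SEQ.findall(body))
        # Flag only when decode/execute primitives coincide with a large
        # volume of escaped characters (thresholds are assumptions).
        if len(markers) >= 2 and escaped >= 20:
            self.findings.append(("HTML/ScrInject", "obfuscated inline script", ",".join(markers)))


def scan(html, page_host):
    """Return the list of findings for a page served from page_host."""
    parser = RedirectScanner(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one benign embed and script, plus one of each pattern.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://malware-download.invalid/go.php">
</head><body>
<iframe src="https://video.example.com/embed/123" width="560" height="315"></iframe>
<iframe src="http://malware-download.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>var greeting = "hello"; document.getElementById("x").textContent = greeting;</script>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%22%29"));</script>
</body></html>"""

if __name__ == "__main__":
    for label, reason, detail in scan(SAMPLE_PAGE, "www.example.com"):
        print(f"{label:16} {reason:32} {detail}")
```

A scanner like this is a triage aid, not a verdict: a legitimate page can carry a zero-size iframe or a minified script, so each finding is a reason to look at the target URL and the decoded script, not proof of compromise on its own.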
Top Ten Threats at a Glance (graph)
Analysis of ESET LiveGrid®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this
month, with 9.89% of the total, was scored by JS/TrojanDownloader.Nemucod.
About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company has continued to lead the industry in proactive threat detection. By obtaining its 91st VB100 award in April 2015, ESET NOD32 technology holds the record number of Virus Bulletin "VB100" Awards, and has never missed a single "In-the-Wild" worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organizations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.
The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in the United Kingdom, Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries.
More information is available via About ESET and Press Center.
Additional Resources
Keeping your knowledge up to date is as important as keeping your AV updated. For these and other suggested resources, please visit:
VirusRadar
ESET White Papers
ESET Conference Papers
WeLiveSecurity
ESET Podcasts
ESET Videos
Case Studies