Last week, I had the chance to fly to Redmond to meet my new teammates on the Protection team in Microsoft Defender. I also had the chance to catch up with a few old friends from the Edge team, one of whom I met for coffee on Friday morning.
As we sat down with our coffee, she received a text from the CEO of the small startup where she now works, requesting that she go to a Target or Apple Store to grab some gift cards for a partner they were working with. While she’s got a job in senior management, at startups everyone pitches in to help out with any task.
“I don’t have time for this right now…” she mused, and I, smug security smarty-pants that I am, was pleased to add, “Well, that, and it’s a scam.”
I immediately recognized the true nature of the situation for two reasons: first, because it wasn’t my CEO with a time-sensitive request, and second, because another friend had been targeted by exactly the same scam. She’d received an SMS text message “signed” by her CEO, asking that she go buy some Google Play gift cards and respond with the codes:
Mark’s organization was large enough that the request was more obviously unnatural, and she’s always on guard for scammers, having grown up in a variety of scam-rich environments.
The attacker in this case only needs a few things: the name of a senior leader with budget approval, the names of target employees, their phone numbers, and a throwaway account from which to send the lure. Sometimes this recon information is sourced from data breaches, and sometimes it can be determined from employment sites and other public sources.
The attacker can blast out text messages to dozens or hundreds of potential victims at once. While any given attack is only likely to yield hundreds of dollars, it’s a low-investment attack for the bad guys. Like similar attacks via our phones, these attacks evade URL reputation security scanners. Better still, attackers don’t have to find a way to convert credentials into money — they get the gift card codes which they can immediately convert into either merchandise or sell to unsuspecting buyers.
Why bother with an attack like this?
Because the scam works, even against very smart people — it’s not a question of intelligence. Attackers follow the well-trod social engineering path:
- create a sense of urgency,
- abuse our desire to be useful to our bosses,
- subvert the trust we’ve built with our colleagues, and
- exploit our limited ability to authenticate the source of our communications.
Stay safe out there!
-Eric
Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now a GPM for Microsoft Defender. My words are my own, I do not speak for any other entity.