Phishing calls to Symantec Customers

Created: 08 Jun 2011 | 8 comments

This is an email I sent to a couple of people listed under the Symantec Media contacts, as there is no general Corporate contact information anywhere on the website (obviously by design). I am putting this up both as a warning to other Symantec customers and also as I doubt it has reached the appropriate department in Symantec in email form.

 

I’m receiving calls from a woman with a British accent, and a blocked phone number, claiming to be from Symantec. She knows I am a current customer, and proceeds to ask me questions regarding our current IT infrastructure. I’m going to assume this person does not work for Symantec, and the fact that they apparently have a list of your customers and are trying to get information on their current IT infrastructure should be of some concern as their intentions are unknown.

Thomas K's picture

It is very possible this caller just guessed that you were running Symantec products. Another way a malicious outsider may know of your security vendor might be from social networking. Someone in your organization may have shared information on a social site such as Facebook, Twitter, etc.

This type of targeted attack seems to be on the rise these days. It is good that you caught on to this scammer. As a rule of thumb, I never share information without verifying the caller's phone number first. You might state something like "This call is being recorded with our new Caller ID tracking software". Bluffing might make this caller drop off real fast, hopefully never to call back.

Here is a good article written by Sarah Granger talking about the subject.

https://www-secure.symantec.com/connect/articles/s...

 

Cheers,

Thomas

Grand's picture

I'd agree, but it doesn't work in my case. Nobody in my organization locally knows anything about IT - nothing. A few of them may have heard of Symantec, but that's it. This woman who called me knew I owned Backup Exec and the specific version I use. Nobody besides myself and Symantec has those details. It could be that she has the same line for everybody she calls, playing the odds, but she sure sounded confident in what she was stating.

I've let this be known, and that was all I wanted to do. They didn't get anything out of me, and Symantec can try to bury this under the rug as something that couldn't possibly happen, that's on you. But we all know this information is often stolen from companies via breaches or more commonly employees looking to make an extra buck. Whether this fact gathering mission was for marketing purposes or something more sinister, we may never know, but Symantec customers should be aware of this.

Thomas K's picture

Grand,

Thanks for taking the time to warn other users about these scammers. One question I have is, did you purchase our product from a Symantec reseller or directly from Symantec?

I do know that it is possible to see what applications and versions are running from an infected system. If any of your systems had an infection at one time or another, the system information may have been passed on to a Command and Control Center. It could be real easy for the "bad guys" to see what version of Backup Exec you have running on an infected system.

Knowing this, they then try extracting even more information from you over a phone call. Just my thoughts.

 

Regards,

Thomas

Grand's picture

I just received another call from "Symantec Customer Service" looking to ask me these questions again. It was a different woman this time, so I asked her for a phone number, email address, or anything to prove she was calling from Symantec. She said she was calling from the UK customer service center and could not receive inbound calls and did not have an email address. I explained to her my concerns with answering any of her questions, especially since the calls come in with a blocked number, and she said she understood and would remove my name from the list.

Now I asked her very specifically if she was a Symantec employee or with a third party company, and she stated she was a Symantec employee. When I questioned her on what versions of Symantec software we were running, she said 2010 (we are running 2010 R2 now - she might not even know there is a difference) and her records stated we purchased it from CDW which is correct.

So now the possibilities here are:

1) The call is real, and Symantec - a security company - simply doesn't have its act together when contacting customers and asks them for confidential information that would be a security risk to divulge. Symantec is also asking for this info without any method of proving that it is actually a Symantec employee who is calling on behalf of Symantec.

2) Symantec hired a third party to make these calls.

3) Symantec was compromised and third parties are making these calls unbeknownst to Symantec and for unknown reasons.

4) CDW sold this info and third parties are making these calls for unknown reasons.

5) CDW's systems were compromised and third parties are making these calls for unknown reasons.

I understand Symantec is a large organization, and the ass often doesn't know what the elbow is doing, but somebody there should know if these calls are legitimate, and if they are, somebody from the security department should have a meeting with the customer service or marketing department to discuss "appropriate" questions. This situation is no different than somebody calling me from a blocked number and claiming to be from my bank, asking for personal information that they should either already have or is none of their business, and being unable to provide me with any proof of who they are or a means to contact them back through official bank channels. And the result is the same - "Goodbye" - <click>.

Thomas K's picture

The fact the person stated they do not have an email address or phone number tells me this was not Symantec calling you. We all have customer facing emails that we can and will provide on request. This person calling you is a fake.

If CDW was compromised they are legally bound to disclose this. Again, I am betting this person is guessing that you have Backup Exec; BE has a large market share, so the chance of an IT organization running this product is much higher than, say, Symantec Network Access Control.

If they call again, ask them for their full name and Symantec employee number; I doubt they will respond.

AngelD's picture

Interesting; social engineering (by phone) isn't that common in Sweden (from what I've noticed) but it's a well proven (if skilled) method.

I guess now they have a bit more information on how to disguise as an employee ;)

nhej-'s picture

All Symantec employees have email addresses and employee numbers. If someone again tells you that she or he is from Symantec, ask for the employee number or any case numbers that they can provide to prove that they are Symantec employees.

Cheers!
"Those who Appreciate Quality Enjoy it Responsibly"
---------------:)---------------------------

deepak.vasudevan's picture

I think we use the term 'Phishing' for emails and phoney URLs. There is a term called 'Vishing' [Voice Phishing] which indicates phoney (voice) calls.

Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward.

Phishing: The fraudulent practice of sending e-mails purporting to be from legitimate companies in order to induce individuals to reveal personal information, such as credit-card numbers, online

Source URL: http://bit.ly/lkex9h  and http://bit.ly/jgv5kz