security and privacy issues
Shutterstock.com

There’s a phone scam trying to convince unsuspecting people that Canada’s spy agency has discovered their computers are being used to pump out spam.

I know because I got a call Monday from one of the gang.

“Gregory Scott,” purporting to be from the “Cybercrime Control Board of Canada,” said my computer was being used for spreading spam by attackers from Mexico. The “board” has been trying to get hold of me for some time, he alleged — why hadn’t I answered?

Asked about the board, he said it’s a “governmental organization which deals with Internet security and cyber crime.” Which department is it with, I asked?

“Have you ever heard of CSIS?” he replied.

Well, I thought, yes I have — by coincidence I wrote about CSIS last week. The Canadian Security and Intelligence Service advises the federal government on intelligence matters, and has no mandate to investigate spam on peoples’ computers. And there’s no such agency as the Cybercrime Control Board.

So I hung up.

Reporters have been juicy targets for scammers and hackers for years, so was I in someone’s bull’s-eye? Not necessarily, according to Daniel Williams, a fraud specialist at the Canadian Anti-Fraud Centre, a federal agency jointly managed by the RCMP, Competition Bureau, and the Ontario Provincial Police.

The centre has received at least two complaints about callers claiming to be from a “Cybercrime Control Board,” he said, and hundreds more purporting to be from a body with a similar name (like “cyber police board”) over the last four years. Scammers have claimed the “board” is affiliated with CSIS, the RCMP, Interpol and other law enforcement agencies in Canada.

It’s part of a global scam from call centres in India hoping to get victims here and the U.S. (where they’d give U.S. law enforcement agency names). The goal: Get victims to give remote access to their computers, then encourage them to buy so-called anti-spam solutions, Williams said. Credit card data used for the purchase could then be used for identity fraud.

Attackers will also secretly disable victims’ anti-virus and firewall protection and steal files they hope will be useful.

In addition to using a police agency’s name callers may say they’re from Microsoft.

The group takes some effort to be convincing to victims. Callers will have some personal information about the victim, usually a home address, to try to assure they’re calling the right person. That address, Williams noted, can easily be obtained from a 411 reverse directory, unless the victim has an unlisted number. Like “Gregory.”

He also wanted to give me his web address, which would have been a phony site.

“Gregory” also tried to spin some credibility by claiming he had my CLS-ID — computer licence security ID, “the most confidential ID of any part of your computer system. Through that we know that it’s your computer that has been compromised by someone from Mexico, because that security ID is registered with your name at your place.”

Because I hung up on him I didn’t go through the charade of searching, but there are a number of CLS-IDs on every computer, and at least one of them is common on every recent version of Windows. So the caller knows nothing about your PC.

The Canadian Anti-fraud Centre says so far this year it has received 2,548 complaints from people saying they’ve been called by some organization offering help to fix alleged computer problems. Of those 1,165 were victimized for a total of just over $800,600. Last year 2,529 victims were stung this way for about    $1,312,000. The centre believes it hears from perhaps three per cent of the victims of what it calls mass marketing frauds, so the real number of victims would be much higher.

A spokesperson for CSIS was surprised its name was being used for fraud. “This is the first time I’ve heard about this,” Tahera Mufti, who heads the agency’s external communications, said in an interview, although the RCMP has warned of complaints of an anti-spam pop-up appearing on screens that includes a CSIS logo.

Readers should remember no one will telephone you to warn of a computer scam, or ask for access to your computing device or money. Nor would a company or government agency send a warning message from the so-called cyber police that would pop up on your screen.

Telephone frauds and scams can be reported  to 1-888-495-8501, Monday to Friday 8 am to 5 pm ET. There’s also a way to report online, although you first have to register. Spam can be reported here.



Related Download
Improving the State of Affairs With Analytics Sponsor: SAS
Improving the State of Affairs With Analytics
Download this case study-rich white paper to learn why data management and analytics are so crucial in the public sector, and how to put it to work in your organization.
Register Now