I have a feeling most of us who live in the US had to deal with telemarketers one time or another. On my side, that usually happens when a company I dealt with sold my info out. And example would be when I buy a domain. Last time I did it, which was for this very site, the next three weeks were filled with calls to my home trying to sell me services. And the same happens at work. The tactics change depending on where they are calling you at:
- If calling your home/cell number they will try to appeal to emotions such as greed "you have won a prize! Please stand by to provide the personal info we seek" or fear "there is a warrant for your arrest! Call us back immediately at this number."
- If calling at work they might try to generate the lead by offering a white paper or a webinar if you, or who has purchasing authority, provide them with info. We do get the whitepaper one a lot at work.
On April 13 I received one of those calls. I twitted about that once it was over, but I thought it deserved a longer/better entry. The story begins with a telemarketer who works for a company selling "secondary storage solutions" from what I had gathered from the questions; but since he was doing a bit of recon, he did not identified himself as so. I wish I had a way to record the conversation, but that was company's phone. In any case, it went something like this (I will put my thoughts in itallics):
- Telemarketer:I am doing research and my deadline is this Friday. Can I talk to the IT manager?
As we know, any good social engineering campaign relies on pressing some sense of urgency onto their victims so they are compelled to act before thinking. I am not one of those experts with years of experience in the field, but my BS detector is well trained. However, by default if I receive a call of an unknown number I assume scam. To give the benefit of the doubt, I decided to ask a few questions. Note that I also broke the expected handshaking flow.
- Me: Oh really? Which organization are you with?
- Telemarketer: I am from the University of the United States.
When I heard that reply, the first thing that came to my mind was that scene in Coming to America when Eddy Murphy tells the Shari Headley he attends The University of America, which she has never heard of. In other words, scam. So, game on!
- Me: Oh really? I have never heard of it. Where is it located?
- Telemarketer: Santiago.
- Me: You mean, as in Chile?
- Telemarketer: Sure. I want to ask a few questions about your storage for my research that is due on Friday. this should take 30 seconds. Which storage system do you use for your secondary storage?
His research is due on Friday! This needs to be done now! Oh the urgency! And technical terms like "Secondary Storage!" I am confused and being compelled to divulge info! What should I do?
- Me: PickleNAS.
Don't hate me; that's the best fake name I could come up with under so overwhelming pressure. It would be funny if that actually exists, so you there! Go create the PickleNAS! Now!
- He did make me spell it out. I wonder when he will realize what I was up to? I was begin to have a hard time holding my laugh; but I was going to prevail!
- Telemarketer: How much storage do you use?
- Me: 1 3/4TB
- Telemarketer: One and three-quarters?
- Me: Yeah, we don't read much here.
I was dropping hints but he would not get it.
- Telemarketer: I see. Are you the IT Director, Manager, or in a Decision Position?
- Me: Nope.
- Telemarketer: I see, so you make recommendations. What is your title?
- Me: Food taster.
I swear that was my reply.
At that point, I hung up. I could not go on and needed to burst out laughing. Funny thing is that the same person -- at least the number on the callerID was the same -- called again. She was a bit nicer to him and just told him to bugger off.
Moral of the Story
Good question; I really have no good sensible and proper security advise. I guess that once you realize you are dealing with telemarketing or some spam/phishing call, I see nothing wrong with turning the table around and having fun at the attacker's expense.