February 19, 2016

Computer maker Dell is asking for help in an ongoing probe into the source of customer information that appears to have somehow landed in the laps of fraudsters posing as Dell computer support technicians. KrebsOnSecurity readers continue to report being called by scammers posing as Dell support personnel who offer “proof” that they’re with Dell by rattling off the unique Dell “service tag” code printed on each Dell customer’s PC or laptop, as well as information from any previous (legitimate) service issues the customer may have had with Dell.

Image: Wikipedia

In January, Ars Technica’s Dan Goodin wrote about a guy who’d been complaining to Dell for six months about the very same problem, in which the scammers try to convince the customer that their computer is infected and in need of professional services. Dell responded at the time that its customer’s data protection was a top priority, and it reminded customers that Dell doesn’t make unsolicited calls asking to charge to fix an issue they did not report or previously request help with unless they have signed up for premium support services.

I first heard about this in December 2015 from Israeli resident Yosef Kaner, who reported receiving a phone call from someone with a thick Indian accent claiming to be from Dell technical support.

“He said that they had been monitoring my computer usage for the past couple of weeks, and that I had downloaded a dangerous piece of software,” Kaner said. “He offered to help me remove said software. Understanding that this was a scam, I asked him for a callback number. He gave me one. He also, though, knew my name and gave me the Service Tag of my PC. I thanked him and hung up. Then I Googled the number he gave me. It was a known number from a known scam.”

Almost every week this past month, I’ve received similar messages from other readers. Like this one, from Lucy Thomson of Washington, D.C. Thomson is the author of the ABA Data Breach and Encryption Handbook, and a former Justice Department fraud prosecutor.

“So I am not happy that Dell has had this breach and many people are potentially in jeopardy,” Thomson said. “I confirmed with two of the people who called on two different days, one who said he was in San Jose, CA and another who said he was in India, the nature of the PII and service records they have. All of it was correct and they have quite a bit of contact information and service records with specific dates of calls and service.”

Thomson said she called 1-866-383-4713 (the real Dell’s support line) and told the technician about having received calls every day for the previous five days from people claiming to be Dell certified technicians or who worked for Dell.

“I then told him they had all my PII and Dell service records for the computer I purchased from Dell in 2012,” Thomson recalled. “He said they had received calls ‘from people like you,’ and ‘many customers have called.’ In response to my question about why they had not sent data breach notifications, he said ‘The legal team is in charge. The legal team is working with the FBI on this.’ He said that twice. At the end of the call he said ‘we are creating a platform so this will never happen again.’”

Reader Peter Sullivan sent me this note two days ago:

I received a phone call this afternoon from a male with an Asian (Indian?) accent purporting to be a Dell support tech advising me that my computer had been infected with potentially damaging malware. As you can imagine, I was more than a little skeptical. After asking him several challenging questions, I said “I have two Dell computers, which one is infected?”

The caller gave me the Service Tag for my XPS 15 (L521x)! When I suggested that I would like to call him back, he told me that the support #s are very busy (!!) and I wouldn’t be able to get through. “If I give you your Express Service Code will you trust me then?” he said, and proceeded to give me the correct number.

I hung up and did a quick search, coming up with some problems from 2015 involving Dell System Detect that had exposed some Dell computers (I thought that I had responded to that issue). To be on the safe side I called Dell Tech Support and they told me that they don’t call … I wasn’t surprised.

Dell spokesman David Frink said the company has “no indication that customer information used in the scams reported recently were obtained through an external attack,” but he declined to respond to direct questions about whether the company had ruled out an insider attack, such as a current or previous channel partner that got hacked or illegally sold Dell customer information.

“Fact is, these phishing scams are increasingly more sophisticated, they are touching not only technology companies, but all industry, and we have devoted considerable resources to addressing them,” Frink said. “We have no indication that customer information used in the scams reported recently were obtained through an external attack. We continuously evaluate our internal physical and technical security measures to determine if there are additional efforts that would further ensure this customer data is secure. And, we investigate any customer complaint received when there is sufficient information to investigate.”

He pointed concerned Dell customers to information on the company’s site that warns customers to be on alert for phone scams.

“We also have provided an intake form to make it easy for customers to submit information for our teams to investigate,” Frink wrote in an email to KrebsOnSecurity. “We’re encouraging our customers to come to us with any information that could facilitate the investigations. We are investigating the issue, but can only do so with assist from customers who believe that someone tried to scam them. This is a continuing investigation, which by its nature, is based primarily on input from customers. We have no indication at this time that customer information used in the scams reported recently were obtained through an external attack.”

So if this wasn’t the result of a rogue partner, exactly how have the scammers managed to glean so much information about Dell customers and any previous service issues? Ars Technica’s Dan Goodin posited one possibility: That the scammers exploited a vulnerability in Dell computers that became public in November.

“It resided on Dell PCs that came pre-installed with digital certificates that made it easy for attackers to cryptographically impersonate any website on the Internet,” Goodin wrote. “The same certificate, it turned out, also allowed hackers to surreptitiously obtain the unique service tag Dell assigns to computers it sells.”

Goodin said that theory still doesn’t explain how scammers obtained contact information and support histories.

“The vulnerability, however, does demonstrate the plausibility that hackers could have devised a way to obtain personal details belonging to Dell customers,” he wrote. “For the time being, owners of Dell computers should presume their support histories and purchase and contact information has been compromised, and act accordingly.”

58 thoughts on “Dell to Customers: Report ‘Service Tag’ Scams”

  1. George G

    “He pointed concerned Dell customers to information on the company’s site that warns customers to be on alert for phone scams.”

    Why not send an email on that to all Dell customers?
    Do they expect their customers to check Dell’s website regularly to see that “maybe there is a warning there”??

    1. Sharpshooter

      They’ll sure Spam you to buy more/another Dell equipment/outfit.

  2. Thomas

    Where is Dell SecureWorks and the incident response team? All booked out on paying engagements? 🙂

  3. Kris Gnagey

    At my old local computer tech job we ran into a large number of clients who had experienced these calls, often times letting the supposed Microsoft certified technician take control of their computers and then pretend to do scans on their computer using a text file that would display a ‘100% complete’ message in a command prompt and then ask the client to pay them for the service. Each time was with an Indian accent. We ended up calling them back and told them that their computer had a virus and we needed to remotely connect in order to clean it up for them. They seemed confused at first and tried to tell us that our computer was infected and they could clean it for us, but when we insisted that was what we were trying to do for them, they told us not to call them anymore. We told them the same.

  4. DOMS_forever

    Sounds like a Dell insider is selling the DOMS database.

  5. pl1952

    This happened to me middle of last year when I renewed my warranty. Next day the calls started and they had all my information. Had to be an insider. To this day I still get calls…

  6. Joe H

    I’ve gotten calls which could be considered harassment; some Indian guy saying some real nasty things because I called him on his scam. I used to buy Dell, now I buy Mac for obvious reasons.

  7. Fantastic PC Support

    I run a computer support business “Fantastic PC Support” and I have never received any contact from someone pretending to be Dell and people should just be genuine and not pretend to be something they are not.

  8. Just Passin' Thru

    From my perspective, this is an insider-caused issue, not a hacker.

    I bought an Alienware in mid-2010, with the 4 year warranty. After 3 years, there were significant issues with brain-dead power supply-related hardware issues. I called the support nbr.

    After giving the tag and service numbers from my system, the tech in Costa Rica said that my name and address didn’t match the info in their database, and he couldn’t help me. (These are critical in Dell’s operation — a tech visits your home to do repairs.)

    So, someone internal to Dell hacked their database and changed my entry to be someone else.

    After a month, I was able to get thru to a human and get this resolved. The laugh (to me) was that she said there are a lot of hackers and probably someone gained access to my computer and called/logged in and changed the owner in my database by claiming the system was sold. Alternatively, someone hacked into my house’s intranet and managed to obtain the tag/service nbrs so they could then change them. For no reason whatsoever(!).

    Pretty unlikely, since the computer stays in my house at all times, and is well-protected network-wise.

    Most likely scenario… Dell employee has access to their database and was selling service on the side. Later, decided to just do a Chelsea Manning operation for profit.

    I wonder how he contacted his customers… ebay? Craigslist?

  9. TMR

    Same scam happened to us 2 weeks ago. My wife was wise enough to not give the guy access and called Dell to check if it was legit. Of course not. She filed a report and has never heard from Dell. Obviously it is an inside job and Dell has never alerted the public. I had to search the internet to find out this has been happening since last year. I think Dell is culpable in this as they have done nothing. Any other reputable company would have notified the public and provided some after the fact security measure. Dell has lost my support.

  10. DFC

    I got worked by a hacker team just this week. An Indian-sounding woman called saying she was a Dell technician and said many of my system services were turned off and suggesting I had a problem. I let her have access because I’ve done it before when I had software adjusting work from Dell service in 2015. She did a “scan” and found multiple copies of a virus and said she was a “level 3 technician” and this was serious so she would switch me to a “level 5” professional from an outside security company. A couple minutes later a guy, again Indian-sounding, came on and said he was with Vtech Solutions. He scanned and found all sorts of terrible gaps in my computer security and home wi-fi system. He said all my credit card and financial information was exposed and that hackers were actively probing my network. I won’t go into the rest, but I’m just advising readers that this scam is going on right now. It’s a team and they had prior information about me as a Dell customer. I’m now trying to unwind the damage. All Dell has is a form to fill out. The fraud department phone line is closed!! I’m not an IT professional and I panicked and fell for it.

    1. Millir

      Wow, that’s exactly the same thing that happened to me this weekend. I have had Dell support hook up to my computer before. This guy said he was from Dell and told me my service tag number and had my previous support info so I thought it was legit. Like a big ol’ sucker, I fell for it. Wanted me to pay over $600 to “reprogram” my laptop and install Windows 10. By the time I realized it was a scam and hit the power button it was too late. So now I’m working with Dell to try to fix whatever they did.
