Computer maker Dell is asking for help in an ongoing probe into the source of customer information that appears to have somehow landed in the laps of fraudsters posing as Dell computer support technicians. KrebsOnSecurity readers continue to report being called by scammers posing as Dell support personnel who offer “proof” that they’re with Dell by rattling off the unique Dell “service tag” code printed on each Dell customer’s PC or laptop, as well as information from any previous (legitimate) service issues the customer may have had with Dell.
In January, Ars Technica’s Dan Goodin wrote about a guy who’d been complaining to Dell for six months about the very same problem, in which the scammers try to convince the customer that their computer is infected and in need of professional services. Dell responded at the time that its customer’s data protection was a top priority, and it reminded customers that Dell doesn’t make unsolicited calls asking to charge to fix an issue they did not report or previously request help with unless they have signed up for premium support services.
I first heard about this in December 2015 from Israeli resident Yosef Kaner, who reported receiving a phone call from someone with a thick Indian accent claiming to be from Dell technical support.
“He said that they had been monitoring my computer usage for the past couple of weeks, and that I had downloaded a dangerous piece of software,” Kaner said. “He offered to help me remove said software. Understanding that this was a scam, I asked him for a callback number. He gave me one. He also, though, knew my name and gave me the Service Tag of my PC. I thanked him and hung up. Then I Googled the number he gave me. It was a known number from a known scam.”
Almost every week this past month, I’ve received similar messages from other readers. Like this one, from Lucy Thomson of Washington, D.C. Thomson is the author of the ABA Data Breach and Encryption Handbook, and a former Justice Department fraud prosecutor.
“So I am not happy that Dell has had this breach and many people are potentially in jeopardy,” Thomson said. “I confirmed with two of the people who called on two different days, one who said he was in San Jose, CA and another who said he was in India, the nature of the PII and service records they have. All of it was correct and they have quite a bit of contact information and service records with specific dates of calls and service.”
Thomson said she called 1-866-383-4713 (the real Dell’s support line) and told the technician about having received calls every day for the previous five days from people claiming to be Dell certified technicians or who worked for Dell.
“I then told him they had all my PII and Dell service records for the computer I purchased from Dell in 2012,” Thomson recalled. “He said they had received calls ‘from people like you,’ and ‘many customers have called.’ In response to my question about why they had not sent data breach notifications, he said ‘The legal team is in charge. The legal team is working with the FBI on this.’ He said that twice. At the end of the call he said ‘we are creating a platform so this will never happen again.'”
Reader Peter Sullivan sent me this note two days ago:
I received a phone call this afternoon from a male with an Asian (Indian?) accent purporting to be a Dell support tech advising me that my computer had been infected with potentially damaging malware. As you can imagine, I was more than a little skeptical. After asking him several challenging questions, I said ‘I have two Dell computers, which one is infected?”
The caller gave me the Service Tag for my XPS 15 (L521x)! When I suggested that I would like to call him back, he told me that the support #s are very busy (!!) and I wouldn’t be able to get through. “ if I give you your Express Service Code will you trust me then?,” he said proceeded to give me the correct number.
I hung up and did a quick search, coming up with some problems from 2015 involving Dell System Detect that had exposed some Dell computers (I thought that I had responded to that issue). To be on the safe side I called Dell Tech Support and they told me that they don’t call … I wasn’t surprised.
Dell spokesman David Frink said the company has “no indication that customer information used in the sames reported recently were obtained through an external attack,” but he declined to respond to direct questions about whether the company had ruled out an insider attack, such as a current or previous channel partner that got hacked or illegally sold Dell customer information.
“Fact is, these phishing scams are increasingly more sophisticated, they are touching not only technology companies, but all industry, and we have devoted considerable resources to addressing them,” Frink said. “We have no indication that customer information used in the scams reported recently were obtained through an external attack. We continuously evaluate our internal physical and technical security measures to determine if there are additional efforts that would further ensure this customer data is secure. And, we investigate any customer complaint received when there is sufficient information to investigate.”
He pointed concerned Dell customers to information on the company’s site that warns customers to be on alert for phone scams.
“We also have provided an intake form to make it easy for customers to submit information for our teams to investigate,” Frink wrote in an email to KrebsOnSecurity. “We’re encouraging our customers to come to us with any information that could facilitate the investigations. We are investigating the issue, but can only do so with assist from customers who believe that someone tried to scam them. This is a continuing investigation, which by its nature, is based primarily on input from customers. We have no indication at this time that customer information used in the scams reported recently were obtained through an external attack.”
So if this wasn’t the result of a rogue partner, exactly how have the scammers managed to glean so much information about Dell customers and any previous service issues? Ars Technica’s Dan Goodin posited one possibility: That the scammers exploited a vulnerability in Dell computers that became public in November.
“It resided on Dell PCs that came pre-installed with digital certificates that made it easy for attackers to cryptographically impersonate any website on the Internet,” Goodin wrote. “The same certificate, it turned out, also allowed hackers to surreptitiously obtain the unique service tag Dell assigns to computers it sells.”
Goodin said that theory still doesn’t explain how scammers obtained contact information and support histories.
“The vulnerability, however, does demonstrate the plausibility that hackers could have devised a way to obtain personal details belonging to Dell customers,” he wrote. “For the time being, owners of Dell computers should presume their support histories and purchase and contact information has been compromised, and act accordingly.”