New Dell Tech Support Scams Have Customers Worried Company Was Hacked

Trailrunner7 writes: A new twist on the fake tech support scam has arisen that has victims wondering whether Dell has been hacked.There has been a recent rash of calls to Dell customers in which the caller says he is from Dell itself and is able to identify the victim's PC by model number and provide details of previous warranty and support interactions with the company.

These are details that, it would seem, only Dell or perhaps its contractors would know. One person who was contacted by the scammers wrote a detailed description of the call, and said the caller had personal details that could not have been found online. Dell officials say they're looking into it.

Service Tags don't require log-in to check

[Not-a-Neg]

Service Tags are rather short, if you brute force guessed existing service tags would it give enough personal info (first/last name) to then do a phone directory look-up to get enough info to know your number, name, service tag, etc...?

Re:Service Tags don't require log-in to check

[vux984]

Service Tags are rather short, if you brute force guessed existing service tags would it give enough personal info (first/last name) to then do a phone directory look-up to get enough info to know your number, name, service tag, etc...?

Brute force guessing valid tags is trivial: Here's one i made up by changing some digits around from one I had: FCKBRK1

Other than the country in which it was, and when it was shipped, and when the warranty ended, I'm not seeing anything useful for identifying who owns it.

I'm expecting dell itself was breached, or one of its support contractors.

Dell "privacy" policy is bullshit, IMO

[argStyopa]

More than a decade ago, I'd ordered my small business's desktops from Dell. Might have been a couple of times, actually.

A few years later, I was looking up drivers or somesuch, and noticed that oddly, the login screen for my Dell account had me misidentified as "Ben".

(My name is nothing like Ben.)

Then I saw a WAVE of spam, as well as dead-tree mail spam, all addressed to "dear Ben".
Dell INSISTS that they didn't sell my name to spammers.
Despite complaining to Dell, last time I checked it still calls me Ben, and I continue to get spam occasionally addressed to Ben.

Seems pretty clear to me.

Dell's been "looking into it" for months

Anyone notice that that the link is to a forum post from SIX MONTHS ago? And here's a post in Dell's forum about the problem in 2014 -- so, *18* months ago.

http://en.community.dell.com/s...

Is Dell unable to address this problem -- so they're just hoping it goes away?

That info is easy to get.

[farrellj]

You can get a great deal of information from the "service tag" on your Dell equipment. Every piece of Dell equipment has one, and you can get the entire service history through the Dell website. This is very useful for service types, both inside and outside Dell. But it sounds like some people are abusing that, and I fear that will cause Dell to shut down or limit access to that service. :-(

Re:That info is easy to get.

[gstoddart]

Yeah, with my service tag and NO other authorization Dell gave me my Express Service code.

From there it was a captcha away from being able to log into the warranty page, which I didn't bother doing.

This tells me there is probably VERY little authentication around something which is a relatively short and formulaic looking identifier.

If you need no real authentication and a captcha to get this information, then this service should be shut down. Because it basically would suggest they'll provide a tremendous amount of information for pretty much anybody who can come up with a single number.

If all it takes is auto-generating a bunch of possible service tags and brute forcing it, then Dell are fucking idiots who are just handing out your information like candy.

This is a system which is just begging to be exploited, because it's almost wide open.

Bah ...

[gstoddart]

It's the same bloody call center they use for support in the first place.

If they have information that specific either Dell has been hacked, or these guys for the information directly from Dell for a supposedly legitimate purpose.

When will people get it through their heads: incoming phone calls are inherently not trustworthy because the lobbyists for telemarketing companies have ensured caller ID spoofing is legal.

If someone calls you claiming to be from an entity you have a relationship with, tell them you'll only talk to them if you can call them on a number you can get from the official company web page.

I no longer give callers the benefit of being polite to them; I start out fairly hostile and either climb down or rapidly escalate from there. Because 90% or more of the incoming calls I've received in the last few years are fraudulent.

Between "the Microsoft support", or the "Air Duct cleaning" assholes, or that twat from cardholder services who wants to get me a lower rate ... it's all lies.

Best thing I ever did was get a Panasonic cordless phone which will drop all calls from "Unknown", "Unavailable", and "Private Caller". And for the rest, well, caller ID is a lie anyway, so I don't trust that.

Hell, a few times I've phoned myself to try to scam myself.