Product recall subterfuge

Here’s one that’s so simple it must be happening already.
Spam targets with emails containing an alarming but plausible product recall notice. Receive their details, or even their product, in return.
I received an email a few days ago from a manufacturer of computing devices, and it came from a domain I didn’t recognise, making me immediately suspicious. It turned out to be genuine, but it made me think of this.

Improvements

This’ll only work if people have that device, but you may be able to sharpen your spear by frequenting owner forums (especially check out .sigs where users may inform/boast of owning a particular model), or hacking product website data. Use their name or purchase date if you can.
Don’t go overboard with the fear angle, but make it something where their worry of going out-of-warranty can be used against them. Have it be a potential issue (“23% of affected models emit smoke” after 6 months). Provide a pre-paid label to download, or even offer to pick it up via courier, minimising.
Obviously, tech devices like phones and laptops are best, anything with data on, or otherwise compromisable; a smoke alarm could be fitted with a listening device.
The recall I received was for a laptop battery, which in modern laptops is usually well sealed up, and there’s certainly likely to be some where the electrical interface contains some data lines, which may be exploitable, or merely, again, somewhere we could hide a bugging device. What’s more, the option I chose was a self-install kit, really minimising our exposure to the target, and making them less likely to reject it (who wants to be without their laptop for long?).

Defence

Mainly, go to the manufacturer’s site and check for the product recall there; contact support.
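
A mail-triage sketch of that check, added here as an example and not part of the original post: it lists the reasons a recall notice should be confirmed on the manufacturer's own site before anyone prints a label or ships anything. The domain names, the sample message and the `triage` and `under_known` helpers are all constructed for illustration, and only single-part plain-text mail is handled.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains you already know belong to the manufacturer (constructed).
KNOWN_DOMAINS = {"example-laptops.test"}

# Constructed sample message, not a real recall notice.
SAMPLE = """\
From: Product Safety <recall@example-laptops-recall.test>
To: owner@example.org
Subject: Battery recall notice
Authentication-Results: mx.example.org; spf=pass; dkim=none; dmarc=none
Content-Type: text/plain

Your battery is affected. Print a pre-paid label:
https://labels.example-laptops-recall.test/return?id=123
Recall details: https://www.example-laptops.test/support/recalls
"""

def under_known(host, known=KNOWN_DOMAINS):
    """True if host equals a known domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in known)

def triage(raw, known=KNOWN_DOMAINS):
    """Return reasons to verify this notice on the manufacturer's own site."""
    msg = message_from_string(raw)
    reasons = []
    # Sender domain: a lookalike such as "brand-recall" is not a subdomain.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not under_known(sender_domain, known):
        reasons.append(f"sender domain not recognised: {sender_domain}")
    # What the receiving mail server recorded about DMARC for this message.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        reasons.append("no DMARC pass recorded by the receiving server")
    # Every link that would take the reader off the known domains.
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if not under_known(host, known):
            reasons.append(f"link leaves known domains: {host}")
    return reasons

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print("verify out-of-band:", reason)
```

A hit here means "check the manufacturer's recall page directly", not "this is fake": the genuine notice described above also came from an unrecognised domain.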