At The Identity Organisation, we're here to help!

    Or drop us a mail!

    Your privacy is important to us, and we want to communicate with you in a way which has your consent and which is in line with UK Law on data protection. As a result of a change in UK law on 25th May 2018, by providing us with your personal details you consent to us processing your data in line with current GDPR requirements.

    Here is where you can review our Privacy & GDPR Statement

    To remove consent at any time, please e-mail info@tidorg.com with the word "unsubscribe" as the subject.

    +44 (0) 1628 308038 info@tidorg.com

    Callback phishing attacks evolve their social engineering tactics

    Callback phishing operations have evolved their social engineering methods, keeping old fake subscriptions lure for the first phase of the attack but switching to pretending to help victims deal with an infection or hack.

    Successful attacks infect victims with a malware loader that drops additional payloads such as remote access trojans, spyware, and ransomware.

    Callback phishing attacks are email campaigns pretending to be high-priced subscriptions designed to lead to confusion by the recipient as they never subscribed to these services.

    Enclosed in the email is a phone number the recipient can call to learn more about this “subscription” and cancel it. However, this leads to a social engineering attack that deploys malware on victims’ devices and, potentially, full-blown ransomware attacks.

    According to a new report by Trellix, the latest campaigns target users in the United States, Canada, the UK, India, China, and Japan.

    Callback phishing attacks first appeared in March 2021 under the name “BazarCall,” where threat actors began sending emails pretending to be a subscription to a streaming service, software product, or medical services company, giving a phone number to call if they want to cancel the purchase.

    When a recipient called the number, the threat actors walked them through a series of steps that led to downloading a malicious Excel file that would install the BazarLoader malware.

    BazarLoader would provide remote access to an infected device, providing initial access to corporate networks and eventually leading to Ryuk or Conti ransomware attacks.

    Over time callback phishing attacks have emerged as a significant threat as they are now used by numerous hacking groups, including the Silent Ransom Group, Quantum, and the Royal ransomware /extortion operations.

    New social engineering tricks

    The social engineering process has changed in recent callback phishing campaigns, although the bait in the phishing email remains the same, an invoice for a payment made to Geek Squad, Norton, McAfee, PayPal, or Microsoft.

    Once the recipient calls the scammer on the provided number, they are requested to give the invoicing details for “verification.” Next, the scammer declares that there are no matching entries in the system and that the email the victim received was spam.

    Then, the supposed customer service agent warns the victim that the spam email may have resulted in a malware infection on their machine, offering to connect them with a technical specialist.

    After a while, a different scammer calls the victim to help them with the infection and directs them to a website where they download malware masqueraded as anti-virus software.

    Another variant used in the PayPal-themed phishing attacks is to ask the victim if they use PayPal and then allegedly check their email for compromise, claiming that their account was accessed by eight devices spread across various locations worldwide.

    In the security software subscription renewal campaigns, the scammers claim that the security product pre-installed with the victim’s laptop expired and was automatically renewed to extend protection.

    Eventually, the scammer directs the victim to a cancelation and refund portal, which is, again, the malware-dropping site.

    The result of all of these campaigns is convincing the victim to download malware, which could be BazarLoader, remote access trojans, Cobalt Strike, or some other remote access software, depending on the threat actor.

    Woth thanks to the Cyber defence Alliance and Bleeping Computer. The full story is here: https://www.bleepingcomputer.com/news/security/callback-phishing-attacks-evolve-their-social-engineering-tactics/

    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

    Here’s how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry
    Go Phishing Now!

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW

    Sign Up to the TIO Intel Alerts!

    Back To Top