Friday, October 4, 2024
HomeCyber Security NewsCallback Phishing Attack Tactics Evolved - Successful Attack Drops Ransomware

Callback Phishing Attack Tactics Evolved – Successful Attack Drops Ransomware

Published on

Trellix released a recent report on the evolution of BazarCall social engineering tactics. Initially BazarCall campaigns appeared in late 2020 and researchers at Trellix noticed a continuous growth in attacks pertaining to this campaign.

Reports say at first, it delivered BazaarLoader (backdoor) which was used as an entry point to deliver ransomware. A BazaarLoader infection will lead to the installation of Conti Ransomware in a span of 32 hours.

It was also found to be delivering other malware such as Trickbot, Gozi IFSB, IcedID and more. In this case, “BazarCall has ceaselessly adapted and evolved its social engineering tactics”. These campaigns were found to be most active in United States and Canada. They were also targeting some Asian countries like India and China.

- Advertisement - EHA

What is BazarCall?

BazarCall begins with a phishing email but from there deviates to a novel distribution method – using phone call centers to distribute malicious Excel documents that install malware.

In BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.

Figure. 1: Attack Chain
Attack Chain

Evolution of Bazarcall Social Engineering Tactics

Trellix categorize the attack flow of the BazarCall campaigns into three phases: First through Phase 1 – The bait, where the delivery vector is a ‘fake notification email’ which tells the recipient about a charge levied on their account for purchase/renewal of a product/subscription.

It includes information like Product Name, Date, Model, etc. with a unique invoice number used by the scammer to recognize the victim.

Also, the email says that the victim can call the phone number for any queries or cancellation requests. Researchers say the information was there in the email body or as a PDF attachment.

Figure. 2: Sample emails
Sample Emails

Researchers say this campaign was seen impersonating many brands like Geek Squad, Norton, McAfee, PayPal, Microsoft etc.

In Phase 2, when the recipient calls the scam call center, manipulating the victim into downloading and running malware on their system. Recipient is requested to give the invoicing details for “verification.” After that, the scammer declares that there are no matching entries in the system and that the email the victim received was spam.

Then the customer service agent informs the victim that the spam email may have resulted in a malware infection on their machine, offering to connect them with a technical specialist.

Then, a different scammer calls the victim to assist them with the infection and directs them to a website where they download malware masqueraded as anti-virus software.

Various websites used in the recent BazarCall campaigns
Various websites used in the recent BazarCall campaigns

In the security software subscription renewal campaigns, the scammers claim that the security product pre-installed with the victim’s laptop expired and was automatically renewed to extend protection. Then the scammer directs the victim to a cancelation and refund portal, which is also the malware-dropping site.

In the final phase, the malware is executed and it is used to carry out financial fraud or push additional malware to the system.

Trellix mentions that the majority of these recent campaigns are pushing a ClickOnce executable named ‘support.Client.exe,’ that, when launched, installs the ScreenConnect remote access tool.

“The attacker can also show a fake lock screen and make the system inaccessible to the victim, where the attacker is able to perform tasks without the victim being aware of them,” explains Trellix.

To receive the refund, the victim is urged to log in to their bank account, where they are tricked into sending money to the scammer instead.

“This is achieved by locking the victim’s screen and initiating a transfer-out request and then unlocking the screen when the transaction requires an OTP (One Time Password) or a secondary password,” explains the Trellix report.

“The victim is also presented with a fake refund successful page to convince him into believing that they have received the refund. The scammer may also send an SMS to the victim with a fake money received message as an additional tactic to prevent the victim from suspecting any fraud.”

Trellix Email security provides reliable detection from BazarCall campaigns by preventing such emails from ever reaching your system.

Get Your Copy of Free DDoS Protection Whitepaper to learn types of DDoS Attacks

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Doppler Launches ‘Change Requests’ to Strengthen Secrets Management Security with Audited Approvals

Doppler, the leading platform in secrets management, today announces the launch of Change Requests,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...