Phishing, Content, Malware, Ransomware

New Callback Malware Campaign Impersonates Legitimate Cybersecurity Providers

Credit: Getty Images

How can hackers continue to dupe unwitting users into handing over their credentials even though organizations can block millions of email-based phishing attacks?

Answer: Because hackers are continually morphing their attack methods to be more complex and sophisticated.

Users and MSSPs should be on the lookout for one of the latest ruses. In a recent instance, hackers tricked targets by pressuring them to call back fraudulent phone numbers that they claim are from well-known cybersecurity providers to resolve an issue, such as to cancel a cybersecurity subscription service or other faked problems. When the unaware user calls the return number, they are tricked into providing confidential credentials. This allows the hackers access to the corporate network or to ultimately to lock it up with ransomware.

"This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches,” CrowdStrike said in a blog post.

Email Fraud Campaign Surfaces

CrowdStrike said it first identified the fraudulent email campaign in which it was involved earlier in July.

Here’s how the hackers carry out the heist (via CrowdStrike):

  • A phishing email says the recipient’s company has been breached and insists the victim call the included phone number.
  • The callback campaign employs emails that appear to originate from prominent security companies
  • The message claims the security company identified a potential compromise in the recipient’s network.
  • Similar to other callback campaigns, the operators provide a phone number for the recipient to call.
  • The campaign leverages similar social-engineering tactics to those employed in recent callback campaigns, including WIZARD SPIDER’s 2021 BazarCall campaign.

Questions Remain

The campaign will "highly likely" include common legitimate remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and deploy ransomware or data extortion, CrowdStrike said.

While the company currently can’t identify the ransomware variant, it believes ransomware is used to monetize their operation, making its assessment with “moderate confidence.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.