‘Callback’ phishing campaign impersonates security firms

A new report describes a callback phishing campaign that impersonates well-known security firms to trick potential victims into making a phone call, during which they are instructed to install malware.

CrowdStrike Intelligence researchers found the campaign because CrowdStrike is one of the firms being impersonated.

The campaign uses a phishing email designed to make victims respond urgently: it suggests that the recipient’s firm has been breached and insists that they call a phone number included in the message.

When a target calls the number, they reach an operator who directs them to a malicious website.

The researchers said, “Historically, callback campaign operators attempt to persuade victims to install commercial RAT software to gain an initial foothold on the network.” 

The researchers also linked the campaign to an incident seen last year, known as BazarCall, attributed to the Wizard Spider threat group.

That campaign used a related tactic to get people to make a call: the lure was an offer to opt out of renewing a service the recipient was supposedly using.

The researchers did not name the other security firms being impersonated in the campaign. They did include a screenshot of the email sent to recipients impersonating CrowdStrike, which looks legitimate and carries the firm’s logo.

The email tells the target that it comes from the firm’s “outsourced data security services vendor” and that “abnormal activity” has been detected on the “segment of the network of which your workstation is a part.”

The email claims that the recipient’s IT department has already been informed, but that the recipient’s participation is needed to conduct an audit of their workstation.

The email tells the victim to call the provided phone number so the audit can be carried out, implying that the malicious activity is real.

Although the researchers could not identify the malware used in the campaign, they expect it to involve “common legitimate remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and the deployment of ransomware or data extortion.”

The potential use of ransomware

The researchers also assessed that callback operators are likely to use ransomware to monetize their activities.

According to the CrowdStrike researchers, “This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches.”

The researchers stressed that CrowdStrike would never contact or call customers in this way, and urged anyone receiving the message to forward the phishing email to csirt@crowdstrike.com.

CrowdStrike’s assurance is valuable because cybercriminals are becoming adept at tactics that appear legitimate to unsuspecting individuals.

More generally, awareness is the key defense. Cybersecurity expert Chris Clements offers this insight: “One of the most important facets of effective cybersecurity awareness training is educating users beforehand on how they will or will not be contacted, and what information or actions they may be asked to take.”

Users should know in advance how legitimate external or internal departments might contact or call them, and not only on cybersecurity matters.