Cybersecurity researchers tracking the evolution of a type of phishing campaign known as “Callback attacks” have noted their increasing sophistication and ability to dupe victims.
Callback attacks start with a fake email and end, in some cases, with victims being coaxed into downloading files that purport to be antivirus software or other legitimate apps but are in fact malware.
In some cases, Conti ransomware was downloaded onto devices within 32 hours of a backdoor being delivered to the victim.
What Are Callback Attacks?
According to Trellix, authors of a new report detailing the ins and outs of Callback attacks (often called “BazarCall” attacks), the scam typically starts with the victim receiving an email from someone purporting to work for a company or organization with which the victim supposedly holds an expensive subscription.
The email contains a telephone number, which the victim is pressured into calling in order to cancel the subscription.
The victim is then walked through a process that culminates in malware being downloaded onto their device, usually by way of the caller gaining remote control of the machine. Trellix’s report includes a diagram illustrating the full attack cycle.
A Brief History of Callback Attacks
This isn’t the first time a callback attack has reared its ugly head, but it remains a relatively novel form of phishing and certainly departs from the standard click-the-link-here style used by many cybercriminals.
Indeed, by comparison, this is a slightly longer game. BazarCall phishing campaigns “forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling,” Microsoft explained in a blog post last year.
“It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold-called by the attacker.”
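The traits described above (a subscription or invoice lure, a phone number the reader is told to call, and no links or attachments for a conventional filter to catch) are enough to build a first-pass triage rule at the mail gateway. The following is an added example written for this article, not code from Trellix, Microsoft or any vendor; its keyword lists, weights, thresholds, sample messages, domains and phone numbers are all constructed assumptions for illustration.

```python
"""Heuristic triage for callback-phishing ("BazarCall"-style) emails.

Added example; not code from Trellix, Microsoft or any vendor. It scores an
email on the traits the reports describe: a subscription/renewal/invoice lure,
a phone number the reader is urged to call, and no links or attachments.
Keyword lists, weights and thresholds are illustrative assumptions.
"""
import email
import re
from email import policy
from html import unescape

# North American style numbers, e.g. "(888) 555-0143" or "1-800-555-0199".
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://|\bwww\.", re.I)
# "call ... billing", "phone our support team": the instruction to ring someone.
CALL_CUE_RE = re.compile(
    r"\b(?:call|phone|dial|ring)\b.{0,40}?\b(?:us|support|billing|helpline|number|desk|team)\b",
    re.I | re.S)
# Subscription/invoice lure vocabulary (illustrative, not exhaustive).
LURE_RE = re.compile(
    r"\b(subscription|renew(?:al|ed)?|invoice|charged?|trial|membership|cancel|refund|order)\b",
    re.I)

FLAG_AT = 7     # score at which the verdict becomes "callback-phish"
REVIEW_AT = 4   # score at which the verdict becomes "review"


def body_text(msg) -> str:
    """Return the subject plus the readable body, with HTML tags stripped."""
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    if part is not None and part.get_content_type() == "text/html":
        body = unescape(re.sub(r"<[^>]+>", " ", body))
    return f"{msg.get('Subject', '')}\n{body}"


def triage(raw_message: str) -> dict:
    """Score one RFC 5322 message and return the observed signals plus a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    text = body_text(msg)
    has_phone = bool(PHONE_RE.search(text))
    has_url = bool(URL_RE.search(text))
    has_attachment = any(True for _ in msg.iter_attachments())
    call_cue = bool(CALL_CUE_RE.search(text))
    lure_hits = sorted({m.lower() for m in LURE_RE.findall(text)})

    score = 0
    if has_phone:
        score += 2
    if call_cue:
        score += 1
    score += min(len(lure_hits), 3)
    # The BazarCall signature: the phone number is the only "link" on offer.
    if has_phone and not has_url and not has_attachment:
        score += 3

    verdict = ("callback-phish" if score >= FLAG_AT
               else "review" if score >= REVIEW_AT else "pass")
    return {"score": score, "verdict": verdict, "phone": has_phone,
            "url": has_url, "attachment": has_attachment,
            "call_cue": call_cue, "lure": lure_hits}


# Constructed sample messages (fictional .test domains, reserved 555 numbers).
SAMPLE_CALLBACK_LURE = """\
From: billing@streaming-pro.test
Subject: Your Streaming Pro subscription has renewed - $399.99
Content-Type: text/plain; charset=utf-8

Thank you for renewing your Streaming Pro membership. Your card was charged $399.99.
If you did not authorize this, call our billing desk at (888) 555-0143 within
24 hours to cancel and request a refund.
"""
SAMPLE_HTML_LURE = """\
From: billing@pc-shield.test
Subject: Invoice for your antivirus renewal
Content-Type: text/html; charset=utf-8

<html><body><p>Your <b>PC Shield Pro</b> subscription renewal of $249.00 was processed.
To cancel, phone our support team at 1-888-555-0108.</p></body></html>
"""
SAMPLE_SHIPPING_RECEIPT = """\
From: orders@example-shop.test
Subject: Your order #48213 has shipped
Content-Type: text/plain; charset=utf-8

Track it at https://example-shop.test/track/48213
Questions? Call support at 1-800-555-0199 or reply to this email.
"""
SAMPLE_NEWSLETTER = """\
From: news@example-news.test
Subject: This week in security
Content-Type: text/plain; charset=utf-8

Read this week's stories at https://example-news.test/weekly
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CALLBACK_LURE, SAMPLE_HTML_LURE,
                   SAMPLE_SHIPPING_RECEIPT, SAMPLE_NEWSLETTER):
        print(triage(sample))
```

Run it and both constructed lures score 9 and are flagged; the shipping receipt scores 4 and lands in review, because it carries a phone number and a “call support” cue but its tracking link denies it the no-link bonus; the newsletter passes. Treat the score as a routing aid for analyst review rather than a blocking rule: legitimate billing mail also asks people to call, and that ambiguity is exactly what the scam exploits.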
Trellix says that BazarCall campaigns first came to light in 2020, and since then, the company has charted a “constant increase” in attacks originating with such tactics.
In early 2022, it was relaunched as an attack vector by Conti, but the actors behind the operation reportedly split from the group in April to form the “Silent Ransom” group. Since then, the BazarCall method of phishing has been adopted by other groups.
Protecting Your Business Against Phishing
The rise of a new phishing technique is always a concern because it shows the scam is profitable, and that it could dupe even tech-savvy victims.
There are, however, some golden rules you can follow to seriously reduce your chance of being phished. These include:
- Not calling a phone number supplied in an unexpected email about a charge, renewal or subscription; look the company’s number up yourself instead.
- Not opening files received from unrecognized email addresses (even if they claim to be antivirus software).
- Treating every email with spelling mistakes with extreme caution.
- Reporting potentially suspicious emails to your IT or tech team.
- Not clicking on emails picked up by your company email’s spam filter or phishing protection function.
Remember: you can always open a separate, independent channel of communication with whichever company an email purports to be from, using the contact details on that company’s own website.
Although this might take a bit longer, it ensures that a) any legitimate issue gets sorted and b) you don’t engage with malicious actors. A small price to pay, all things considered.