Callback phishing actors now utilise fake infection assistance

October 12, 2022

Recent research into the callback phishing tactic shows that attackers now pretend to help victims with a supposed malware infection or hacking incident, luring them into installing malicious payloads such as spyware and ransomware on their devices.

Originally, callback phishing campaigns relied on fake email notifications about an alleged subscription to a brand or software product. The malicious emails included a phone number the victims could call if they wanted to cancel the subscription.

Once the victim calls the number, a threat actor walks them through steps that lead to downloading BazarLoader onto their computer. This malware gives the threat actors remote access for ransomware attacks.

The new callback phishing campaign uses a social engineering trick in which attackers pose as security support staff helping with a malware infection.

According to the analysis of this new campaign, the threat actors send malicious emails to the victims about an alleged invoice payment for several cybersecurity tools, including Norton, McAfee, Geek Squad, and Microsoft. The actors also use PayPal’s brand name in some instances.
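A mail-filter heuristic for the lure described above, added here as an example and not taken from the research the article cites. The brand list comes from the article; the sender domain allow-list, the billing keywords, the phone-number pattern and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands the article lists as impersonated; the domains are an assumed allow-list.
BRAND_DOMAINS = {
    "norton": ("norton.com",),
    "mcafee": ("mcafee.com",),
    "geek squad": ("geeksquad.com", "bestbuy.com"),
    "microsoft": ("microsoft.com",),
    "paypal": ("paypal.com",),
}
# Billing pretext wording (assumed keyword set; tune for your own mail flow).
BILLING = re.compile(r"\b(invoice|subscription|renewal|payment|charged)\b", re.I)
# North American style phone numbers with loose separators.
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.\-]*)?\(?\d{3}\)?[\s.\-]*\d{3}[\s.\-]*\d{4}(?!\d)")

def callback_lure_signals(raw_message):
    """Return the set of callback-phishing signals found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # multipart is skipped here
    text = f"{msg.get('From', '')}\n{msg.get('Subject', '')}\n{body}".lower()
    signals = set()
    mentioned = [b for b in BRAND_DOMAINS if b in text]
    if mentioned:
        signals.add("brand")
        owned = [d for b in mentioned for d in BRAND_DOMAINS[b]]
        if not any(sender_domain == d or sender_domain.endswith("." + d) for d in owned):
            signals.add("sender_mismatch")
    if BILLING.search(text):
        signals.add("billing")
    if PHONE.search(text):
        signals.add("phone")
    return signals

def is_callback_lure(raw_message):
    """Flag only when all four signals line up, to keep false positives low."""
    return callback_lure_signals(raw_message) >= {"brand", "sender_mismatch", "billing", "phone"}

# Constructed sample messages (not real campaign emails).
LURE = ('From: "Norton Billing" <billing-dept@example.net>\n'
        "Subject: Invoice for your subscription renewal\n\n"
        "Your Norton subscription was renewed and $349.99 was charged.\n"
        "To cancel, call +1 (555) 010-0199 within 24 hours.\n")
BENIGN = ('From: "PayPal" <service@paypal.com>\n'
          "Subject: Receipt for your payment\n\n"
          "You sent a payment of $12.00 USD to Example Shop.\n")
```

Messages that match are better quarantined for review than silently dropped, since legitimate third-party resellers can trip the sender mismatch check.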

After the victim calls the phone number in the email, the threat actor asks for their verification details, then tells them that there are no matching entries on their system and that the email could be from a “hacker.” At this point, the threat actor transfers the call to another operator to assist the victim with the purported malware infection.

This new operator instructs the victim to open a website and download fake anti-virus software, which conceals malware that launches on the victim’s computer once they download it. Experts explain that the threat actors could deliver various malware payloads to the victims’ devices, such as remote access trojans, spyware, BazarLoader, Cobalt Strike, and more.

As callback phishing becomes an effective attack tactic for many ransomware groups, researchers have seen associations between some of the identified campaigns and ransomware operations, including Royal, Quantum, and Silent Ransom.

The countries most affected by these campaigns are the US, Canada, India, China, Japan, and the UK. People in these regions are therefore advised to be more alert and to avoid engaging with suspicious phone calls that ask them to install software, which could lead to an actual malware infection.
