Cybersecurity firms impersonated for a callback phishing campaign

July 13, 2022

Earlier this month, CrowdStrike Intelligence spotted a callback phishing campaign that impersonated several prominent cybersecurity firms, including CrowdStrike itself. The threat actors relied on social engineering rather than malicious links or attachments to reach their targets.

The callback phishing campaign impersonated the targeted security firm and sent warning emails to that firm's customers. The email claimed that the recipient's own company had been breached and instructed the recipient to call the phone number included in the message.

This campaign reuses standard social-engineering tactics carried over from earlier callback phishing operations. Several of its methods overlap with the BazarCall campaign that WIZARD SPIDER ran last year.

Based on that overlap, this campaign will likely follow the same playbook: legitimate commercial remote administration tools for initial access, off-the-shelf penetration-testing tools for lateral movement inside the victim environment, and finally data extortion or ransomware deployment.

The callback phishing campaign's email appearance will most likely deceive unaware users.

Researchers noted that the campaign's emails closely resemble genuine notifications from a large cybersecurity company. The message claims that the security firm has spotted a potential infection in the recipient's network that must be addressed immediately, so a recipient who takes the email at face value is expected to dial the listed number without hesitation.
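The traits described above (a vendor's brand name, breach and urgency language, a phone number to call) are exactly what a mail-triage heuristic can key on. The following is an added example written for this page, not code from CrowdStrike or from the campaign report. The two messages are constructed samples, and the vendor-to-domain map is a hypothetical allowlist that a real deployment would populate from the vendors it actually does business with; the "no links" indicator reflects the general pattern of callback phishing, which moves the victim to a phone call instead of a URL, rather than a detail the report states about these specific emails.

```python
import re

# Constructed sample messages (not real campaign emails): one callback-phishing
# lure that impersonates a security vendor, and one benign vendor notification.
SAMPLES = [
    {
        "from": "Security Team <alerts@crowdstrike-support-center.com>",
        "subject": "Urgent: breach detected on your network",
        "body": ("Our analysts at CrowdStrike detected a potential compromise on your "
                 "network. Call our incident line immediately at +1 (888) 555-0142 "
                 "to remediate."),
    },
    {
        "from": "CrowdStrike Falcon <noreply@crowdstrike.com>",
        "subject": "Weekly Falcon summary",
        "body": "Your weekly report is available at https://falcon.crowdstrike.com/reports.",
    },
]

# North-American style phone numbers with optional country code and separators.
PHONE_RE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://", re.I)
URGENCY_WORDS = ("breach", "compromise", "infection", "immediately", "urgent", "call")

# Hypothetical allowlist: brand name -> domains that vendor genuinely sends from.
VENDOR_DOMAINS = {"crowdstrike": {"crowdstrike.com"}}


def sender_domain(from_header):
    """Extract the domain part of an RFC 5322 From header (display name ignored)."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def impersonated_vendor(msg):
    """Return a vendor brand mentioned in the mail whose domain the sender does not use."""
    text = " ".join((msg["from"], msg["subject"], msg["body"])).lower()
    domain = sender_domain(msg["from"])
    for brand, domains in VENDOR_DOMAINS.items():
        genuine = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in text and not genuine:
            return brand
    return None


def score_email(msg):
    """Collect callback-phishing indicators; three or more flags the message."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    indicators = []
    if PHONE_RE.search(msg["body"]):
        indicators.append("phone_number")
    if not URL_RE.search(msg["body"]):
        # Callback lures typically carry no link at all, so URL scanners see nothing.
        indicators.append("no_links")
    if sum(word in text for word in URGENCY_WORDS) >= 2:
        indicators.append("urgency_language")
    brand = impersonated_vendor(msg)
    if brand:
        indicators.append("brand_domain_mismatch:" + brand)
    return {
        "score": len(indicators),
        "indicators": indicators,
        "callback_phish": len(indicators) >= 3,
    }


def run_samples():
    """Score every constructed sample and return the results in order."""
    return [score_email(m) for m in SAMPLES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, run_samples()):
        print(msg["subject"], "->", result)
```

The brand/domain mismatch is the strongest single signal here, because a genuine vendor alert arrives from the vendor's own domain; the phone-number and no-link indicators are what distinguish callback phishing from link-based lures that URL rewriting or sandboxing would already catch.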

Callback campaign operators typically talk the victim into installing a commercial remote administration tool over the phone, which gives the attackers their initial access to the network. A similar callback incident in March illustrates the pattern: the threat actors installed AteraRMM and then Cobalt Strike, which they used for lateral movement and to deploy additional payloads.

CrowdStrike Intelligence cannot yet confirm which malware or ransomware variant is being used in this campaign, but the operators will most likely try to monetise the intrusions through ransomware.

The comparison with the 2021 BazarCall campaign is notable because those intrusions ended in Conti ransomware deployments. Conti is still making headlines despite its recent shutdown.

This is also the first identified callback campaign that impersonates cybersecurity companies. The tactic is effective because a breach warning that appears to come from the victim's own security vendor carries real urgency, making recipients far more likely to pick up the phone.
