‘Callback’ Phishing Campaign Impersonates Security Firms

July 19, 2022

Victims instructed to make a phone call that will direct them to a link for downloading malware.

A new callback phishing campaign is impersonating prominent security companies to try to trick potential victims into making a phone call that will instruct them to download malware.


Researchers at CrowdStrike Intelligence discovered the campaign because CrowdStrike itself is among the security firms being impersonated, they said in a recent blog post.


The campaign employs a typical phishing email designed to pressure the victim into responding with urgency—in this case, by implying that the recipient’s company has been breached and insisting that they call a phone number included in the message, researchers wrote. If the targeted person calls the number, they reach someone who directs them to a malicious website, they said.


“Historically, callback campaign operators attempt to persuade victims to install commercial RAT software to gain an initial foothold on the network,” researchers wrote in the post.


Researchers likened the campaign to one discovered last year dubbed BazarCall by the Wizard Spider threat group. That campaign used a similar tactic to try to spur people to make a phone call to opt-out of renewing an online service the recipient purportedly is currently using, Sophos researchers explained at the time.


If people made the call, a friendly person on the other side would give them a website address where the soon-to-be victim could supposedly unsubscribe from the service. However, that website instead led them to a malicious download.


CrowdStrike also identified a campaign in March of this year in which threat actors used a callback phishing campaign to install AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware, CrowdStrike researchers said.


Impersonating a Trusted Partner


Researchers did not specify what other security companies were being impersonated in the campaign, which they identified on July 8, they said. In their blog post, they included a screenshot of the email sent to recipients impersonating CrowdStrike, which appears legitimate by using the company’s logo.


Specifically, the email informs the target that it’s coming from their company’s “outsourced data security services vendor,” and that “abnormal activity” has been detected on the “segment of the network which your workstation is a part of.”


The message claims that the victim’s IT department already has been notified but that their participation is required to perform an audit on their individual workstation, according to CrowdStrike. The email instructs the recipient to call a number provided so this can be done, which is when the malicious activity occurs.
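The lure described above has a recognisable shape: it claims to come from a security vendor, asserts a breach or "abnormal activity", asks the recipient to phone a number, and deliberately carries no link or attachment, so URL and attachment scanners see nothing. The following triage heuristic is an added example for defenders, not code from the CrowdStrike post or from Threatpost; the sample messages are constructed to mirror the wording the article quotes, and the term lists, weights and threshold are assumptions to be tuned against your own mail.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not from the CrowdStrike post). The first
# mirrors the lure the article describes; the others are ordinary mail.
SAMPLE_EMAILS = [
    {
        "subject": "Urgent: abnormal activity detected on your workstation",
        "body": (
            "We are your company's outsourced data security services vendor. "
            "Abnormal activity has been detected on the segment of the network "
            "which your workstation is a part of. Your IT department has been "
            "notified, but an audit of your workstation requires your participation. "
            "Please call 1-555-010-0199 so we can complete the audit."
        ),
        "attachments": [],
    },
    {
        "subject": "Team lunch on Friday",
        "body": "RSVP by replying. The menu is at http://intranet.example/menu",
        "attachments": [],
    },
    {
        "subject": "Your password expires in 7 days",
        "body": "Change it at https://portal.example before it expires.",
        "attachments": [],
    },
]

# Assumed indicator lists; extend them from lures seen in your environment.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALLBACK_RE = re.compile(r"\b(call|phone|dial)\b")
URGENCY_TERMS = ("breach", "abnormal activity", "compromised", "urgent", "immediately")
VENDOR_TERMS = ("vendor", "security services", "security team", "audit")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def score_callback_phish(msg: dict) -> Verdict:
    """Score one message for callback-phishing traits. Higher is more suspicious."""
    text = f"{msg['subject']}\n{msg['body']}".lower()
    v = Verdict()
    if PHONE_RE.search(text):
        v.add(2, "phone number in message")
    if CALLBACK_RE.search(text):
        v.add(1, "asks the recipient to call")
    if any(t in text for t in URGENCY_TERMS):
        v.add(1, "breach or urgency language")
    if any(t in text for t in VENDOR_TERMS):
        v.add(1, "claims to be a security vendor or to require an audit")
    # A phone-only lure carries no URL or attachment, which is itself a signal:
    # the payload is handed over during the call, out of reach of mail scanners.
    if "http" not in text and not msg.get("attachments"):
        v.add(1, "no link or attachment (phone-only lure)")
    return v


def triage(msgs: list, threshold: int = 4) -> list:
    """Return (subject, verdict) for messages that reach the review threshold."""
    flagged = []
    for m in msgs:
        v = score_callback_phish(m)
        if v.score >= threshold:
            flagged.append((m["subject"], v))
    return flagged


if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE_EMAILS):
        print(f"[{verdict.score}] {subject}: {', '.join(verdict.reasons)}")
```

This is a routing heuristic, not a blocking rule: messages that score above the threshold should go to analyst review or to the address the vendor publishes for reporting phishing, and the "no link or attachment" signal is what distinguishes this lure class from the link-based phishing that existing filters already cover.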


Though researchers were not able to identify the malware variant being used in the campaign, they believe with high likelihood that it will include “common legitimate remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and the deployment of ransomware or data extortion,” they wrote.


Potential to Spread Ransomware


Researchers also assessed with “moderate confidence” that callback operators in the campaign “will likely use ransomware to monetize their operation,” they said, “as 2021 BazarCall campaigns would eventually lead to Conti ransomware.”


“This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches,” researchers wrote.


Further, they stressed that CrowdStrike would never contact customers in this way, and urged any of their customers receiving such emails to forward phishing emails to the address csirt@crowdstrike.com.


This assurance is particularly important now that cybercriminals have become so adept at social engineering tactics that appear perfectly legitimate to unsuspecting targets, noted one security professional.


“One of the most important facets of effective cybersecurity awareness training is educating users beforehand on how they will or will not be contacted, and what information or actions they may be asked to take,” Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, wrote in an email to Threatpost. “It is critical that users understand how they may be contacted by legitimate internal or external departments, and this goes beyond just cybersecurity.”


Source: threatpost.com
