Security news that informs and inspires

Threat Actors Find Success in Callback Phishing Attacks


A threat actor has been using callback phishing - a known social engineering tactic that involves attackers talking to victims over the phone - as a way to download legitimate, trusted systems management tools on victim computers, with the end goal of manually exfiltrating data for extortion.

The threat actor has targeted multiple organizations across the legal and retail sectors from mid-May to late October in attacks that have cost victims thousands in dollars and have had a high success rate, according to researchers with Palo Alto Networks’ Unit 42 team. That high success rate is part of the reason that callback phishing as a method has been increasing in popularity among threat actors overall. According to an August report by Agari, hybrid voice phishing attacks like callback phishing increased 625 percent in the second quarter of 2022 over the first quarter. BazarLoader attackers were first observed leveraging this tactic in attacks that used a mix of emails and phone-based “customer service representatives” in order to direct victims to download a malicious file.

“By design, this style of social engineering attack leaves very few artifacts because of the use of legitimate trusted technology tools to carry out attacks,” said Kristopher Russo, senior threat researcher with Unit 42, in a Monday analysis. “However, Unit 42 has identified several common indicators implying that these attacks are the product of a single highly organized campaign. This threat actor has significantly invested in call centers and infrastructure that’s unique to each victim.”

The attack starts with a phishing message to a target's corporate email address, which includes an attached invoice (typically for under $1,000) and tells the target that his credit card has been charged for a service. The email includes a phone number and unique ID, and when the target calls the number to inquire about the charge he reaches a live agent that is part of an attacker-controlled call center. Under the guise of helping the target, the "live agent" then guides the target through downloading the Syncro remote support tool, enabling the threat actor to install a remote administration tool.

The threat actor then exfiltrates valuable data from the system via file transfer tools like Rclone or WinSCP and later sends an extortion email demanding the victim pays a fee or the data will be released, sometimes threatening to contact the victim's customers or clients to increase pressure to pay.

“While groups that can establish infrastructure to handle inbound calls and identify sensitive data for exfiltration are likely to dominate the threat landscape initially, a low barrier to entry makes it probable that more threat actors will enter the fray."

Over the five-month period of the campaign, researchers have noted a number of changes to the attacks that show that threat actors are evolving their tactics. The wording in the phishing email body has changed, for instance, in a likely move to avoid email protection platform detection. Also, while the extortion campaign recycled phone numbers in its early iterations, later attacks used unique phone numbers for individual victims.

“These cases show a clear evolution of tactics that suggests the threat actor is continuing to improve the efficiency of their attack,” said researchers. “Cases analyzed at the beginning of the campaign targeted individuals at small- and medium-sized businesses in the legal industry. In contrast, cases later in the campaign indicate a shift in victimology to include individuals at larger targets in the retail sector.”

Other research teams have been tracking this callback phishing campaign. Researchers with the Sygnia Incident Response team in July tied the activity to a threat actor called “Luna Moth,” which emerged in March and has launched various scamming activities that combines corporate data theft with extortion. At the same time, researchers with ADVIntel in August attributed the campaign to Silent Ransom, which they said has ties to the Conti group - but Unit 42 researchers said they cannot confirm this tie at this time and are monitoring closely for attribution.

For threat actors, the callback phishing attack requires significant investment, including setting up fake call centers and unique infrastructure for each victim. However, the leveraging of actual over-the-phone interactions, the lack of malware in the original phishing email and the abuse of legitimate tools make the attack harder to detect and less complex than script-based attacks. Because these types of attacks are so difficult to sniff out, researchers said that “employee cybersecurity awareness training is the first line of defense.”

“Unit 42 expects callback phishing attacks to increase in popularity due to the low per-target cost, low risk of detection and fast monetization,” according to Russo. “While groups that can establish infrastructure to handle inbound calls and identify sensitive data for exfiltration are likely to dominate the threat landscape initially, a low barrier to entry makes it probable that more threat actors will enter the fray.”