A callback phishing campaign has been launched in which the attackers pose as authentic cybersecurity providers. The hackers “alert” potential targets with a data breach notification and ask them to call back for assistance, which leads to phishing.
The instances came to light when email campaigns asking about recipients’ companies started cropping up in July. Attackers sent professional-looking emails that resembled messages from legitimate cybersecurity companies. The email would alert users to possible threats in their network, leading to panic. To secure their network, many would call the hacker back. Following this, the hacker would ask them to install commercial RAT software, leaving the caller compromised.
According to the report, hackers use fraudulent phone numbers that seem relatable to the users and convince the victim to share their details. Using more complex and sophisticated morphing techniques, the hackers claim to solve the issue that they themselves faked. During the process, the hackers use the victims’ browser history to gain access to their recent activities and use it to entrap them. The browser history was also used to gain victims’ trust and persuade them to click on phishing links and call fraudulent phone numbers.
It was speculated that such fraudulent campaigns deploy common remote access tools (RATs) for access. Furthermore, off-the-shelf penetration testing tools for lateral movement and for deploying ransomware or data extortion tools are also suspected to be included in the packages.
These tricks are used to monetize users’ confidence by accessing their credentials. CrowdStrike Intelligence hasn’t been able to confirm the exact variant of malware used; however, it has reported that this is the first identified callback campaign impersonating cybersecurity entities.
Meanwhile, CrowdStrike and other cybersecurity companies have also released notices to warn users that such schemes and malware are live threats to user security.