A callback phishing campaign has been impersonating cybersecurity firms, including CrowdStrike, to lure its victims. The email claims that the recipient’s firm has been breached and urges them to call the provided phone number to stay protected.

What was found?

According to CrowdStrike, this is the first time a callback campaign has been discovered impersonating well-known cybersecurity entities.
  • The recent campaign is believed to use legitimate RATs for initial access, off-the-shelf penetration testing tools for lateral movement, data extortion, and ransomware deployment.
  • At present, the team of researchers cannot confirm the variant used in the campaign. However, the callback operators are believed to be using ransomware for monetization.

Further, the campaign has a higher chance of success because cyber breaches are treated as a significant priority by the organizations that receive such notices.

How does the callback campaign work?

  • In such campaigns, a phishing email is sent to cybersecurity firms stating that their organization has been breached and insisting that they call a phone number included in the message.
  • If the targeted user calls the number, the attackers direct the potential victim to a website containing malware, which could be a RAT that gives them initial access. They can then perform lateral movement using penetration testing tools and deploy ransomware.
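
A mail-triage heuristic for the lure described above, as an added example that is not from CrowdStrike or the original article: it flags a message only when a security-vendor name arrives from a sender outside that vendor's domains, the text claims a breach, and it urges a phone call. The vendor-to-domain map, the keyword patterns, the function name and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: brand keyword -> domains that brand really sends mail from (maintain your own list).
VENDOR_DOMAINS = {"crowdstrike": {"crowdstrike.com"}}

BREACH_RE = re.compile(r"\b(breach(ed)?|compromised?)\b", re.I)
CALL_RE = re.compile(r"\b(call|phone|dial)\b", re.I)
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

def score_callback_lure(raw: str) -> dict:
    """Return the lure signals found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{display} {msg.get('Subject', '')} {body}"

    # Brands named in the message whose real domains do not match the sender.
    spoofed = sorted(
        brand for brand, domains in VENDOR_DOMAINS.items()
        if brand in text.lower()
        and not any(domain == d or domain.endswith("." + d) for d in domains))
    signals = {
        "vendor_named_by_foreign_sender": bool(spoofed),
        "breach_claim": bool(BREACH_RE.search(text)),
        "phone_call_urged": bool(CALL_RE.search(body) and PHONE_RE.search(body)),
    }
    # Flag only when all three traits of the described lure co-occur.
    return {"flag": all(signals.values()), "signals": signals, "spoofed": spoofed}

# Constructed sample messages (not taken from the campaign).
LURE = """From: "CrowdStrike Support" <alerts@example.net>
Subject: Urgent: your network has been breached

Call +1 (202) 555-0143 immediately to stay protected.
"""
NEWSLETTER = """From: CrowdStrike <news@crowdstrike.com>
Subject: Quarterly threat report

Read how one breached retailer recovered. Call us at +1 (202) 555-0143.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("newsletter", NEWSLETTER)):
        print(name, score_callback_lure(raw))
```

Requiring all three signals together keeps ordinary vendor newsletters and genuine support mail out of the review queue; a hit is a reason for an analyst to look, not a verdict.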

Similarities with previous campaigns

  • This campaign uses social engineering tactics similar to those of previous callback campaigns, such as Wizard Spider’s 2021 BazarCall campaign.
  • Researchers further spotted a similar callback campaign in March 2022. In that campaign, the attackers installed Atera RMM followed by Cobalt Strike for lateral movement and deployed additional malware. 

Conclusion

Cybercriminals always try to take advantage of anything that can help in achieving their nefarious objectives. Now, they have successfully impersonated cybersecurity firms to fool recipients. Thus, always stay vigilant and contact cybersecurity firms via their official website.
Cyware Publisher