Attackers are increasingly adopting new social engineering tactics to lure potential victims. A recently discovered campaign uses callback phishing, with lures claiming that the victim has been charged for a high-cost streaming service.

Old attack with a twist

Callback phishing was first observed in March 2021, when BazarCall used it to notify victims about a free trial for a medical service subscription. The attacks have since evolved. They still use fake subscription lures in the first phase, but then switch to the pretense of helping victims deal with a cyberattack or infection.

The latest campaign has been targeting users in the U.S., the U.K., Canada, India, Japan, and China, and has several variations.

How does it work?

  • The phishing emails pose as payment invoices for services from Microsoft, PayPal, McAfee, Geek Squad, and Norton.
  • When the victim calls the provided number, they are asked to provide some details for verification purposes. Once they do, the scammer replies that there are no matching records and that the invoice was spam.
  • The scammer then warns the victim to check their system for a malware infection, which may be causing them to receive such spam. If the victim falls for this, they are asked to connect with a technical support agent, who initiates phase 2 of the attack.
  • The so-called support agent directs the victim to a website and convinces them to download a supposed antivirus, which is actually malware.
  • In a majority of the campaigns, the attackers push an executable file named 'support.Client.exe', which is actually an installer for the ScreenConnect remote access tool.
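
For mail triage, the first phase described above can be checked mechanically: a brand from the list, a billing lure, and a phone number the reader is told to call. The sketch below is an added example, not code from the campaign report; the lure and call-to-action word lists, the phone pattern, the 80-character window and the sample messages are all assumptions constructed for illustration.

```python
import re

# Brands the article lists as impersonated in the fake invoices.
BRANDS = ("microsoft", "paypal", "mcafee", "geek squad", "norton")
# Assumed lure and call-to-action vocabulary (not from the article).
LURE_TERMS = ("invoice", "subscription", "renew", "charged", "refund")
CALL_TERMS = ("call", "contact", "dial", "helpline")
# Assumed loose North American phone pattern.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
WINDOW = 80  # characters before a number searched for a call-to-action


def triage(subject, body):
    """Score one message for the callback-phishing pattern."""
    text = f"{subject}\n{body}".lower()
    brands = [b for b in BRANDS if b in text]
    lures = [t for t in LURE_TERMS if t in text]
    # Keep only numbers the reader is being told to phone, so order or
    # account numbers that merely look like phone numbers are ignored.
    numbers = []
    for m in PHONE_RE.finditer(text):
        context = text[max(0, m.start() - WINDOW):m.start()]
        if any(term in context for term in CALL_TERMS):
            numbers.append(m.group().strip())
    suspect = bool(brands and lures and numbers)
    return {"brands": brands, "lures": lures,
            "callback_numbers": numbers, "suspect": suspect}


# Constructed sample messages; the phone numbers are fictional.
SAMPLES = [
    ("Your Norton subscription invoice",
     "Your annual plan was renewed and $349.99 was charged to your card. "
     "If you did not authorize this, call our billing desk at "
     "+1 (808) 555-0142 within 24 hours."),
    ("PayPal receipt",
     "You sent $20.00 to a merchant. Invoice 7781 is available in your "
     "account at https://example.com/activity."),
    ("Appointment reminder",
     "Please call the clinic at 808-555-0199 to reschedule."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        result = triage(subject, body)
        print(f"{subject!r}: suspect={result['suspect']} {result}")
```

Only the first sample is flagged; a hit is a reason to route the message for review, not proof of fraud.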

Other variants of the attack campaign

  • In one variation, the attackers send PayPal-themed phishing emails, asking users to check whether their account has been compromised.
  • In a separate scenario, scammers tell victims that the security product pre-installed on their device has expired and has been renewed automatically using the victim’s account. To cancel that subscription, the victim is asked to access the refund portal, which is a malware-dropping website.

Ending notes

With ever-evolving tactics, cybercriminals are getting better at luring victims and convincing them to make transactions in the attackers' favor. Users are advised to use authenticated channels (the official company website or app), even when canceling a subscription.
Cyware Publisher
