Scammers are using callback phishing to push remote access software
Phishing attacks are constantly evolving and the latest versions are the most dangerous yet, a new report suggests.
Cybersecurity researchers from Trellix recently spotted an advanced version of the callback style of attack which, if pulled off successfully, robs victims of their money, locks their computers with ransomware, and steals identity data in the process.
Callback attacks are exactly what they sound like: the phishing email carries no malicious link or attachment, only a phone number. The victim makes the first call, the scammers call the victim back, and the damage is done over the phone.
Downloading the (anti)virus
This particular campaign starts the usual way, with an email. The victim receives an email confirmation of a purchase they never made, which includes a phone number the person can use to “cancel” the order.
Usually, this is where an attacker would strike, using that first phone call to talk the victim into downloading remote access software and then using the access it grants to install malware, ransomware, or other malicious tools.
This campaign, however, takes it a step further. When the victim calls the provided number, the person on the other end claims to have checked the database and tells them the email is spam. The operator then suggests that the victim's computer is infected with a virus and says a "technical specialist" will reach out later in the day.
That second phone call is where the payload lands. The "specialist" walks the victim through downloading a fake antivirus program, which is in fact a ClickOnce executable named support.Client.exe. Running it installs the ScreenConnect remote access tool, giving the attacker hands-on control of the endpoint.
“The attacker can also show a fake lock screen and make the system inaccessible to the victim, where the attacker is able to perform tasks without the victim being aware of them,” Trellix said.
The researchers also found a couple of variants of the campaign. One distributes fake cancellation forms that harvest the victim's personal details. Victims are then told they must log into their bank account to receive the refund, and while the attacker has control of the screen they are tricked into sending money to the scammers instead.
“This is achieved by locking the victim’s screen and initiating a transfer-out request and then unlocking the screen when the transaction requires an OTP (One Time Password) or a secondary password,” Trellix detailed.
“The victim is also presented with a fake refund successful page to convince them into believing that they have received the refund. The scammer may also send an SMS to the victim with a fake money received message as an additional tactic to prevent the victim from suspecting any fraud.”