New Callback Phishing Tactics Used to Gain Access to Devices

Ransomware gangs have resurrected a callback phishing technique for gaining initial access to networks, where initial contact is made with the victim via email and a telephone number is provided for the victim to call, along with an important reason for making contact. This is usually a pending charge for a fake subscription to a product or service or a free trial that is due to come to an end, resulting in a charge being applied.

Callback phishing has proven successful, as since the emails contain no malicious content other than a phone number, the emails are usually not detected as malicious and are delivered to inboxes. The pending payments for subscriptions are sizable, which encouraged the victims to make the call. The phone line is manned by the threat actor or an affiliated entity who uses social engineering techniques over the phone to trick the victim into downloading a malicious file, or commonly, opening a remote control session with the attacker, who then deploys malware on their device.

These tactics were used by the Ryuk ransomware gang, although when that operation was shut down, new tactics were adopted to gain access to networks; however, recently, the callback phishing campaigns have recommenced. When first detected the campaign was dubbed BazarCall, as the aim was to deliver BazarLoader malware, which was in turn used to deliver the ransomware payload. Several ransomware operations have now adopted this tactic, including Quantum, Royal, and the Silent Ransom Group.

In these campaigns, the emails advise the recipient that an invoice is due for payment for products or services provided by GeekSquad, PayPal, McAfee, Norton, or Microsoft, typically for a few hundred dollars. In the BazarCall campaign, when the call was made, the victim was tricked into downloading a malicious file; however, a new approach is now being employed. When the caller is asked for the invoice number to verify the account and charge, they are told that no such invoice exists and that the email is spam, and warns that opening the email may have resulted in a malware infection. They then offer to connect the caller with an IT specialist who can check.

After the caller hangs up, a call is made by another individual who claims to have been provided with their details regarding a potential malware infection and offers help to remove the malware. The victim is directed to a website to download fake antivirus software, which if executed, will install malware that provides the threat actor with access to their device. A variation of this scam is conducted using fake notifications from PayPal, in which the victim is told that their PayPal account was compromised and has been accessed by an unauthorized individual on multiple occasions.

A third variation involves a scam where the victim is told that Norton security software that was installed on their device prior to purchase has expired and needs to be renewed, with the user directed to a website to download the latest version of the software or to download a program that needs to be run as part of the cancellation process.

These scams were recently identified by security researchers at Trellix, who note that in all variants, the scammer asks the caller for the invoice ID, which is uniquely generated for each email. That allows the scammer to pull up the relevant invoice and use the information to convince the victim that they have all their information and are who they claim to be. In most cases, the file the user downloads is called Support.Client.exe, or a similarly named file.

In one of the campaigns, malware is downloaded and executed, and a fake lock screen is displayed, which temporarily prevents the victim from using their device. In the background, the attacker performs tasks without the victim being aware. These lock screens have also been used on one campaign where the victim is told they must log in to their bank account to complete the refund process. The victim is tricked into making a payment under the guise of completing actions to allow the refund to be processed. The lock screen is used when they have logged into the account, with the attacker processing a transfer out of the victim’s account behind the lock screen, then unlocking the screen when a one-time password or security question needs to be answered. In this campaign, an SMS message is sent to the victim to advise them that the refund has been processed, to make it less likely that they will log into their account and see the transfer and try to block it.

These callback phishing scams are convincing. If you receive an unsolicited message for a service or product you have never used or subscribed to that alleges an invoice is due, make contact with the company in question using contact information obtained from a trusted source, and never use the contact number supplied in the email. If you do use one of the products, log into your account using previously verified methods to check the legitimacy of any claims.

Due to the increasing number of these callback phishing campaigns, businesses should incorporate these methods into their security awareness training programs and phishing simulations to prepare the workforce should such a threat be encountered.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of