Security Vendors Impersonated in Callback Phishing Campaign

The cybersecurity vendor CrowdStrike has issued a warning about a callback phishing campaign that attempts to trick employees at businesses into visiting a malicious website. Initial contact is made via email, which instructs recipients to make a phone call as part of a security audit.

According to one of the emails obtained by researchers at Crowdstrike, contact is made due to an alleged data breach at the cybersecurity firm. The emails include the CrowdStrike logo and correct head office address, and they are devoid of the usual spelling mistakes and grammatical errors that are often found in phishing emails.

The emails say that a data breach has occurred that has potentially affected the user’s workstation and others on the network, and in response, CrowdStrike is conducting a security audit. Rather than include any malicious content in the email body or attachments, the user is told to call the CrowdStrike team. They are told that CrowdStrike has notified the IT department at their company, which instructed the cybersecurity firm to make contact with each employee directly.

If the employee makes the phone call, they are directed to a malicious website. While the malicious actions performed have not been confirmed, CrowdStrike said that callback phishing scams such as this are often used to trick individuals into downloading Remote Access Trojans (RATs). The RATs provide the attacker with access to the network, which is often sold on to ransomware gangs. A similar campaign was conducted by the Wizard Spider threat group last year. Wizard Spider was behind Ryuk ransomware.

Another callback phishing scam was detected last year that used similar tactics, which tricked users into downloading AteraRMM, which was used to deploy Cobalt Strike, which allowed lateral movement and the downloading of malware. CrowdStrike believes the campaign will similarly be used to install a RAT, and that the attack will follow a similar pattern, although the malware being deployed in this campaign has not been identified. CrowdStrike said other cybersecurity companies appear to have been impersonated, but neglected to say which companies they were. CrowdStrike confirmed that it would never contact employees of customers in this manner.

Callback phishing scams such as this may not be detected by email security solutions, as the emails themselves are not malicious and do not include some of the most typical signs of phishing. Web filtering solutions may offer protection and could prevent the user from visiting the malicious website where malware is downloaded, but the key to reducing susceptibility to callback phishing is security awareness training. Employees need to be educated about the different types of phishing attacks, including callback phishing. Phishing simulations should also be conducted on the workforce to assess susceptibility to phishing, and simulations of callback phishing attacks should be included in simulations.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of