Palo Alto Network’s Unit 42 published a report detailing a callback phishing extortion campaign orchestrated by a threat actor known as Luna Moth (aka Silent Ransom Group).
Over the past few months the campaign has targeted businesses in multiple sectors, including legal and retail. Callback phishing, also known as telephone-oriented attack delivery (TOAD) is a social engineering technique that requires a threat actor to interact with the target to achieve their goal. This method is more resource intensive, but less complex than script-based attacks, and it tends to have a much higher success rate, the researchers explained.
“This campaign leverages extortion without encryption, has cost victims hundreds of thousands of dollars and is expanding in scope… In this campaign, attackers use legitimate and trusted systems management tools to interact directly with a victim’s computer, to manually exfiltrate data to be used for extortion,” the technical write-up reads.
According to Unit 42, threat actors associated with the Conti ransomware group have extensively used this attack style in BazarCall campaigns.
A callback phishing attack usually involves a phishing email sent to a corporate email address with an attached invoice indicating the recipient’s credit card has been charged for a service, usually for an amount under $1,000. Interestingly, the email itself contains no malware and is sent using a legitimate email service to avoid being flagged by security solutions.
“Under the guise of canceling the subscription, the threat actor agent guides the caller through downloading and running a remote support tool to allow the attacker to manage the victim’s computer. This step usually generates another email from the tool’s vendor to the victim with a link to start the support session,” the researchers explained. “The attacker then downloads and installs a remote administration tool that allows them to achieve persistence. If the victim does not have administrative rights on their computer, the attacker will skip this step and move directly to finding files for exfiltration.”
Once the data is stolen the attackers sends an extortion email demanding victims pay a fee, or have their information leaked.
“Unit 42 expects callback phishing attacks to increase in popularity due to the low per-target cost, low risk of detection and fast monetization. While groups that can establish infrastructure to handle inbound calls and identify sensitive data for exfiltration are likely to dominate the threat landscape initially, a low barrier to entry makes it probable that more threat actors will enter the fray,” the researchers said.