The number of phishing campaigns in the past few months has skyrocketed in an unprecedented way. Such attacks normally involve links to fake landing pages that include malicious attachments. However, recently, threat actors have shifted their methods and are now using the “callback” technique in their malicious practices.
We’ve seen this before. The attacker impersonates a reputable company that offers a huge deal, job offer, or anything of the sort. But now, their phishing campaign includes preying on the targets’ “fear” factor.
The attackers are disguising themselves as well-known cybersecurity companies such as CrowdStrike and warning the victims of unusual activity within their network. What happens then? How are the threat actors operating? We’ve discussed everything below.
Callback Phishing Attack – A Number You Should Never Dial
As we mentioned, using the callback technique in phishing attacks has become very common in recent months. If an attacker has direct contact with the victim, he/she can ensure that everything goes according to plan.
The entire operation starts exactly how a phishing attack should. The victims receive an email from the attacker, disguised as a reputable entity. In this case, it’s the popular cybersecurity company CrowdStrike. There are other companies the threat actor is using, but this one is the most notable.
We’ve provided a snippet of the fake email below:
“During the daily network audit we have identified abnormal activity related to the segment of the network which your work station is part of.
We have identified the specific domain admin which administered the network and suspect a potential compromise that can affect all workstations within this network including yours. Therefore, we are performing detailed audit of all workstations.
We have already reached out directly to your information security department, however, to address potential compromise of location workstation, they referred us to the individual operators of these workstation, i.e. employees.”
As the snippet above shows, the message is quite convincing, which can trick a lot of users out there. Unlike other phishing emails, this one doesn’t include a malicious link.
Instead, the attackers include a phone number that the victims should use to contact them directly. It’s all about social engineering, since the threat actors have to explain in detail why they should be given access to a recipient’s device.
If the attackers can’t convince the victim, their whole operation fails. However, if the victim falls for the trick, the attackers guide the employee through an installation process.
We all know what they’re installing – remote administration tools (RATs) that give the attackers complete control over the workstation.
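Because the lure carries no link or attachment, URL and file scanning have nothing to inspect, so a mail filter has to look at the other traits described above. The following is an added example (not from CrowdStrike or the original article) of a heuristic that combines them; the brand-to-domain map, the regexes, the signal names and both sample messages are assumptions constructed for illustration, and it only handles plain-text, unencoded bodies.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands users expect mail from, mapped to their legitimate sending domains.
BRAND_DOMAINS = {"crowdstrike": {"crowdstrike.com"}}
URL_RE = re.compile(r"https?://|www\.", re.I)
# Loose matcher for North American style numbers, with optional country code.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
CALL_RE = re.compile(r"\b(call|phone|dial)\b", re.I)
ALARM_RE = re.compile(r"\b(compromise|abnormal activity|audit)\b", re.I)

def body_text(msg):
    """Join the text parts of a parsed message."""
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_maintype() == "text")

def callback_phish_signals(raw):
    """Return the callback-phishing signals present in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = body_text(msg)
    signals = []
    for brand, good in BRAND_DOMAINS.items():
        claimed = brand in display.lower() or brand in text.lower()
        if claimed and not any(domain == d or domain.endswith("." + d) for d in good):
            signals.append("brand_domain_mismatch")
    if PHONE_RE.search(text) and CALL_RE.search(text):
        signals.append("phone_call_to_action")
    if not URL_RE.search(text) and not any(p.get_filename() for p in msg.walk()):
        signals.append("no_link_or_attachment")
    if ALARM_RE.search(text):
        signals.append("security_alarm_language")
    return signals

def is_suspected_callback_phish(raw):
    """Flag mail that claims a known brand from a foreign domain and asks for a call."""
    found = callback_phish_signals(raw)
    return {"brand_domain_mismatch", "phone_call_to_action"} <= set(found)

# Constructed sample messages (not real mail); .example and 555-01xx are reserved values.
LURE = ("From: CrowdStrike Audit <audit@crowdstrike-audit.example>\n"
        "Subject: Workstation audit\n\n"
        "We suspect a potential compromise. Please call +1 (202) 555-0142 to schedule.\n")
BENIGN = ("From: CrowdStrike <noreply@crowdstrike.com>\n"
          "Subject: Release notes\n\n"
          "New sensor release notes: https://www.crowdstrike.com/\n")
```

The two extra signals (no link or attachment, alarm language) are reported for triage but are not required for the verdict, since plenty of legitimate mail shares them.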
Callback Phishing – The Call with a Malicious Mole
The use of callback phishing dates back to 2021. In fact, one of the first groups to implement it was none other than the Conti ransomware gang. They used it to gain initial access to corporate networks.
Now, Conti ransomware has ceased its operations, which encouraged more operators to follow in their footsteps.
In other words, things are looking very bad for companies and organizations as so many cybercriminals are looking to make a name for themselves. To read the full report, you can check what the actual CrowdStrike company had to say.