‘Callback’ phishing campaign impersonates cyber security firms


A new callback phishing campaign is impersonating leading security firms to trick potential victims into making a phone call during which they are instructed to download malware.

Researchers at CrowdStrike Intelligence discovered the campaign. CrowdStrike is one of the security firms that were impersonated.

In this new campaign, a typical phishing email is used to fool the victim into responding with urgency. The email implies that the recipient’s company has been breached and insists that they call a phone number included in the message. If the targeted person calls the number, they reach someone who directs them to a website with malicious intent.

Usually, callback campaign operators try to persuade victims to install commercial RAT software to gain an initial foothold on the network.

The researchers found the campaign similar to one discovered last year, dubbed BazarCall, by the Wizard Spider threat group. That campaign used a similar technique to try to persuade people to make a phone call to opt out of renewing an online service the recipient is currently using.

The security researchers did not specify the names of other security companies that were being impersonated in the campaign. In their blog post, the researchers included a screenshot of the email sent to recipients impersonating CrowdStrike, which appears legitimate by using the company’s logo.

In this case, the email informs the target that it comes from their company’s “outsourced data security services vendor,” and that “abnormal activity” has been detected. The message claims that the victim’s IT department has already been notified but that their participation is required to perform an audit on their individual workstation.

The researchers were not able to identify the malware variant being used in the campaign. This is the first identified callback campaign impersonating cybersecurity entities, and it has a higher potential for success given the urgent nature of cyber breaches.

