Callback phishing is a spearphishing method used by ransomware threat actors as an initial access method.
In practice, it involves usurping the identity of legitimate platforms or companies by sending emails claiming that the victim has been or will be charged for a service. The email then urges the victim to call a listed phone number for further clarification.
By calling this number, the victim is directed to a call center set up for the occasion by the threat actors. Over the phone, a “customer service representative” then seeks to gain remote access and distribute malware and/or steal data from the victim’s network.
As you can see, callback phishing is a method that relies on relatively advanced social engineering tricks, overlapping with those of tech support scams, to gain remote access.
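As an added, defender-side illustration (not code from Sekoia.io or from the report cited below), the following Python script scores an email against the traits the description above lists: a charge/renewal pretext, a listed phone number, a push to call, and the absence of any link or attachment, which is what lets these lures slip past attachment- and URL-based filters. The sample messages, sender domains, and phone numbers are constructed, and the keyword lists, the consumer-webmail check, and the threshold are assumptions for illustration, not Sekoia.io detection rules.

```python
import re
from dataclasses import dataclass, field

# Phrases typical of the "you have been / will be charged" pretext (assumed list).
BILLING_TERMS = ("charged", "invoice", "subscription", "renewal", "payment", "auto-renew")
# Phrases steering the recipient toward the phone rather than a link (assumed list).
CALL_TERMS = ("call us", "call our", "contact our", "helpline", "toll-free", "customer care")
# A "billing department" writing from consumer webmail is a brand/sender mismatch (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}

# North-American style numbers; adapt to your locale.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class EmailMessage:
    sender: str
    subject: str
    body: str
    has_attachment: bool = False


@dataclass
class Verdict:
    score: int
    reasons: list[str] = field(default_factory=list)


def score_callback_phishing(msg: EmailMessage) -> Verdict:
    """Count independent callback-phishing indicators found in one message."""
    text = f"{msg.subject}\n{msg.body}".lower()
    reasons: list[str] = []

    if any(term in text for term in BILLING_TERMS):
        reasons.append("billing/charge pretext")

    phones = PHONE_RE.findall(text)  # non-capturing groups, so whole matches are returned
    if phones:
        reasons.append("phone number in message")

    if any(term in text for term in CALL_TERMS):
        reasons.append("recipient urged to call")

    # The defining trait: the only "next step" offered is a phone call.
    if phones and not URL_RE.search(msg.body) and not msg.has_attachment:
        reasons.append("phone-only contact path (no link, no attachment)")

    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain in FREEMAIL_DOMAINS and "billing/charge pretext" in reasons:
        reasons.append(f"billing claim sent from consumer webmail ({domain})")

    return Verdict(score=len(reasons), reasons=reasons)


def is_callback_lure(msg: EmailMessage, threshold: int = 4) -> bool:
    """Flag the message when enough independent indicators line up (threshold is assumed)."""
    return score_callback_phishing(msg).score >= threshold


# Constructed sample messages (fictional senders and 555 numbers).
LURE = EmailMessage(
    sender="billing.desk@gmail.com",
    subject="Your annual subscription has been renewed - $389.99",
    body=(
        "Thank you for your payment. Your annual subscription has been renewed and "
        "your card will be charged $389.99 today.\n"
        "If you did not authorise this charge, call our customer care helpline at "
        "1-800-555-0199 within 24 hours to cancel."
    ),
)
RECEIPT = EmailMessage(
    sender="no-reply@example-store.com",
    subject="Your order receipt",
    body=(
        "Thanks for your order. Your payment of $42.00 was received.\n"
        "View your invoice at https://example-store.com/orders/12345 "
        "or reply to this email with questions."
    ),
)
MEETING = EmailMessage(
    sender="colleague@example.org",
    subject="Quick sync tomorrow?",
    body="Can you call me tomorrow morning at 1-800-555-0142 to go over the draft? Thanks.",
)

if __name__ == "__main__":
    for name, msg in (("LURE", LURE), ("RECEIPT", RECEIPT), ("MEETING", MEETING)):
        verdict = score_callback_phishing(msg)
        print(f"{name}: score={verdict.score} flagged={is_callback_lure(msg)} reasons={verdict.reasons}")
```

The legitimate receipt and the colleague's message each trip one or two indicators on their own, which is why the verdict combines them: a callback lure is the coincidence of a billing pretext, a phone number, a push to call, and nothing else to click. In a mail gateway or SIEM the same signals would feed a rule that routes such messages for review rather than relying on attachment sandboxing or URL reputation, which have nothing to inspect here.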
This method, also known as BazarCall, first appeared at the beginning of 2021. It was then used by ransomware groups such as Ryuk and later Conti, followed by Luna Moth (aka Silent Ransom aka TG2729), Quantum and Roy/Zeon (aka Royal).
As explained by our CTI analysts in their report on the state of the ransomware threat in the second quarter of 2022, the use of callback phishing among ransomware threat actors continues to grow. In the second quarter of 2022, it increased by 625% compared to the first quarter of 2021.
They also believe that more personalized versions of callback phishing campaigns could emerge in the future and hinder tracking and detection efforts, especially since the phishing messages used do not include malicious components per se. Their use by cybercrime groups could therefore increase in 2023.
To read more in the Sekoia.io report on the ransomware threat landscape, follow this link: https://blog.sekoia.io/sekoia-io-ransomware-threat-landscape-second-half-2022/.
Sekoia.io is a European cybersecurity software company. Through cyber threat intelligence and the automation of defense capabilities, we give system protection teams the advantage of detecting IT threats before impact. Our products include a threat intelligence tool and an XDR platform to which you can connect, without constraint, the security solutions needed to protect your infrastructure, as well as automate your actions thanks to SOAR.