Callback Phishing And Social Engineering Scams, What They Are And How To Avoid Them

callback phishing social engineering scams news
Researchers at the cybersecurity firm Trellix have been keeping tabs on a sophisticated phishing campaign, known as BazarCall, since it first drew attention in 2020. This campaign evolved over time, pioneering a social engineering technique called "callback phishing" that is now employed by many different threat actors in various campaigns. Victims of this tactic end up unknowingly infecting their devices with malware or ransomware at the direction of a threat actor playing the role of a customer support agent.

callback phishing fake invoices news
Fake invoices sent as part of a callback phishing attack (source: Trellix)

A callback phishing attack begins with an email containing a fake invoice for the purchase of a pricey subscription or some other expensive item. The invoice is designed to look legitimate, often including branding from a reputable company or payment service, such as PayPal, but is simply meant to grab the recipient’s attention. Alarmed by the unexpected appearance of a costly invoice, the recipient may decide to call the customer support number listed in the email in order to dispute the charge.

Unfortunately for the recipient of the email, calling the phone number included in the email is exactly what the threat actor behind a callback campaign wants the email recipient to do. The phone number connects callers directly to a scammer who masquerades as a customer support agent. The scammer can then use various social engineering methods to trick callers into installing malware on their systems.

callback phishing malicious support websites news
Malicious websites used in callback phishing attacks (source: Trellix)

In some cases, callback phishing scammers tell callers that the invoices they received are spam and may be an indicator that their computers are compromised in some way. In other cases scammers ask callers for their IP addresses, then inform the callers that the faulty invoices are related to purchases made from a different IP address in a suspicious location. Regardless of the form the social engineering takes, the scammer ultimately directs callers to a fake support website, where the callers are asked to download and run an executable file that is supposed to help solve the manufactured problem in some way.

Running this file triggers the final stage of the attack, at which point some form of malware is installed on the victim’s system. The malware may install additional malicious packages, encrypt the victim’s files as part of a ransomware attack, or aid the scammer in completing some form of payment fraud by giving the scammer remote access to the victim’s computer under the guise of providing further support.

The first and foremost step users can take to avoid falling victim to these kinds of phishing attacks is not calling any phone numbers listed in unexpected invoices. Those wishing to dispute some kind of charge with a legitimate company should ignore any links or phone numbers included in an email invoice and instead go directly to the company’s official website to find a support number or chat service. Users could also check their bank accounts and credit cards to see whether they were actually hit by any unexpected charge or not. There’s no need to dispute a faulty charge if it’s fake to begin with.

If, for some reason, users find themselves on the phone with a customer support agent who directs them to download and open or execute some file, users shouldn’t be eager to comply. They should instead ask clarifying questions about the purpose and function of the file. Users may even want to hangup and search the web or ask friends and family members with more technical knowledge for advice. If users decide to download the file, they should upload the file to VirusTotal, which scans files with over 70 different antivirus tools to check for the presence of malware. If VirusTotal doesn’t determine the file to be malicious, users shouldn’t take this result as an indisputable judgment that the file isn’t malicious.

The overall takeaway here is that that users should always be hesitant to run a file or install software on their devices at the direction of customer support. Cybercriminals often use urgency as a social engineering tactic, but users should do their best not to buckle under pressure.