If your eyes glaze over when you see warnings about phishing because your employees know better than to open suspicious links or attachments at this point, it’s time to snap to attention. Phishing is getting much more sophisticated—because in some ways, it’s getting simpler.
Carrying out a phishing attack has historically required a certain technical skill level; the threat actor would need the ability to create a malicious link or PDF. Phishing has evolved in a way that has lowered the barrier to entry. All you need in the initial stages is someone to pick up the phone.
It’s called “callback phishing,” and if your employees aren’t made aware of it, they could very easily fall victim to it. Here’s a look at the rise of callback phishing, an example of a threat actor who used the attack vector, and how organizations and their employees can learn to spot and block these attempts.
The Evolution of Callback Phishing
Agari’s Q2 2022 Quarterly Threat Trends & Intelligence Report noted a slight increase in phishing attacks, which were up 6% compared to Q1, but a major surge in hybrid vishing, which saw 625% growth quarter-over-quarter. Vishing means “voice phishing”; hybrid vishing, or “callback phishing,” involves not just an email but a phone call, hence the hybrid nature.
The attack starts as a phishing email whose sender is masquerading as a company or vendor. The email typically informs the recipient they need to renew a subscription, pay a bill, or see to their account in some other way. The email contains a customer service phone number that the recipient is instructed to call to rectify the issue.
As for who these emails can purportedly be from, some threat actors do gather open-source intelligence on targets to identify vendors the recipient’s company actually uses, but generally they’re casting a wide net. The company they’re impersonating doesn’t have to be a vendor the business uses.
The key part is convincing the employee that a call is needed to tend to the matter. And once the employee dials the customer service number, they’ll unknowingly be greeted on the other end by a threat actor. The attacker might attempt to collect confidential information to validate the “transaction” or direct the caller to install a legitimate remote access tool. The victim’s accounts are essentially compromised by the time the call ends.
Phishing has developed into an ecosystem or marketplace. As previously mentioned, only a low level of sophistication is needed to get in the door. These low-level groups are the ones who run the call centers. Once they get a potential victim on the phone and convince them to take an additional step, they then hand off or sell that access to a more sophisticated actor.
What’s troubling about these attacks is not just how little technical know-how they require but what the absence of malware means from a security perspective. Callback phishing emails can bypass email filters because they don’t include malicious links or attachments with malware. In fact, they typically do contain links—valid ones. Click a URL, and the recipient will be directed to the actual company’s website. There’s nothing that would arouse suspicion from a technical perspective.
Instead, these attacks lean heavily on social engineering, the non-technical soft-skill side of hacking, such as convincing a user to install software on their computer. It’s more akin to how we would think of old scams: someone convincing a person to do something they’re not supposed to do, for financial gain or some other reward.
In some ways, the pivot to callback phishing results from email security tools getting too good. As those tools became better at catching and flagging the malicious attachments and links contained in traditional phishing attempts, those types of emails have been increasingly blocked before they reach the user. Callback phishing addresses this new cyber landscape. Because email filters generally won’t catch the phishing attempt, it is up to the user to be able to spot the warning signs.
A Callback Phishing Attack
The Conti ransomware gang shut down its operations in June 2022, but it didn’t entirely hang up its hat. Our technology partner, AdvIntel, confirmed that by August, the gang had splintered into smaller groups. At least three (Quantum, Silent Ransom, and Roy/Zeon) have been observed using BazarCall, also known as callback phishing. As far back as 2021, the Ryuk ransomware gang also used callback phishing in their ransomware operation. Ryuk was later rebranded as Conti—making it unsurprising that groups spawned from the ashes of the threat actor are using callback phishing now.
One of those smaller groups, Quantum, impersonates well-known brands, such as Gobble, Oracle, HelloFresh, Luchechko Mortgage Team, the US Equal Opportunity Employment Commission, and CrowdStrike. It impersonates these brands by sending an email encouraging recipients to call a number for further clarification.
CrowdStrike, a well-known cybersecurity company, was impersonated by Quantum in July 2022. The attackers sent a professional-looking email stating that a network compromise was identified during a routine audit and they needed to call a number to discuss the situation with CrowdStrike and provide additional information. Again, the email didn’t contain any malicious links, making it unlikely to be flagged by anti-phishing security solutions.
The attackers used social engineering to guide the employees into installing remote administration tools (RATs) that allowed Quantum to control their workstations. From there, the threat actors could remotely install additional tools that allowed them to move laterally through the network, deploy more ransomware, and steal data.
As a result of Quantum’s attack, CrowdStrike had to notify the public of the breach and of the likelihood that it would lead to a ransomware attack. At the time, it was the first identified callback campaign to impersonate a cybersecurity company.
What Employers Should Know and Do
Because traditional anti-phishing software does not detect callback phishing emails, the onus is on organizations to work with their employees to protect themselves. Instructing people is not sufficient. Employers must train their staff to recognize this kind of activity. That shouldn’t be a one-time task but a periodic, ongoing activity designed to ingrain these processes.
There are phishing training programs available that can generate fake and harmless callback phishing emails. Any users who take the bait will get enrolled in training.
Because hackers are trying to get people to install otherwise legitimate software, one preventative measure companies can take is to lock down permissions around installing new software. They should also consider putting in place good role-based access controls that limit an individual's access to only what they need to do their job. That limits the risk that a compromised user has access to the information the hacker is targeting.
The worst-case scenario would be a situation in which the user who was tricked has administrative access to the company because, at that point, the hacker is pretty much “in” and has access to the credentials needed to access more important systems and sensitive areas. The main end goals are ransomware, data exfiltration, and extortion.
Another tip-off that an email might be a callback phishing attempt is a personal service (anything from a vacation rental company to a rideshare company) emailing you at your work address, purportedly about a personal purchase or something related to your personal account. That’s a big red flag.
Organizations and individuals should also do their homework—by inspecting the email sender and the callback number. One can click on the email sender’s email address and Google it to verify the sender is from the expected organization’s domain. Look for any misspellings or suspicious characters in the email address, which strongly indicate the sender is trying to spoof a company.
Employees can similarly verify the number, either by pasting it into a search engine or by separately looking up contact numbers on the organization’s official website.
Language can also be a giveaway. If the language is aggressive in trying to convince you to do something with urgency, that is a red flag. Cybercriminals tend to be very persistent in their phishing emails. Again, if they can’t convince you to call, that attempt is a dud, so they’ll often make it seem like a high-stress situation.
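The sender, callback-number and language checks above can be folded into a simple triage heuristic that a help desk runs over a reported email. This is an added example, not code from the original article; the vendor domain, its published support number and the sample email are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholder: a vendor the organisation really uses, with its genuine domain
# and the support number published on its official website (not real values).
KNOWN_VENDORS = {"example-vendor.com": {"5550100000"}}
URGENCY = ("immediately", "within 24 hours", "final notice", "will be suspended", "urgent")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CONFUSABLES = str.maketrans("01357", "olest")  # digit-for-letter swaps seen in lookalike domains

def edit_distance(a, b):  # plain Levenshtein distance
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def matched_vendor(domain):  # (vendor_domain, exact_match) for the closest known vendor, else None
    for known in KNOWN_VENDORS:
        if domain == known:
            return known, True
        if edit_distance(domain.translate(CONFUSABLES), known) <= 2:
            return known, False
    return None

def assess(raw_email):  # list the callback-phishing indicators found in a plain-text email
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    body = "".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    reasons = []
    match = matched_vendor(domain)
    if match and not match[1]:
        reasons.append(f"sender domain {domain} is a lookalike of {match[0]}")
    phones = {re.sub(r"\D", "", p)[-10:] for p in PHONE_RE.findall(body)}  # normalise to 10 digits
    official = KNOWN_VENDORS[match[0]] if match else set()
    if unknown := phones - official:
        reasons.append(f"callback number not published by a known vendor: {sorted(unknown)}")
    if phones and "http" not in body.lower():
        reasons.append("the only call to action is a phone number; no link for filters to inspect")
    if hits := [t for t in URGENCY if t in text]:
        reasons.append(f"urgency language: {hits}")
    return reasons

SAMPLE = ("From: Billing <billing@examp1e-vendor.com>\nSubject: Final notice: subscription renewal\n\n"
          "Your subscription will be suspended within 24 hours. Call +1 (555) 010-9999 immediately.")  # constructed
```

Running `assess(SAMPLE)` flags all four indicators; a genuine receipt from the real domain quoting the published number and a link produces none.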
Ensure employees know there is zero shame in asking for help. If they follow the above steps and are still skeptical about the email, they should contact your IT team for advice. A false alarm is better than triggering a real one.