Cybersecurity company Proofpoint released a new report on Thursday highlighting an increase in call center-based cyberattacks, noting a variety of scams perpetrated by threat actors stealing almost $50,000 per attack in some instances.
Proofpoint researchers Selena Larson, Sam Scholten and Timothy Kromphardt said their company sees thousands of telephone-based cyberattacks each day, with most falling into two different categories. Some use fake call centers to steal a victim’s money and others use call centers to spread malware that can be used in other attacks.
“The attacks rely on victims to call the attackers directly and initiate the interaction. Email fraud supported by call center customer service agents is prolific and profitable. In many cases, victims lose tens of thousands of dollars stolen directly from their bank accounts,” the researcher’s wrote.
“One uses free, legitimate remote assistance software to steal money. The second leverages the use of malware disguised as a document to compromise a computer and can lead to follow-on malware. The second attack type is frequently associated with BazaLoader malware and is often referred to as BazaCall. Both attack types are what Proofpoint considers telephone-oriented attack delivery (TOAD).”
Proofpoint researchers tied the activity to people working in the Indian cities of Mumbai, Kolkata and New Delhi.
Cybercriminals use specific lures as a way to legitimize their scams, including presenting themselves as “Justin Bieber ticket sellers, computer security services, COVID-19 relief funds, or online retailers, promising refunds for mistaken purchases, software updates, or financial support.”
The attacks start when victims are sent an email with a phone number that will connect them to a “customer service” official who is actually a cybercriminal.
Other scams begin with fake emails for costly Amazon or PayPal invoices that urge the victim to contact the cyberattackers as a way to dispute the charge.
Once the scam call center is called, victims are walked through the process of downloading malicious files or tools like AnyDesk, Teamvier and Zoho that give cyberattackers remote access to a device. Some scammers even ask victims to simply enter their bank account information in order to get refunds, according to Proofpoint.
“In malware focused attacks like BazaCall, the invoice lures are often more elaborate, including themes such as Justin Bieber concerts, lingerie, and fake movie sites. The victim is directed to a malicious website where they are told to download a document to facilitate a refund, but instead are infected with malware,” the researchers explained.
“Once the attackers have obtained access to the device, they can access banking, email, and other private accounts or download follow-on malware including ransomware. By leveraging attack chains that require a lot of human interaction, threat actors can bypass some automated threat detection services that only flag on malicious links or attachments in email.”
As a way to learn adversary tactics, researchers with the cybersecurity company went along with one scammer as they walked them through the attack. Some of the attackers posed as ticket sellers for the upcoming 2022 Justin Bieber world tour and upcoming The Weeknd concerts.
The scammers even play Bieber’s music while victims wait to speak to a representative, according to Proofpoint. The cyberattacker asked a Proofpoint analyst to visit a malicious website as a way to dispute a charge related to the concerts. Once the malicious file is downloaded, the cyberattacker hung up the phone.
Unwanted scam calls have become a major issue for many Americans, some of whom get dozens of scam calls each week. The Proofpoint report cites a Truecaller report that found 60 million Americans lost $29.8 billion between 2020 and 2021 due to these calls.
Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told ZDNet that threat actors are getting creative with their lures, noting that fake receipts for Justin Bieber tickets or a firearm purchase are attention-grabbing enough to trick even the most vigilant email recipient.
“Should you respond in an attempt to dispute the charges, what follows is an elaborate infection chain that requires significant human interaction and takes victims down the rabbit hole of the worst possible fake customer service experience imaginable — one that ultimately steals your money or leaves behind a malware infection,” DeGrippo said.
“Most successful cyberattacks require some form of human interaction to succeed, like clicking on a malicious link or opening an attachment. But what’s really interesting about these emails is how high they raise the bar, requiring victims to be far more proactive by actually initiating a phone call with the threat actors. It’s a bold, yet ultimately profitable attack.”
Netenrich principal threat hunter John Bambenek said call center fraud is not new and has been used successfully in the past to try to lend credence to cybercriminal scams.
But he explained that this specific technique doesn’t scale and said it’s “not uncommon for defenders to call these numbers to tie up the time of the attackers.”