One cyber insurance specialist is warning brokers and clients of a ransomware attack method that subverts common cybersecurity controls by tricking victims into phoning a call centre – rather than clicking a link – and instructing them to download malicious software to infect their own computers.
“Making the victim do all the heavy lifting is a notable shift from the more traditional hacking attack vectors,” Tom Bennett, cyber threat analysis team leader with CFC Underwriting, said in a press release earlier this month. “Unfortunately, most workplace education around phishing emails doesn’t warn about this type of social engineering, so it represents a significant new threat.”
Dubbed ‘BazarCall,’ the scam targets small businesses by convincing victims through “good impersonations of legitimate companies” to visit a phishing site, phone a call centre and download a Microsoft Excel file to infect the victim’s network. For example, the phishing email may tell the victim a subscription has been renewed as requested and to call a phone number to cancel within 14 days if they don’t want to renew.
Once a victim visits the website, the cybercriminal tells them to download an Excel file and read out an invoice number to cancel the subscription. But once in Excel, it will say something along the lines of, ‘To view this properly, you must enable macros.’
“That’s the point when your computer is compromised,” Bennett said in an interview with Canadian Underwriter Wednesday. “And because all of the downloading of that and initiating of the macros has been done by the user, it bypasses all sorts of security controls.
“Historically, you’d be able to rely on email filters scanning attachments to see if they have malware embedded into the attachment,” Bennett said. “But because there is no attachment, you’ve downloaded it separately though your web browser, that whole step around your email security is rendered useless.”
While companies often have policies around stripping out macros from email, Bennett noted that for this scam it’s not from an email.
“So again, it gets past some of the modern defences where companies are getting wise to how ransom attacks have been delivered,” he said.
Once a computer’s been infected, the cybercriminal is entrenched in the network and can come back at a later date to conduct a ransomware attack.
Adding to the complexity of the attack is that “phone numbers are recycled very rapidly so that if someone spots this and reports it to a telecoms company and says, ‘You need to block this phone number and shut it down,’ it doesn’t matter,” Bennett added. “They have a new one four hours later.”
Some of the very first attacks occurred in Canada and the campaign has increased more than tenfold in the first half of 2022, Bennett reported. “It’s gone from one or two unique experimental infections at the end of 2021 to now being actually quite routine. The scale of the email campaigns is in the hundreds of thousands of emails being sent every day to companies around the world.”
BazarCall already accounts for nearly 10% of all malware incidents CFC has detected across its own portfolio over the last three months. However, CFC has not seen any cyber claims as it has been able to proactively disrupt attacks at scale and remove malware if it’s infected a computer.
“We can see every stage of the campaign,” Bennett said. “So, we can see which people receive the phishing emails and we can warn them about that. We can see which customers have actually rung the phone number.
“And we can see which ones have not just rung the phone number, but they’ve gone through the social engineering and they’ve fallen for it; they’ve installed the malware and become infected,” he said. “We know exactly where to go and clean up.”
Over the last couple of weeks, CFC has seen another ransomware group use the same methodology to install a different malware. In this case, the “telephone-oriented attack delivery group” is installing malware not for ransomware but for business email compromise to gain access to mailboxes to carry out wire transfer frauds.
“We’ve only seen one customer infected in this way so far and we were able to stop that,” Bennett said. “It’s only small levels of activity but the fact that there’s new groups copying the methodology I think is a sign that this won’t go away,” he said.