Cybercriminals are impersonating cybersecurity firms in phishing emails where employees are instructed to call an enclosed phone number to perform a security check.
The latest ‘callback phishing’ attack purports to come from security vendor CrowdStrike, and directs employees to call what is supposedly a helpline.
Naturally, it’s not – and victims are instructed to install software which is a RAT (remote access tool) granting attackers full control over their machines.
A different angle
Such attacks can be highly effective, simply because most people are more aware of standard link-based phishing attacks, says Stratia Cyber’s founding director Paul Maxwell.
‘The bulk of awareness in the marketplace is around, “Do not click on a link,”’ says Paul. ‘So in this case the attack is highly effective as it is leveraging the trust that people will have for cybersecurity firms that may be working as a trusted partner.’
Psychologically, such messages work because they trigger the reader to think that if they don’t do something quickly, something bad will happen, Paul says.
‘Much like standard phishing, the message is crafted to stimulate a reaction in the reader,’ says Paul. ‘Another aspect of its effectiveness is that the person has a choice to make as to whether to make the call.’
Such ‘callback phishing’ campaigns have become more popular in the past year, Bleeping Computer reports, with campaigns that invite users to call a number to resolve a problem or cancel a supposedly pending subscription renewal.
In previous callback attacks, criminals have impersonated companies such as broadband providers, Paul says.
He says, ‘Callback attacks have been going on for many years under different guises. The fact that they are still being used by criminals is testament to their effectiveness. This is just another variation on the theme.’
CrowdStrike claims that the callback phishing campaign using its name is particularly dangerous because it’s the first known campaign impersonating a cybersecurity firm.
How to spot a callback phishing scam
But there are reliable indicators which should alert users to the fact an email is a callback phishing scam, says Paul.
Emails with urgent calls to action – for example, ‘Your system or organisation has been breached so please call this number for assistance,’ are suspicious, as are claims that, ‘Your IT department has already been informed.’
If it’s not the normal way in which your IT department contacts you, you should instantly be on your guard. If it’s a scam, the attacker will always try to convince you to install software on your system or visit an external website, Paul says.
As with most phishing attacks, there are also other warning signs including poor spelling and suspicious-looking source email addresses.
How can organisations stay safe?
The best approach to such attacks is to address both the human and the technical factors, Paul says.
Key steps to take include:
- Security awareness training – make staff aware of this type of attack, and reinforce that only software approved by the company is to be installed
- Implement technical controls on devices to prevent the download of unapproved software
- Email security technologies that implement email authentication so any spoof emails are rejected
- System logging and monitoring to identify installation of remote access tooling
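As an added example (not from the original post or from Stratia Cyber), a Python triage script that turns the warning signs above into checks run over two constructed sample emails: sender authentication results, a partner name in the display name that does not match the sending domain, a phone number the reader is told to call, and urgency language. The allow-list of partner domains is a hypothetical placeholder an organisation would maintain itself.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages (not real campaign artifacts): one callback-phish, one benign notice.
SAMPLE_PHISH = """\
From: "CrowdStrike Support" <support@example-lookalike.test>
Subject: URGENT: security check required
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=example-lookalike.test; dkim=none; dmarc=fail header.from=example-lookalike.test

Your system has been breached. Your IT department has already been informed.
Please call our helpline on +1 (555) 010-2233 immediately to perform a security check.
"""
SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@example.test>
Subject: Monthly IT newsletter
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=example.test; dkim=pass header.d=example.test; dmarc=pass header.from=example.test

This month's IT tips are on the intranet. No action is required.
"""

# Hypothetical allow-list: display-name keyword -> sending domains the organisation expects for that partner.
TRUSTED_PARTNERS = {"crowdstrike": {"crowdstrike.com"}, "it helpdesk": {"example.test"}}
URGENCY_PHRASES = ["breached", "call this number", "already been informed", "immediately", "security check"]
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", re.I)


def callback_phish_indicators(raw: str) -> list[str]:
    """Return the names of callback-phishing indicators present in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "") + " " + str(msg.get("Subject", ""))
    found = []
    # 1. Sender authentication failures reported by the receiving MTA (SPF/DKIM/DMARC).
    if AUTH_FAIL_RE.search(str(msg.get("Authentication-Results", ""))):
        found.append("auth_fail")
    # 2. Display name claims a trusted partner, but the From domain is not one expected for it.
    if any(k in name.lower() and domain not in d for k, d in TRUSTED_PARTNERS.items()):
        found.append("brand_domain_mismatch")
    # 3. A phone number the reader is asked to call: the defining feature of callback phishing.
    if PHONE_RE.search(text):
        found.append("phone_number")
    # 4. Pressure language: breach claims, urgency, "your IT department already knows".
    if sum(p in text.lower() for p in URGENCY_PHRASES) >= 2:
        found.append("urgency")
    return found


def is_callback_phish(raw: str) -> bool:
    # Any single indicator can occur in legitimate mail; two or more together warrant quarantine and review.
    return len(callback_phish_indicators(raw)) >= 2
```

Such a rule is a review aid for the mail gateway or SOC, not a replacement for the email authentication and monitoring controls listed above.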
If you’d like to feature in a future blog post, or want to get in touch with one of our experts, contact us on email@example.com.