After a split from the Conti cybercrime cartel, three autonomous threat groups have created Bazarcall – a call-back phishing tactic as the initial vector to breach and access targeted networks. Read on to know more and the steps you can take to prevent such attacks.
Most cybersecurity threats are based on automated, drive-by tactics (like compromising legitimate websites or exploiting system vulnerabilities) or advanced detection evasion methods. However, attackers continue to succeed in human interaction and social engineering attacks.
The BazarCall leaders knew that the repetitiveness of attack patterns was the reason for the downfall of older ransomware groups, leading them to plan and execute the Conti spin-offs.
The call-back phishing experts created “Silent Ransom” after splitting from Conti in March 2022. After becoming an autonomous group, they operated for a few months, and their tactics were successful. They realized they could avoid the dying Conti’s poor branding, sanctions, and regulations.
Other Conti Spin-offs
After the success of Silent Ransom with its highly targeted phishing operations, two other Conti spin-offs came, namely Roy/Zeon and Quantum. They gave a personal spin to the same approach in mid-June 2022.
Roy/Zeon was the most skilled social engineer of the three groups, having many adjustable and interchangeable indicators of compromise. Additionally, it selected its impersonation schemes based on its target.
Quantum was implicated in May 2022’s massive ransomware attacks that hit the Costa Rican government networks. Its members were responsible for creating Ryuk and showed a highly selective targeting approach that favored organizations with high average revenue.
How Does the Bazarcall Methodology Work?
The Bazarcall methodology is unique because it forgoes malicious attachments and links in emails with phone numbers. The recipients get tricked into calling the phone numbers because they get alerted of an upcoming transaction on their credit card.
Suppose the user falls for the scheme and calls the phone number mentioned in the email. In that case, a person from a fake call center set up by the BazarCall’s operators convinces them to grant the executive remote desktop control to help cancel the phony subscription.
Image sourced from microage.com
After getting the desktop access, the attacker stealthily takes steps and infiltrates the user’s network to establish persistence for follow-on activities like data exfiltration.
Why is There a Rise in Callback Phishing Attacks?
Callback phishing is the tactic that resulted in a widespread shift in the ransomware deployment approach. The reason why the approach is unique and effective is that
Instead of automated botnet infections, the attackers employ a targeted selective approach to select the victim or victim industry before the attack campaign begins.
- The cybercriminals tailor a sophisticated phishing campaign for a specific industry/victim instead of generic Emotet-style spam.
- They conceptualize frameworks with maximum risk for the targeted victim instead of chaotic extortion strategies.
- Attackers constantly change the campaign’s content and do not follow the same methodology every time.
- In such attacks, there is a greater focus on data exfiltration than data encryption.
How to Protect Against Such Attacks?
BazarCall’s emails lack the typical malicious elements, and their operators can conduct attacks at breakneck speeds. Thus, such attacks exemplify the increasingly elusive and complex threats that organizations face today. Following are the steps individuals/organizations can take to protect themselves:
1. Be Vigilant: One should always check the email subject, sender, and body to find anything suspicious before opening or downloading email attachments. Users must be vigilant about unsolicited emails coming from unknown senders. Given below are some sample subject lines. They have a unique “account number” that the attackers create to identify the recipients:
- Soon you will move to the Premium membership because the demo period is ending. Personal ID: KT[unique ID number]
- Renew your automated premium membership soon GW[unique ID number]
- Your demo stage is ending. Your user account number is VC[unique ID number]. Are you all set to continue?
- Notifying you of an abandoned road accident site! Must contact a manager! [body of the email contains unique ID number]
- Thank you for deciding to become a prestigious member of ABCFitness. Becoming a member was never simpler before [body of the email contains a unique ID number]
- Your subscription will be upgraded to the gold membership, ending the trial. Order: KT[unique ID number]
- Your free period is over. Your account number VC[unique ID number]. Are you ready to move forward?
- Thank you for buying the WinRAR pro plan. Your order number is WR[unique ID number]
- Thank you for choosing WinRAR. Check out the information your license information [body of the email contains a unique ID number]
2. Use cross-domain visibility and threat intelligence: Enterprises must choose solutions with coordinated defense and cross-domain visibility to protect customers against such threats. The solutions must have the ability to correlate events across emails and endpoints. It is crucial to protect against threats like BazarCall, given its distinct characteristics.
3. Rich Investigation Tools: Enterprises must deploy investigation tools like advanced hunting that allow the security teams to locate similar or related activities and resolve them seamlessly.
4. Users must check the attachment’s file extension and ensure it is in the intended file format.
5. Users must only activate macro for the attached Microsoft Office files if necessary. They must be extremely vigilant of emails requesting macro activation using the opened file’s body image or those that don’t display anything.
6. Users must look out for spoofed domains embedded in emails before opening them. It is prudent to quickly search the website or company used in emails to check for legitimacy.
After its resurgence in March, call-back phishing campaigns have impacted the current cyber threat landscape and forced the attackers to update their attack methodologies to stay on top of the ransomware food chain.
As cyber criminals realize the potential of weaponized social engineering tactics, it is expected such phishing operations will continue to become more detailed, elaborate, and difficult to distinguish from legitimate communications. The need of the hour is to stay vigilant and adopt adequate phishing protection measures to thwart such threats.