
Hackers impersonate cybersecurity companies in phishing callback emails

Hackers impersonate cybersecurity companies, such as CrowdStrike, in callback phishing emails to gain access to corporate networks.

Most phishing campaigns incorporate links to landing pages that steal login credentials or emails that include malicious attachments to install malware.

However, over the past year, threat actors have increasingly used phishing "callback" campaigns impersonating well-known companies that ask you to call a number to resolve a problem, cancel a subscription renewal or discuss another issue.

When the target dials the number, the threat actors use social engineering to convince the user to install remote access software on their device, giving the attackers a foothold in the corporate network. That foothold is then used to compromise the entire Windows domain.


In a new callback phishing campaign, hackers are impersonating CrowdStrike to warn recipients that intruders have compromised their workstations and that an in-depth security audit is required.


These callback phishing campaigns rely on social engineering, explaining in detail why the recipient should grant access to their device, as shown in the email excerpt below.

"During the daily network audit we detected abnormal activity associated with the network segment to which your workstation belongs. We identified the specific domain administrator who was managing the network and suspect a potential breach that may affect all workstations on that network. Therefore, we are conducting a detailed audit of all workstations.
We have already contacted your information security department directly, however, to address a potential site workstation breach, we have been referred to the individual operators of that workstation, i.e. the employees."

Finally, the phishing email asks the employee to call an unlisted phone number to schedule a security check of their workstation.

If the employee calls, the attackers walk them through installing remote administration tools (RATs) that give the threat actors full control of the workstation.

From there, the threat actors can remotely install additional tools that let them spread laterally across the network, steal corporate data and ultimately deploy ransomware to encrypt devices.
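The lure described above carries no link and no attachment, only a pretext and a phone number, so mail filters that key on URLs and attachments miss it. The following is an added example, not code from the original article or from CrowdStrike: a small Python triage heuristic that scores a message on exactly the traits the campaign shows, namely a display name claiming a security vendor whose sending domain does not match (the brand list is an assumption and should be replaced with the vendors your organisation actually uses), a phone number offered as the only contact channel, a call-to-action verb, and breach/renewal urgency wording. The three sample messages are constructed for the example and are not real campaign emails.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumption: vendors the article says were impersonated. Extend with the
# security vendors your organisation really uses (and whose mail you expect).
IMPERSONATED_BRANDS = {"crowdstrike", "mandiant"}

# Loose phone-number pattern (tolerates +1, parentheses, dashes, spaces).
PHONE_RE = re.compile(r"\+?\(?\d[\d\-\s().]{6,}\d")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
CALL_TO_ACTION_RE = re.compile(r"\b(call|dial|phone)\b", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(breach\w*|compromis\w*|intruder\w*|abnormal activity|audit\w*|"
    r"renew\w*|charged|immediately|urgent\w*|within \d+ hours)\b",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    score: int
    flagged: bool
    reasons: list = field(default_factory=list)


def claimed_brand(from_header: str):
    """Return the brand a display name claims when the sender's registrable
    domain is not that brand (e.g. "CrowdStrike" <x@crowdstrike-support.co>)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    labels = domain.split(".")
    registrable = labels[-2] if len(labels) >= 2 else domain
    for brand in IMPERSONATED_BRANDS:
        if brand in name.lower() and registrable != brand:
            return brand
    return None


def score_callback_lure(from_header, subject, body, has_attachment=False) -> Verdict:
    """Score a message for callback-phishing traits; >= 4 is flagged for review."""
    score, reasons = 0, []
    text = f"{subject}\n{body}"

    brand = claimed_brand(from_header)
    if brand:
        score += 3
        reasons.append(f"display name claims {brand} but sender domain is not {brand}")

    has_phone = bool(PHONE_RE.search(text))
    has_url = bool(URL_RE.search(text))
    if has_phone and not has_url and not has_attachment:
        score += 2
        reasons.append("phone number is the only channel offered (no links, no attachments)")

    if CALL_TO_ACTION_RE.search(text):
        score += 1
        reasons.append("asks the recipient to call")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("breach/renewal urgency wording")

    return Verdict(score=score, flagged=score >= 4, reasons=reasons)


# Constructed sample messages (not real campaign emails).
SAMPLE_EMAILS = {
    "vendor_impersonation": (
        '"CrowdStrike Support" <alerts@crowdstrike-support.co>',
        "Security audit required: suspected breach on your network segment",
        "During the daily network audit we detected abnormal activity associated with "
        "the network segment to which your workstation belongs. We suspect a potential "
        "breach that may affect all workstations on that network. To schedule the audit "
        "of your workstation, call us at +1 (800) 555-0199.",
    ),
    "subscription_renewal": (
        "Norton LifeLock Billing <billing@renewals-center.net>",
        "Your antivirus subscription has been renewed",
        "Thank you for renewing. Your card has been charged $349.99 for a 2-year plan. "
        "If you did not authorize this, call 1-888-555-0142 within 24 hours to cancel.",
    ),
    "internal_helpdesk": (
        "IT Helpdesk <helpdesk@example.com>",
        "Reminder: new VPN policy",
        "The new VPN policy is at https://intranet.example.com/vpn. "
        "Call the helpdesk at 555-0100 or ext. 4411 with questions.",
    ),
}


def triage_samples():
    """Run the heuristic over the constructed samples; returns name -> Verdict."""
    return {name: score_callback_lure(*msg) for name, msg in SAMPLE_EMAILS.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name}: score={verdict.score} flagged={verdict.flagged} {verdict.reasons}")
```

The weights and threshold are illustrative; tune them against your own mail. The point of the design is that a benign internal note can contain a phone number and a "call us" without being flagged, because it also carries a normal link and comes from the organisation's own domain, whereas the callback lure scores on the combination of vendor-name mismatch, phone-only contact and breach urgency. Treat the output as an enrichment for analyst review rather than a blocking control.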

In a report on the campaign, CrowdStrike says it believes the activity will likely lead to a ransomware attack, as seen with previous callback phishing campaigns.

"This is the first recognized callback campaign that impersonates cybersecurity entities and has a higher probability of success given the urgent nature of cyber breaches," CrowdStrike warns.

CrowdStrike notes that in March 2022 its analysts identified a similar campaign in which threat actors used AteraRMM to install Cobalt Strike, then moved laterally across the victim's network before deploying malware.


Callback phishing campaigns became common in 2021 with the BazarCall campaigns, which the Conti ransomware gang used to gain initial access to corporate networks.


Since then, callback phishing campaigns have used a variety of lures, including antivirus subscription renewals, online course support and software updates.

Vitali Kremez of AdvIntel told BleepingComputer that the campaign observed by CrowdStrike is believed to be run by the Quantum ransomware gang, which has launched its own BazarCall-style campaign.

"On June 21, 2022, AdvIntel discovered that Quantum was preparing a new IOC based on a threat actor posing as either a Mandiant or a CrowdStrike professional, in an attempt to persuade a victim to allow the threat actor to 'review' the victim's machine," reads a report from the company's Andariel threat prevention solution shared with BleepingComputer.

Quantum is one of the fastest-growing ransomware operations targeting businesses right now, and was recently attributed to an attack on PFC that affected more than 650 healthcare organisations.

Security analysts have also confirmed that several former Conti members moved to Quantum after the earlier operation shut down under increased scrutiny from investigators and law enforcement. While it would have been difficult for such phishing emails to achieve mass success in the past, in the current situation with many employees working remotely.

Source: bleepingcomputer.com

SecNews (https://secnews.gr)