Using phishing emails, social engineering, and a network of fake contact centers, a cyber-extortion gang is fooling people out of hundreds of thousands of dollars by gaining remote access to their PCs, taking their data, and threatening to release it if a ransom isn’t paid.
Researchers in cybersecurity at Palo Alto Networks Unit 42 has analyzed the “callback phishing” attacks and found that the social engineering campaign is alarmingly effective, which is fueling the creation of the attack infrastructure as cybercriminals strive to make as much money as they can.
The assaults resemble earlier discovered operations that duped victims into installing backdoor malware called BazarLoader by sending them phishing emails with dangerous attachments. The software was used to gain access to the network, steal data, and extort the victim out of money to stop the material from being leaked.
However, this recently described effort called Luna Moth, which Unit 42 studied, avoids malware infection and instead uses social engineering to infiltrate networks. And it has succeeded, costing hundreds of thousands of dollars and claiming victims in a variety of industries, including legal and retail.
Attacks start with a phishing email sent to a corporate email account that has a PDF attachment that purports to be a credit card invoice. The PDF attachment is typically for a smaller amount, usually under $1,000, maybe because it might not raise as much suspicion or be reported to finance.
If there is a problem, the victim should call this number to inquire about or cancel the payment, according to the attachment’s unique ID and phone number. To avoid detection, the emails and their attachments’ text regularly changes.
When the victim dials the number, they are connected to a call center managed by individuals responsible for the extortion scam, and the operator may determine which organization has been targeted by asking for the ID number. The center then walks the victim through the procedures required to download and run remote access software under the premise of assisting the victim in canceling the fraudulent payment.
With this access, the attacker downloads and installs a remote administration application, which allows them to continue access to the machine while also discreetly searching for and stealing sensitive files and servers.
After the data has been taken, the attacker sends a second email seeking extortion money and threatening to reveal the data if it is not paid. Researchers claim that the attackers research the annual revenue of the victim to determine a charge. The demands are issued in Bitcoin and, depending on the organization, might reach hundreds of thousands of dollars.
A 25% “discount” on the extortion demand is offered to victims who pay up fast. If they don’t pay, the attackers threaten to call clients and customers to inform them of the data breach.
Of course, there is no assurance that the attackers will remove the stolen data even if the victim does pay.
The assailant might not have kept their promises even if you paid them. According to Kristopher Russo, a senior threat researcher at Palo Alto Networks Unit 42, at times they stopped replying after confirming they had been paid and did not adhere to established pledges to provide proof of deletion.
Between May and October of this year, researchers say they observed and responded to a number of these attacks, and they all seem to be connected to the Luna Moth criminal organization, which is “continuing to improve the efficiency of their attack” by shifting campaigns from targeting smaller and medium-sized firms to targeting larger companies.
Attacks are predicted to continue due to the low cost per target, minimal chance of detection, and quick monetization of these campaigns, especially since the use of social engineering techniques rather than malware makes it simpler to get past antivirus defenses.
The researchers advise firms to alert staff to be wary of unexpected messages that purport to be urgent, especially if they appear to be from an unknown sender. Additionally, they advise individuals to consult their own IT or information security team with any requests from outside sources to install remote software.
According to Russo, all organizations should think about enhancing cybersecurity awareness training programs with a specific focus on unexpected bills, requests to make phone calls, and requests to install the software.
