Hackers are using phone calls to attack employee systems with malware.
Callback phishing has become increasingly popular among hackers. One popular variant of this attack, known as telephone-oriented attack delivery (TOAD), begins with a phishing email that appears to come from a credible organization. The email instructs the receiver to call the number listed in the email.
The phone contact is handled by a trained social engineer who dupes the victim into installing remote access malware or legitimate remote control software, which attackers use to acquire network access and distribute ransomware.
Ransomware operators are constantly upgrading their strategies, including identifying affiliates who best fit into their operational routines.
There are several underground recruitment campaigns for TOAD professionals, who are regarded as critical components of a successful ransomware threat organization.
Expert callers serve as an alternative to initial access brokers (IABs) in gaining system access and assisting in the collection of a ransom from the victim.
According to Proofpoint's 2024 State of the Phish report, "upward of 10 million TOAD attacks are made every month, and 67% of businesses globally were affected by a TOAD attack in 2023".
Increase in phishing-related attacks
From late 2020 to early 2021, TOAD tactics played a significant role in the underground threat scene, commencing with the BazarCall, also known as BazaCall, campaigns that spread the malware BazarLoader.
Because of the high success rate of these efforts, other parties, including ransomware gangs and mobile malware operators, have utilized similar tactics to steal funds and sensitive data.
According to the Intel471 blog, analysts have spotted additional callback phishing efforts. These include malware distribution tactics using BokBot, also known as IcedID and IceID, as well as campaigns based on the MasterClass online learning or Standard Notes themes.
Approximately 60 actors were found to be performing underground call services between January 2023 and August 2024. Between January and August 2024, there were 23 offers, compared to 40 offers in 2023. The market has become increasingly dense, as shown by the increasing aggregation of numerous services.
Vishing-related attacks have escalated since the second half of 2022, most likely due to a number of actors and threat groups attempting to expand their operations using TOAD tactics.
Researchers spotted ransomware gangs hunting for callers for ransomware-related assaults in the first quarter of 2024. In July 2024, a relatively new XSS forum participant was asking for English-speaking callers to carry out TOAD operations against US and Canadian organizations.
The callers allegedly provided open-source intelligence (OSINT) and phone support to an unidentified ransomware gang.
Clownfish voice-changing software, access to MicroSIP and Narayana software-based voice over IP (VoIP) services, an OpenVPN-based VPN client, and a "Fake Caller ID" spoofing service were among the purportedly all-inclusive tools provided to callers.
The M00N email spamming and phishing service offered numerous options for sending phishing emails. The QuattrO underground call service, also known as CallMix and Procallmix, was first made available in May 2019 by the actor Audi (aliases Cartman, cartman, procallmix), a long-time member of the Verified cybercrime community.
The service covers typical types of fraudulent calls, such as those to banks, delivery agencies, and online shops, as well as more complex issues including making purchases over the phone and requesting that a product be shipped to a new address.
Recommendations
- Employees must recognize, eliminate, and report any phishing attempts that include strange requests or grammatical errors.
- Sensitive information should never be shared over the phone, especially in response to an email that only includes one phone number.
- Use anti-spoofing and email authentication technologies like SPF, DKIM, and DMARC.
- Strengthen message authentication and train users to spot TOAD social engineering techniques.
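As an added illustration (not from the source article), the following sketch shows how a mail-triage script could combine the traits described above: a message whose only contact route is a single phone number, wording that asks the reader to call, and failing SPF, DKIM or DMARC results. The regular expressions, the two-signal threshold, the reliance on an `Authentication-Results` header stamped by the receiving mail server, and both sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.policy import default

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.I)
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def triage(raw):
    """Score one RFC 5322 message for callback-phishing (TOAD) traits."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    # Keep the last 10 digits so formatting variants of one number count once.
    phones = {re.sub(r"\D", "", p)[-10:] for p in PHONE_RE.findall(body)}
    results = " ".join(map(str, msg.get_all("Authentication-Results", [])))
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(results)}
    reasons = []
    if len(phones) == 1 and not URL_RE.search(body):
        reasons.append("one phone number and no links")
    if phones and CALL_RE.search(body):
        reasons.append("asks the reader to call")
    # A missing result is treated the same as a failing one.
    failed = [k for k in ("spf", "dkim", "dmarc") if auth.get(k) != "pass"]
    if failed:
        reasons.append("not authenticated: " + ", ".join(failed))
    # Assumed threshold: two or more signals sends the message to review.
    return {"score": len(reasons), "suspicious": len(reasons) >= 2, "reasons": reasons}

# Constructed sample messages (reserved example domains and 555-01xx numbers).
LURE = """\
From: "Billing" <billing@example.com>
Subject: Subscription renewal invoice
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain

Your subscription has been renewed for $399.99.
To cancel, call our support desk at +1 (555) 010-0142 within 24 hours.
"""
BENIGN = """\
From: "News" <news@example.net>
Subject: Monthly update
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.net; dkim=pass header.d=example.net; dmarc=pass header.from=example.net
Content-Type: text/plain

Read the update at https://example.net/news. Office line: 555-010-0100.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

A score like this is a routing signal for analyst review or a warning banner, not a verdict, since legitimate invoices can also carry a single phone number.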
Source: Cybersecurity News