BIGFISH TECHNOLOGY LIMITED
24 October 2024

Callback phishing attacks use Google Groups to get login information

Phishing attacks are fraudulent techniques in which attackers imitate legitimate institutions to lure people into disclosing "sensitive information."

These assaults frequently occur by email, employing urgent wording to entice victims to click on "malicious links" or "download harmful attachments."

Trustwave cybersecurity analysts have cautioned about Callback Phishing attempts that target Google Groups to collect login information.

Callback Phishing Attacks
Trustwave SpiderLabs reported a "140%" increase in "callback phishing attacks" (also known as "Telephone-Oriented Attack Delivery" or "TOAD") between July and September.

They discovered that the attacks stemmed from their earlier finding of a "fake order spam scheme" on Google Groups.

This sophisticated "hybrid cyberattack" combines "traditional email phishing" with "social engineering" via "phone calls," in which threat actors use a variety of "TTPs."

The attack starts with "phishing emails containing text obfuscation" ('using base64 encoding' and 'invisible characters'), "image-based spam" ('.gif files'), or "document-based lures" ('PDF,' '.txt,' '.doc' formats) that impersonate reputable brands.

These emails push recipients to call specified phone numbers concerning "fake invoices" or "account terminations," and they frequently bypass "text-based spam filters."

The attack then follows one of three main vectors:

  • Vishing (voice phishing) is used to collect personally identifiable information and banking passwords.
  • Malware deployment (for example, "BazarCall" distributing "BazarLoader malware").
  • Remote access exploitation ("Luna Moth campaigns").

The scheme's effectiveness stems from its "dual-channel approach," which enables "real-time social manipulation" via "phone calls," "delayed detection due to minimal digital footprints," and "integration with legitimate services like Calendly for scheduling fraudulent support calls." These traits set it apart from ordinary phishing.

Financial systems are witnessing sophisticated cybersecurity breaches, with attackers exploiting legitimate services such as "PayPal," "Xero," "QuickBooks," and "HoneyBook" through "callback phishing."

These attacks use legitimate email authentication techniques such as "DKIM" ('DomainKeys Identified Mail') signatures and "platform-specific header stamps" to circumvent security protections.

The attackers send bogus payment requests and invoices to "dummy email addresses" before "forwarding them to actual victims," bypassing "email authentication checks."

The malicious emails use valid "From" addresses, "authentic platform links," and "genuine website redirects," making them highly deceptive.

However, the defining red flags are "suspicious payment notes," "mismatched 'To' addresses using newly registered domains," and "fraudulent customer service phone numbers."

This attack vector is especially effective because it combines "social engineering" with "technical legitimacy." The emails pass through "security filters" because they come from trusted financial platforms, but they use urgency triggers like "overdue payments" or "account anomalies" to trick victims into calling fake support numbers.
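As an added, defender-side example (not from the Trustwave report or this article), the following Python script checks one message for the indicators described above: zero-width characters and base64-obfuscated text that hide the callback number from text-based filters, a "To" address outside the organisation's own domains, urgency wording, and phone numbers in the body. The sample message, the `example-corp.test` organisation domain, the `.test` sender and recipient domains, and the urgency word list are all constructed for illustration; a DKIM pass is recorded but deliberately not counted as a sign of legitimacy, since the article notes these lures pass authentication.

```python
import base64
import binascii
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real lure): an invoice notice with a zero-width
# space hidden in "subscription", a base64 line repeating the callback number,
# a To: address on a domain the organisation does not own, and a DKIM pass.
SAMPLE_RAW = (
    'From: "Invoice Service" <billing@example-platform.test>\n'
    "To: receipts@newly-registered-domain.test\n"
    "Authentication-Results: mx.example-corp.test; dkim=pass header.d=example-platform.test\n"
    "Subject: Overdue invoice #4471 - call support now\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
    "Your sub\u200bscription renewal of $499.00 is overdue.\n"
    "Call our support line 1-800-555-0199 within 24 hours.\n"
    "QmlsbGluZyBzdXBwb3J0OiAxLTgwMC01NTUtMDE5OQ==\n"
)

# Domains the receiving organisation actually uses (assumed for the example).
ORG_DOMAINS = frozenset({"example-corp.test"})
# Urgency triggers named in the article plus a few common variants (assumed list).
URGENCY_TERMS = ("overdue", "within 24 hours", "terminat", "suspend", "immediately")
# North American style numbers; extend for other regions as needed.
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")
# Runs of base64 alphabet long enough to be worth decoding.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def extract_text(msg):
    """Return the text body of a parsed message (plain part preferred)."""
    part = msg.get_body(preferencelist=("plain", "html")) if msg.is_multipart() else msg
    return part.get_content() if part is not None else ""


def count_invisible_chars(text):
    """Count Unicode format characters (category Cf): zero-width spaces, joiners, BOM."""
    return sum(1 for ch in text if unicodedata.category(ch) == "Cf")


def strip_invisible(text):
    """Remove format characters so split words like 'sub<ZWSP>scription' rejoin."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def decode_base64_tokens(text):
    """Decode base64-looking runs that yield printable UTF-8 text."""
    decoded = []
    for token in B64_RE.findall(text):
        if len(token) % 4:
            continue
        try:
            candidate = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if candidate.isprintable():
            decoded.append(candidate)
    return decoded


def analyze_message(raw_bytes, org_domains=ORG_DOMAINS):
    """Score one raw RFC 5322 message against the callback-phishing indicators."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = extract_text(msg)
    clean = strip_invisible(body)
    decoded = decode_base64_tokens(clean)
    searchable = "\n".join([clean, *decoded])
    subject = str(msg.get("Subject", ""))
    to_domain = parseaddr(str(msg.get("To", "")))[1].rpartition("@")[2].lower()
    findings = {
        "invisible_chars": count_invisible_chars(body),
        "decoded_base64": decoded,
        "phone_numbers": sorted(set(PHONE_RE.findall(searchable))),
        "to_domain": to_domain,
        "mismatched_to": bool(to_domain) and to_domain not in org_domains,
        "urgency_terms": [t for t in URGENCY_TERMS if t in (subject + " " + clean).lower()],
        # Context only: a DKIM pass is expected for these lures and adds no trust.
        "dkim_pass": bool(re.search(r"\bdkim=pass\b", str(msg.get("Authentication-Results", "")))),
    }
    findings["score"] = sum([
        findings["invisible_chars"] > 0,
        bool(decoded),
        bool(findings["phone_numbers"]),
        findings["mismatched_to"],
        bool(findings["urgency_terms"]),
    ])
    return findings


if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE_RAW.encode("utf-8")).items():
        print(f"{key}: {value}")
```

The score is a plain count of independent indicators, so a message that only mentions a phone number scores 1 and is not worth an alert; the sample trips all five. Domain age is not checked offline, so the "mismatched To" test here is simply "not one of our domains", which a mail gateway would normally supplement with a registration-date lookup.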

The technique exemplifies a sophisticated version of "TOAD" in which attackers take advantage of the inherent trust in the architecture of established banking platforms while retaining the human manipulation portion of typical phishing tactics.

Recommendations
We have listed all of the recommendations below:

  • Be cautious of unsolicited emails.
  • Use official contact information rather than phone numbers offered in emails.
  • Do not reveal personal information during phone calls.
  • Monitor bank accounts and report any abnormalities.
  • Stay current on phishing techniques and provide personnel training.


Source: Cyber Security News