FBI calls out callback phishers

In a November private-industry advisory, the FBI noted a “trend” of callback phishing, a social engineering attack that involves interaction between the threat actor and the target. The phish, which ultimately convinces a victim to call back and download malware or offer up remote access, is especially difficult to defend against, because the tactic uses legitimate IT tools.

The FBI summarized the phishy extortion of the Silent Ransom Group, aka Luna Moth.

• Once the victims responded to SRG’s phony charges and called the phone number it provided, the group sent a follow-up email directing them to download a “legitimate system-management tool,” which was then used to install other credible management tools that could be “repurposed for malicious activity.”
• “The actors then compromised local files and the network shared drives, exfiltrated victim data, and extorted the companies,” the advisory read.

While the agency did not give specifics about the system-management tools SRG deployed, cybersecurity company Palo Alto Networks used a threat-research post in November 2022 to show how the group tricked users into downloading remote-support tool Zoho Assist.

“Once the victim connected to the session, the attacker took control of their keyboard and mouse, enabled clipboard access, and blanked out the screen to hide their actions,” Kristopher Russo, senior threat researcher at Palo Alto Networks’ Unit 42, wrote at the time.

Next, Russo’s report said, attackers deployed exfiltration tools.

Such tactics complicate a traditional awareness training practice of verifying a sender’s authenticity, especially when a typical tactic, according to the Palo Alto post, routes a call recipient to a threat-actor-controlled call center and connects the person to a live agent.

“Since there are very few early indicators that a victim is under attack, employee cybersecurity awareness training is the first line of defense,” Russo wrote.

In an email from Russo shared with us by Kelly Kane, head of threat communications at Palo Alto, the cybersecurity pro recommended mitigation strategies including outlining actions employees should never take, like calling a number from an unsolicited email, as well as things they should do, like immediately contacting IT if they receive a suspicious text or email. “Train employees about cybersecurity best practices including things like the risks of installing unsupported software or allowing a third party to connect to a corporate computer,” Russo wrote.

The FBI also listed best practices to address the trend of callback phishing, including implementing time-based access control for admins.

In his previous role as a security practitioner, Drew Rose, now chief strategy officer at the risk-management platform Living Security, said he’d tell someone who received a suspicious email from, say, Mastercard asking for sensitive data, to call the company directly.

“What’s interesting about callback phishing is they’re pre-empting you. They’re like, ‘Yeah, don’t just trust this email, call us,’” Rose said. He recommends hypertextual security awareness training that calls back to a specific person’s life.

“You have to have an ongoing awareness program that ties back to how a threat would impact their life, whether at home, or at work; it needs to be very specific,” Rose told IT Brew.