Fraudsters send phishing emails about fictitious subscriptions, each with a phone number to dial to “unsubscribe” from a costly provider. Victims who call are then directed to a website where they are pressured into downloading a malicious Excel file.
Call center for hackers
Since the beginning of February 2021, an operation known as BazarCall or BazaCall has been spreading malware, with its operators using a call center as one of the attack’s components.
The attack starts with a phishing email, but not a typical one. It claims that the user signed up for a free trial of some service, that the trial period has ended, and that the subscription will be extended automatically unless the user calls the given phone number. There are no specifics on what the service entails, although the email states that a total of $69.99-89.99 will be charged to the potential victim, a sum that is usually significant for someone on an ordinary salary.
The majority of these communications seem to be from a medical firm (Medical Reminder Service, Inc. or iMed Services, Inc.), as well as Blue Cart Services, Inc., iMers, Inc., and other similar firms.
If a potential victim calls the suggested phone number, they are greeted by someone who asks for more details, including the email’s unique identifier. The perpetrators seem to be making sure they are dealing with the right people.
If the identifier is false, the victim is forwarded to an attacker-controlled website, which has a field with an “unsubscribe” prompt. If the victim types the right identifier and presses the Submit button, they are asked to download the Excel file, while the call center operator stays on the line and does everything possible to keep the victim from hanging up and to get them to open the file and enable macros (Enable Content).
In certain situations, the call-center supervisor also firmly advises temporarily disabling antivirus software to ensure that no infection has occurred.
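The lure traits described above (an expiring trial or subscription, automatic extension, a charge amount, a number to call, and a unique identifier) can be combined into a simple mail-triage heuristic. This is an added example, not code from the article or from any vendor; the regexes, the threshold, the function name and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Lure traits taken from the article's description; the regexes and the
# scoring threshold are assumptions made for this example, not vendor rules.
TRAITS = {
    "trial_or_subscription": re.compile(r"\b(free trial|trial period|subscription)\b", re.I),
    "auto_extension": re.compile(r"\b(automatically|auto)[\s-]*(renew|extend|charg|bill)\w*", re.I),
    "charge_amount": re.compile(r"\$\s?\d{1,3}\.\d{2}"),
    "phone_number": re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]\d{4}"),
    "call_to_cancel": re.compile(
        r"\b(call|dial)\b.{0,80}\b(cancel|unsubscribe)\b"
        r"|\b(cancel|unsubscribe)\b.{0,80}\b(call|dial)\b", re.I | re.S),
    "unique_identifier": re.compile(
        r"\b(customer|subscriber|account|order)\s*(id|number)\s*[:#]?\s*[A-Z0-9-]{6,}", re.I),
}

def score_callback_lure(raw_email, min_other_traits=3):
    """Return (flagged, matched_traits) for one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    # Plain-text parts only; transfer-encoded or HTML bodies need decoding first.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = [name for name, rx in TRAITS.items() if rx.search(text)]
    # A callback lure is useless without a number to dial, so require it.
    others = [h for h in hits if h != "phone_number"]
    return ("phone_number" in hits and len(others) >= min_other_traits), hits

# Constructed samples (not real messages).
LURE = """From: Medical Reminder Service, Inc. <billing@example.invalid>
Subject: Your free trial is ending

Your free trial period has ended. The subscription will be automatically
extended and $89.99 will be charged. To cancel, call 1-800-555-0100 and
quote your customer ID: 4471029385.
"""
BENIGN = """From: Example Cloud <billing@example.com>
Subject: Receipt for your subscription

We charged $9.99 for your subscription this month.
Questions? Call support at 800-555-0199.
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_callback_lure(sample))
```

Because the message carries no link or attachment to scan, a content heuristic like this is best used to route mail for review or to add a warning banner rather than to block outright.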
Ransomware and Trojans
BazarCall got its original name from the fact that it was first used to spread the BazarLoader malware, a downloader Trojan used to infect victims’ computers with Ryuk or Conti ransomware. TrickBot, IcedID, Gozi IFSB, and other malware programs are now distributed through BazarCall as well, and these are in turn used to download, or provide access for, ransomware such as the now-defunct Maze and Egregor.
As a result of the proactive efforts of cybersecurity professionals, attackers are forced to change the phone numbers of call centers and hosting providers on a regular basis. However, it appears that the phishing call technique is still very successful, with a depressingly low number of detections.
“Working with a phishing call center is much more efficient than phishing emails, just as casual communication is much more effective than correspondence,” says Mikhail Zaitsev, an information security specialist with SEC Consult Services. “On the other side of the wire, there are usually individuals who are well-versed in psychology who can successfully trick their interlocutors into doing any of the acts they need. And, even though only one or two groups are doing it now, this type of attack will become very common in the future.”