To Deliver Malware, Attackers Use the Phone

Summary:
There has been a recent increase in actors employing callback phishing to infect unsuspecting victims with malware. Callback phishing, otherwise known as telephone-oriented attack delivery (TOAD), is a hybrid phishing model (voice plus email) that takes advantage of the trust people often extend to strangers who assume authority over the phone. “Although employees are usually trained to recognize and report email phishing attempts, they often are unfamiliar with this hybrid phishing model, leaving both the individual and organization vulnerable,” note researchers at Intel 471.

These attacks typically begin with a phishing email, sent to the victim, that impersonates a legitimate company. The email often concerns an invoice for a service or product the victim never purchased (a Norton subscription is a common lure). If the victim responds, the actor tries to gather the victim’s information: personal details, login credentials or other sensitive data. Once these details are collected, the attacker phones the victim to manipulate them further into disclosing additional sensitive information and installing remote access malware or legitimate remote control software. From there the actor can gain access to the victim’s network and deploy various payloads, including ransomware.

Security Officer Comments:
According to Proofpoint’s 2024 State of the Phish report, 67% of businesses globally were affected by a TOAD attack in 2023, with up to 10 million TOAD attacks launched every month. Researchers at Intel 471 note that “the most effective way to incorporate TOAD TTPs is by enlisting the services of a call center that can cover a broad number of languages and are available on demand.” Between January 2023 and August 2024, Intel 471 observed more than 60 actors providing underground call services: 40 actors offered call fraud services in 2023 and 23 actors have been observed so far in 2024. Actors generally seek these callers for a variety of schemes, including mule projects, malware delivery and other social-engineering tasks, as well as recruiting new specialists to underground call centers. Ransomware gangs in particular have sought out such services to support their operations, whether in the initial access phase via advanced social engineering and diverse phishing campaigns or during the ransom negotiation phase, where these callers help pressure victims into paying.

Suggested Corrections:

Harden

  • Message authentication: Authenticate message senders to prevent fraudulent financial transactions, phishing attempts and other social-engineering attacks.
  • User training: Train users to identify TOAD social-engineering techniques and common phishing lures, including fake invoices and technology support messages.
  • Software configuration: Use anti-spoofing and email authentication mechanisms including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), with DMARC set to an enforcing policy (quarantine or reject) rather than monitoring only.
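
As an added example (not code from the Intel 471 post), the following Python script audits a domain's SPF, DKIM and DMARC records for the weak settings that still leave it spoofable: an SPF record ending in "?all" or "+all", a DMARC policy of p=none, or no published DKIM key. The domain names, TXT records and the DKIM selector "s1" are constructed for the example; a real audit would replace sample_lookup with a DNS TXT query (for instance via dnspython) and pass the selectors the domain actually signs with.

```python
from typing import Callable, Dict, List

# Constructed sample DNS TXT data for two hypothetical domains. A real audit would
# query DNS (for example with dnspython) instead of reading this dictionary.
SAMPLE_TXT: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 include:_spf.mailprovider.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "strong.example": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example"
    ],
    "s1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
}


def sample_lookup(name: str) -> List[str]:
    """Stand-in for a DNS TXT lookup; an empty list means nothing is published."""
    return SAMPLE_TXT.get(name, [])


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records: List[str]) -> List[str]:
    """Flag SPF records whose 'all' mechanism lets unlisted hosts through."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; any host can send as this domain"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record; receivers treat this as a permanent error"]
    all_terms = [t for t in spf[0].split() if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["SPF: no 'all' mechanism; unlisted senders get a neutral result"]
    term = all_terms[0]  # SPF is evaluated left to right, so the first 'all' wins
    qualifier = term[0] if term[0] in "+-~?" else "+"
    if qualifier in "+?":
        return [f"SPF: '{term}' lets any host pass or stay neutral"]
    if qualifier == "~":
        return ["SPF: '~all' softfail; use '-all' once every legitimate sender is listed"]
    return []


def check_dmarc(records: List[str]) -> List[str]:
    """Flag DMARC policies that only monitor instead of rejecting spoofed mail."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["DMARC: no record; SPF and DKIM failures are never enforced"]
    tags = parse_tags(dmarc[0])
    findings: List[str] = []
    enforcing = ("quarantine", "reject")
    policy = tags.get("p", "").lower()
    if policy not in enforcing:
        findings.append(f"DMARC: p={policy or 'missing'} only monitors; spoofed mail is still delivered")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and sub_policy not in enforcing:
        findings.append(f"DMARC: sp={sub_policy} leaves subdomains unenforced")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; nobody receives reports of spoofing attempts")
    return findings


def check_dkim(domain: str, selectors: List[str], lookup: Callable[[str], List[str]]) -> List[str]:
    """DKIM selectors cannot be enumerated, so check the ones the domain is known to use."""
    for selector in selectors:
        for record in lookup(f"{selector}._domainkey.{domain}"):
            if parse_tags(record).get("p"):  # an empty p= tag means the key was revoked
                return []
    return ["DKIM: no public key for the known selectors; DMARC falls back to SPF alone, "
            "which breaks on forwarded mail"]


def audit_domain(domain: str, selectors: List[str],
                 lookup: Callable[[str], List[str]] = sample_lookup) -> List[str]:
    """Return all findings for a domain; an empty list means the records are enforcing."""
    return (check_spf(lookup(domain))
            + check_dmarc(lookup(f"_dmarc.{domain}"))
            + check_dkim(domain, selectors, lookup))


if __name__ == "__main__":
    for domain in ("weak.example", "strong.example"):
        print(domain)
        for finding in audit_domain(domain, ["s1"]) or ["no findings"]:
            print("  -", finding)
```

Run against the constructed data, weak.example produces four findings (permissive SPF, monitoring-only DMARC, no reporting address, no DKIM key) and strong.example produces none. A softfail "~all" is reported separately from "?all" because many receivers still deliver softfailing mail; it is a transition setting, not an end state.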

Detect

  • Sender MTA reputation analysis: Characterize the reputation of sending mail transfer agents (MTAs) to determine the security risk of incoming emails. Construct a trust rating from the length of time the sender has interacted with the enterprise and the number of emails received from and replied to it.
  • Sender reputation analysis: Analyze the reputation of the sending address based on information associated with the message, including how long the sender has been emailing the enterprise and how many emails have been received from it.
  • Network intrusion prevention: Enable network intrusion prevention systems and systems that scan and remove malicious email attachments or links.

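
As an added example (not code from the Intel 471 post), this Python snippet implements the trust rating described under sender reputation analysis and pairs it with a TOAD-specific lure check: an inbound message from a sender with little or no history whose subject carries both a phone number and billing or support wording. The log format, the scoring weights, the 40-point alert threshold, the phone-number pattern and the keyword list are assumptions made for the example, and the sample log lines are constructed (the 555-01xx numbers are reserved fictional numbers).

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample of a simplified mail-gateway log (assumed format, not a real product's):
# timestamp, direction relative to the enterprise, sender, recipient, quoted subject.
SAMPLE_LOG = """\
2024-01-15T09:12:44Z IN  billing@vendor.example ap@corp.example "Invoice 1042 for March services"
2024-01-15T11:03:10Z OUT ap@corp.example billing@vendor.example "Re: Invoice 1042 for March services"
2024-02-14T09:40:01Z IN  billing@vendor.example ap@corp.example "Invoice 1088"
2024-02-14T13:22:51Z OUT ap@corp.example billing@vendor.example "Re: Invoice 1088"
2024-03-14T08:55:30Z IN  billing@vendor.example ap@corp.example "Invoice 1131"
2024-06-20T15:31:07Z IN  no-reply@secure-renewals.example ap@corp.example "Your Norton subscription was renewed for $499.99 - call 1-800-555-0199 to cancel"
2024-06-20T15:33:20Z IN  helpdesk@it-support-center.example ap@corp.example "IT support: your mailbox is full, call +1 (800) 555-0148"
"""

LOG_LINE = re.compile(r'^(\S+)\s+(IN|OUT)\s+(\S+)\s+(\S+)\s+"(.*)"$')
# North American number formats such as 1-800-555-0199 or +1 (800) 555-0148 (assumed lure style)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_WORDS = ("invoice", "renew", "subscription", "support", "charged", "cancel")


@dataclass
class SenderStats:
    first_seen: datetime
    inbound: int = 0   # messages received from the sender
    replies: int = 0   # messages the enterprise sent back to the sender


def trust_score(stats: Optional[SenderStats], now: datetime) -> int:
    """0-100 rating: up to 50 points for relationship age (capped at 180 days),
    20 for mail received and 30 for replies sent. Weights are assumed for the example."""
    if stats is None:
        return 0
    days = (now - stats.first_seen).days
    score = min(days, 180) / 180 * 50
    score += min(stats.inbound, 10) * 2
    score += min(stats.replies, 10) * 3
    return int(round(score))


def is_callback_lure(subject: str) -> bool:
    """A callback lure pushes the reader to a phone number under a billing or support pretext."""
    text = subject.lower()
    return bool(PHONE.search(text)) and any(word in text for word in LURE_WORDS)


def score_log(log_text: str, threshold: int = 40) -> List[dict]:
    """Replay the log in time order, rating each inbound message with only the
    history that existed before it, so a first-contact sender scores 0."""
    events = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if match:
            ts, direction, sender, recipient, subject = match.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           direction, sender, recipient, subject))
    events.sort(key=lambda e: e[0])

    stats: Dict[str, SenderStats] = {}
    results: List[dict] = []
    for now, direction, sender, recipient, subject in events:
        if direction == "OUT":
            if recipient in stats:  # a reply to someone who has written to us
                stats[recipient].replies += 1
            continue
        score = trust_score(stats.get(sender), now)
        lure = is_callback_lure(subject)
        results.append({"time": now.isoformat(), "sender": sender, "score": score,
                        "callback_lure": lure, "alert": lure and score < threshold})
        stats.setdefault(sender, SenderStats(first_seen=now)).inbound += 1
    return results


if __name__ == "__main__":
    for row in score_log(SAMPLE_LOG):
        flag = "ALERT" if row["alert"] else "ok   "
        print(flag, row["time"], f"score={row['score']:3d}", row["sender"])
```

On the constructed log the established vendor climbs from 0 to 26 points over three invoices and two replies and never trips the lure check, while the two first-contact senders asking the recipient to call a number score 0 and are flagged. Rating a message only on history that predates it matters: computing the score over the whole log would credit a sender for the very message being examined.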
Link(s):
https://intel471.com/blog/to-deliver-malware-attackers-use-the-phone