A cyber-extortion gang is using phishing emails, social engineering and a network of phony call centers to scam victims out of hundreds of thousands of dollars. Enhance your cyber security ASAP.
These cyber criminals are tricking victims into allowing them remote access into their PC, then they steal data and threaten to leak it if a ransom isn’t paid.
According to analysis of the ‘callback phishing’ attacks by cybersecurity researchers at Palo Alto Networks Unit 42, this social-engineering campaign is worryingly successful.
This is leading to a growth in the infrastructure behind attacks, as cyber criminals try to make as much money as possible.
The attacks are similar to previously identified campaigns that used phishing emails containing malicious documents to trick victims into installing backdoor malware.
The malware was used to access the network, steal data and blackmail the victim into paying an extortion fee to prevent the data being leaked.
This newly detailed campaign, investigated by Unit 42 and called Luna Moth, skips the malware infection; instead, it uses social engineering to gain access to networks.
The campaign has proved successful, claiming victims in multiple sectors including legal and retail, and costing some victims hundreds of thousands of dollars.
Attacks begin with a phishing email to a corporate email address with a PDF attachment claiming to be a credit card invoice, usually for an amount under $1,000, perhaps because a lower figure might be less likely to arouse suspicion or get reported to finance.
This attachment contains a unique ID and phone number with the suggestion that, if there’s a problem, the victim should call it to query or cancel the payment.
The wording of the emails and attachment frequently changes to help bypass detection.
If the victim calls the number, they’re connected to a call center run by those behind the extortion scam, and the operator can identify which company has been targeted by asking for the ID number.
Then, under the false guise of helping the victim cancel the phony payment, the call center operator guides the victim through the steps required to download and run remote access software.
With this access, the attacker downloads and installs a remote administration tool, which allows them to maintain access to the machine and secretly look for and steal sensitive files from the machine and from servers.
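As an added illustration (not code from the article or from Unit 42), the following defensive heuristic scores an email body for the lure features described above: invoice language, a sub-$1,000 amount, a unique ID, a phone number, and an instruction to call to query or cancel. The two sample messages are constructed for the example; the weights and threshold are assumptions to tune against real mail.

```python
import re

# Constructed sample messages (not from the article). LURE mimics the
# described lure; BENIGN is an ordinary internal email for comparison.
LURE = """Subject: Your subscription invoice
Your card has been charged $489.00 for annual membership.
Invoice ID: CX-48213
If you did not authorize this payment or wish to cancel, call us at
(555) 010-4477 within 24 hours."""

BENIGN = """Subject: Q3 planning notes
Hi team, attached are the notes from Tuesday's meeting.
Let me know if anything is missing before Friday."""

# Each rule contributes one point; the patterns are illustrative assumptions.
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*(?:\.\d{2})?)")
UNIQUE_ID = re.compile(
    r"\b(?:invoice|order|reference|ref)\s*(?:id|no|#|number)?\s*[:#]?\s*"
    r"([A-Z]{1,4}-?\d{4,})\b", re.I)
CALL_TO_CANCEL = re.compile(
    r"\b(?:call|phone|contact)\b.{0,80}\b(?:cancel|dispute|query|refund)\b"
    r"|\b(?:cancel|dispute|query|refund)\b.{0,80}\b(?:call|phone)\b", re.I | re.S)
URGENCY = re.compile(r"\bwithin\s+\d+\s+(?:hours?|days?)\b|\bimmediately\b|\burgent\b", re.I)


def score_callback_lure(text: str) -> tuple[int, list[str]]:
    """Return (score, matched rule names) for one email body."""
    hits = []
    lowered = text.lower()
    if "invoice" in lowered or "charged" in lowered:
        hits.append("invoice_language")
    amounts = [float(m.replace(",", "")) for m in AMOUNT.findall(text)]
    if any(0 < a < 1000 for a in amounts):      # the article's sub-$1,000 pattern
        hits.append("small_amount")
    if PHONE.search(text):
        hits.append("phone_number")
    if UNIQUE_ID.search(text):
        hits.append("unique_id")
    if CALL_TO_CANCEL.search(text):
        hits.append("call_to_cancel")
    if URGENCY.search(text):
        hits.append("urgency")
    return len(hits), hits


def is_suspicious(text: str, threshold: int = 4) -> bool:
    """Flag a message for analyst review when enough lure features coincide."""
    return score_callback_lure(text)[0] >= threshold
```

Because the article notes that the wording of the emails changes frequently, a score over several independent features holds up better than matching a single phrase, and flagged mail should be routed to review rather than blocked outright.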
After the data is stolen, the attacker sends another email, demanding an extortion payment with a threat to release the information if it isn’t paid.
The demands are made in Bitcoin and can amount to hundreds of thousands of dollars, depending on the organization.
If the victims pay up quickly, they get a 25% ‘discount’ on the extortion demand. If they refuse to pay, the attackers threaten to phone customers and clients to tell them about the data breach.
Of course, even if the victim does pay, there’s no guarantee that the attackers will delete the stolen data.
“Paying the attacker did not guarantee they would follow through with their promises. At times they stopped responding after confirming they had received payment, and did not follow through with negotiated commitments to provide proof of deletion,” said Kristopher Russo, senior threat researcher at Palo Alto Networks Unit 42.
Researchers say they observed and responded to a number of these attacks between May and October this year and they all appear to be linked to the Luna Moth crime group.
The malicious group is continuing to improve the efficiency of their attacks, with campaigns shifting from targeting smaller and medium-sized firms to targeting larger companies.
The low per-target cost, low risk of detection and fast monetization of these campaigns mean attacks are expected to continue, particularly because relying on social engineering rather than malware makes it easier to bypass antivirus protections.
The researchers recommend that organizations warn employees to be cautious about unexpected messages conveying a sense of urgency, particularly if they appear to come from an unknown sender.
They also say that people should ask their own information security or IT team about any requests from external sources to install remote software.
“All organizations should consider strengthening cybersecurity awareness training programs with a particular focus on unexpected invoices, as well as requests to establish a phone call or to install software,” said Russo.
There are fundamental aspects of cyber security that managed technology solutions providers serving small-to-medium businesses need to understand and implement.