Proofpoint has seen an increase in attacks that take advantage of a sophisticated ecosystem of call center-based email threats. […]
In contrast to classic telephone fraud, in which the perpetrators usually call their victims directly, these cybercriminals rely on the potential victims to pick up the phone themselves and initiate the interaction. Because the victims take the first step, they are lulled into a false sense of security. The damage to private individuals can be immense. Email fraud supported by call centers is not a completely new phenomenon, but the perpetrators are becoming increasingly professional. In many cases, victims lose tens of thousands of euros, stolen directly from their bank accounts. The attacks are concentrated mainly in Germany, the United States, Australia and India.
Two types of threats
In general, there are two types of call center threats that Proofpoint regularly monitors: in the first, free, legitimate remote maintenance software is used to steal money; in the second, malware disguised as a document is distributed to compromise a computer. The latter can also lead to secondary infections if additional malware is downloaded afterwards. The BazaLoader malware is regularly used in this second type of attack, which is why the technique is also referred to as BazaCall. Proofpoint groups both types of attack under the abbreviation TOAD (Telephone-oriented Attack Delivery).
In the recently observed attacks, the victims receive e-mails in which the attackers pose as representatives of organizations (for example, ticket sellers for Justin Bieber concerts, cybersecurity companies, coronavirus relief funds or online retailers) and promise refunds for erroneous purchases, software updates or financial assistance. The e-mails contain a telephone number for the supposed customer service. As soon as a victim calls this number, they are connected directly to one of the fraudulent call center employees and the attack begins.
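The lure described above has a recognisable shape from the defender's side: the e-mail carries no link or attachment, only a phone number, a claimed charge or refund, and time pressure. The following added example (not Proofpoint's detection logic, and not code from the original article) triages raw messages with exactly those heuristics. The two sample messages, the domains ending in `.invalid`, the phone number and the scoring weights are all constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (not real campaign samples) that mimic the
# "call this number about your purchase" lure described in the article.
SAMPLE_TOAD = """From: billing@example-tickets.invalid
To: victim@example.invalid
Subject: Your receipt for 2x Justin Bieber tickets - order 48213

Thank you for your purchase of $486.00.
If you did not authorize this charge, call our customer service
at +1 (800) 555-0142 within 24 hours to request a refund.
"""

SAMPLE_BENIGN = """From: newsletter@example-shop.invalid
To: victim@example.invalid
Subject: New arrivals this week

Browse our new collection at https://example-shop.invalid/new
Questions? Reply to this email.
"""

# Loose North-American-style phone pattern; widen it for other regions.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Words typical of the refund/charge pretext used in TOAD lures.
LURE_WORDS = ("refund", "charge", "invoice", "subscription", "renewal", "purchase", "receipt")
URGENCY_WORDS = ("within 24 hours", "immediately", "today", "before")


def _body_text(msg: Message) -> str:
    """Collect the text/plain parts of a parsed message as one string."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(errors="replace"))
    return "\n".join(parts)


def score_toad(raw_message: str) -> dict:
    """Score a raw RFC 822 message for callback-phishing (TOAD) indicators.

    The weights are illustrative assumptions, not a calibrated model:
    a phone number with no link at all is the strongest signal, because
    a legitimate receipt almost always links back to the merchant.
    """
    msg = message_from_string(raw_message)
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    phones = PHONE_RE.findall(text)
    urls = URL_RE.findall(text)
    lures = [w for w in LURE_WORDS if w in text]
    urgency = [w for w in URGENCY_WORDS if w in text]

    score = 0
    if phones:
        score += 2                      # a number to call is present
    if phones and not urls:
        score += 2                      # the call is the ONLY call to action
    score += min(len(lures), 3)         # refund / charge pretext
    if urgency:
        score += 1                      # time pressure
    return {
        "phones": phones,
        "urls": urls,
        "lures": lures,
        "urgency": urgency,
        "score": score,
        "suspicious": score >= 5,
    }


if __name__ == "__main__":
    for name, sample in (("toad", SAMPLE_TOAD), ("benign", SAMPLE_BENIGN)):
        print(name, score_toad(sample))
```

In a mail gateway this would run as one enrichment among many; the point is that a "no links, phone number, refund pretext" message is a strong candidate for quarantine or at least for a user-facing banner, precisely because it sails past URL and attachment scanners.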
Although attributing TOAD activity to specific groups is difficult, Proofpoint was able to identify several activity clusters in India. Most of the activity in this context takes place in three cities: Kolkata, Mumbai and New Delhi. Proofpoint was also able to identify several physical locations of perpetrators based on the perpetrators' interactions with the security researchers as well as publicly available information shared in fraud forums and on YouTube.
“Cybercriminals are getting very creative with their baits. A fake receipt for Justin Bieber tickets or the purchase of a firearm usually attracts enough attention to deceive even the most vigilant email recipient. Should the recipient react to this and try to challenge the alleged costs, a sophisticated chain of infection follows, which requires considerable human interaction. The victims can have the worst experience imaginable with a fake customer service, which ultimately leads to the theft of money or a malware infection,” says Sherrod DeGrippo, VP, Threat Research and Detection at Proofpoint.