Scammers are increasingly leveraging call centers to carry out cyberattacks and infect their victims with malware after first roping them in by using PayPal invoices and even tickets to Justin Bieber’s upcoming 2022 world tour as lures, experts have warned.
According to a new report from Proofpoint, the firm’s security researchers have observed an increase in attacks that rely on victims to call scammers directly and initiate the interaction after receiving an email with their phone number.
However, there are two types of these attacks, with one using free remote assistance software to steal money while the other, which is frequently associated with BazaCall, uses the BazaLoader malware disguised as a document to compromise a victim’s computer and gain access to their online accounts.
In recent attacks, threat actors have begun emailing victims claiming to be representatives from Justin Bieber ticket sellers, computer security services, Covid-19 relief funds or online retailers with the promise of refunds for mistaken purchases, software updates or financial support. These emails contain a phone number for customer assistance but when a victim calls for help, they are instead connected with a malicious call center attendant who begins the attack.
What’s clever about this new attack method is that by having victims call on their own accord, scammers are able to bypass some automated threat detection services which are only capable of flagging malicious links or attachments in emails.
Call center lures
One of Proofpoint’s researchers recently identified a financially motivated telephone-oriented attack delivery (TOAD) threat that mimicked a PayPal invoice from a weapons manufacturer in the US. After calling the number on the invoice, the researcher was told to download AnyDesk and login to his bank account.
With Justin Bieber’s 2022 Justice World Tour set to begin in February of next year, Proofpoint said it has seen the Canadian pop star being used quite frequently as a lure associated with BazaCall threats.
After calling the number on a fake ticket invoice, the firm’s researcher was put on hold with Bieber’s music playing in the background. Once the scammer got on the line, they claimed that someone had erroneously placed an order on the researcher’s credit card and by going to ziddat[.]com/code.exe, a refund could be issued. After visiting the site, the BazaLoader malware was successfully downloaded on the researcher’s virtual machine.
What makes call center-based email threats so dangerous is that the scammers behind them don’t specifically target victims based on demographics, jobs or location but likely procure their contact information from legitimate data brokerages or other telemarketer resources. Proofpoint is aware of victims losing nearly $50k in one attack with the threat actor pretending to be a representative from NortonLifeLock.
In addition to PayPal and Justin Bieber, call center-based email threat campaigns often impersonate a number of popular brands including Norton, MacAfee, eBay, GeekSquad, Santander Bank, Amazon, Symantec and others.
To prevent falling victim to these sorts of attacks, users should remain vigilant when checking their email and avoid calling the phone numbers contained in any suspicious emails, especially for items they didn’t purchase.