Be careful on the phone: Proofpoint's security experts are registering an increase in attacks that take advantage of a sophisticated ecosystem of call-center-based email threats. In contrast to classic telephone fraud, in which the perpetrators usually call their victims directly, these cybercriminals rely on the potential victims to pick up the phone themselves and initiate the interaction. This creates a false sense of security for the victims, because they themselves made the first move.
The damage to private individuals can be immense. Email fraud supported by call centers is not a new phenomenon, but the perpetrators are becoming more professional. In many cases, victims lose tens of thousands of euros stolen straight from their bank accounts. The perpetrators focus mainly on Germany, the United States, Australia and India.
In general, Proofpoint regularly monitors two types of call center threat: one uses free, legitimate remote-access software to steal money; the other spreads malware disguised as a document in order to compromise a computer. In the latter case, follow-up infections can also occur when further malware is downloaded by the first stage.
This second type of attack regularly uses the BazaLoader malware, which is why this approach is also known as BazaCall. Proofpoint groups both types of attack under the acronym TOAD (Telephone-Oriented Attack Delivery).
In the recently observed attacks, the victims receive emails in which the attackers pose as representatives of organizations (for example ticket vendors for Justin Bieber concerts, cybersecurity companies, coronavirus relief funds or online retailers) and promise reimbursements for erroneous purchases, software updates or financial aid. The emails contain a telephone number for the supposed customer service. As soon as the victims call that number, they are connected directly to one of the fraudulent call center agents and the attack begins.
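The pattern described above (a financial lure plus a "customer service" number in the message body, and no malicious link or attachment for a mail gateway to catch) can be surfaced with a simple mailbox triage rule. The following is an added example for defenders, not Proofpoint's code; the scoring thresholds and keyword lists are assumptions, and the sample emails are constructed.

```python
import re

# Constructed sample emails (not real data) in the style of the callback lures
# described above: a fake receipt/renewal and a support number to call.
SAMPLE_EMAILS = [
    {"subject": "Your order #48213 - Justin Bieber VIP tickets",
     "body": "Thank you for your purchase of 2 tickets ($1,499.00). If you did not "
             "authorize this charge, call our support line at +1 (833) 555-0142."},
    {"subject": "Weekly team sync",
     "body": "Agenda attached. Dial-in for remote folks: 555-0199, PIN 4821."},
    {"subject": "Antivirus subscription renewed",
     "body": "Your protection plan was renewed for 299.99 EUR. For a refund please "
             "contact our billing department on 0800 555 0123 within 24 hours."},
]

# Loose phone-number pattern: a digit, then 7+ digits/separators, then a digit.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
# Assumed vocabulary of TOAD-style lures (receipts, charges, renewals, refunds).
LURE_TERMS = ("receipt", "purchase", "charge", "refund", "reimburse",
              "renewed", "subscription", "invoice", "order")
URGENCY_TERMS = ("within 24 hours", "immediately", "did not authorize")


def score_callback_lure(subject, body):
    """Return a small verdict dict for one email; 'suspicious' is the
    combination of a callable number and at least one financial lure."""
    text = f"{subject}\n{body}".lower()
    phone = PHONE_RE.search(text)
    lures = sorted(t for t in LURE_TERMS if t in text)
    urgency = sorted(t for t in URGENCY_TERMS if t in text)
    score = (2 if phone else 0) + min(len(lures), 3) + len(urgency)
    return {
        "score": score,
        "phone": phone.group(0) if phone else None,
        "lures": lures,
        "urgency": urgency,
        "suspicious": phone is not None and bool(lures) and score >= 4,
    }


def triage(emails):
    """Return the subjects of all emails that match the callback-lure rule."""
    return [m["subject"] for m in emails
            if score_callback_lure(m["subject"], m["body"])["suspicious"]]


if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        print(m["subject"], "->", score_callback_lure(m["subject"], m["body"]))
```

A hit is a reason to route the message to a human reviewer or to compare the number against a known-fraud list, not proof of fraud on its own: internal dial-in details will always trip a loose phone regex, which is why the rule also requires a lure term.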
Although attributing TOAD activity to specific groups is a challenge, Proofpoint was able to identify several activity clusters in India. Most of this activity takes place in three cities: Kolkata, Mumbai and New Delhi. Proofpoint was also able to locate several physical locations used by the perpetrators, for example the Matrix Tower in Mumbai, based on the perpetrators' interactions with the security experts and on publicly available information shared in fraud forums and on YouTube.
Sherrod DeGrippo, VP, Threat Research and Detection at Proofpoint, commented on Proofpoint's latest findings on cybercrime via call centers: "Cybercriminals get very creative with their bait. A fake receipt for a Justin Bieber ticket or the purchase of a firearm can usually attract enough attention to deceive even the most vigilant email recipient. If the recipient reacts to this and tries to challenge the alleged costs, an ingenious chain of infection follows, which requires considerable human interaction. The victims can have the worst experience with fake customer service that one can only imagine, and which ultimately leads to theft of money or a malware infection."