Security News > 2022 > October > Callback phishing attacks evolve their social engineering tactics
Callback phishing operations have evolved their social engineering methods, keeping old fake subscriptions lure for the first phase of the attack but switching to pretending to help victims deal with an infection or hack.
Callback phishing attacks are email campaigns pretending to be high-priced subscriptions designed to lead to confusion by the recipient as they never subscribed to these services.
This leads to a social engineering attack that deploys malware on victims' devices and, potentially, full-blown ransomware attacks.
Callback phishing attacks first appeared in March 2021 under the name "BazarCall," where threat actors began sending emails pretending to be a subscription to a streaming service, software product, or medical services company, giving a phone number to call if they want to cancel the purchase.
The social engineering process has changed in recent callback phishing campaigns, although the bait in the phishing email remains the same, an invoice for a payment made to Geek Squad, Norton, McAfee, PayPal, or Microsoft.
Another variant used in the PayPal-themed phishing attacks is to ask the victim if they use PayPal and then allegedly check their email for compromise, claiming that their account was accessed by eight devices spread across various locations worldwide.
News URL
Related news
- How to Prevent Phishing Attacks with Multi-Factor Authentication (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Darktrace: 96% of Phishing Attacks in 2024 Exploited Trusted Domains Including SharePoint & Zoom Docs (source)
- Phishing attack hides JavaScript using invisible Unicode trick (source)
- FatalRAT Phishing Attacks Target APAC Industries Using Chinese Cloud Services (source)
- CrowdStrike Security Report: Generative AI Powers Social Engineering Attacks (source)
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail (source)
- YouTube warns of AI-generated video of its CEO used in phishing attacks (source)
- Ukrainian military targeted in new Signal spear-phishing attacks (source)
- Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks (source)