The Federal Bureau of Investigation (FBI) has released an advisory for industry awareness after observing a rise in the exploitation of vulnerabilities in “vendor-controlled remote access to casino servers, third-party vendors and services.” The advisory also highlights emerging ransomware initial-access trends.
Ransomware actors are reportedly targeting “smaller, tribal casinos” via gaming vendors to encrypt servers and compromise sensitive PII (personally identifiable information) of employees and patrons. To elevate network permissions, adversaries use legitimate system management tools. In this regard, the bureau pointed out Silent Ransom Group’s (SRG) activities.
As per the FBI’s advisory (PDF), this group, also known as Luna Moth, has been conducting callback phishing attacks. The attack involves tricking victims into clicking phishing links disguised as urgent account notifications.
When the victim calls the phone number, the ransomware operators instruct them to download legitimate system management tools through an email link. The group then uses these tools to install other legitimate but repurposed tools to perform malicious activities. SRG compromises local files and network-shared drives to exfiltrate data and then demands a ransom.
Knowbe4’s data-driven defence evangelist, Roger Grimes, has explained how callback phishing works in a detailed blog post, explaining that it is a “cunning form of phishing.” In this tactic, the attackers use phone numbers instead of URLs to trick unsuspecting victims, which makes it different from conventional phishing scams.
Callback phishing messages come as unclickable images, creating a sense of urgency and providing a phone number. Recipients are urged to call the number, which connects them to an overseas call center or, as the FBI points out, directly to the attacker’s own call center.
“The ultimate goal of callback phishing, whether perpetrated by ransomware groups or generic scammers, is to persuade the victim to install malicious software,” Grimes noted.
Advanced callback techniques no longer rely on custom backdoors or trojans. Attackers now use semi-legitimate or legitimate remote access programs of the kind admins and users routinely use to manage computers. Once installed, these programs give remote attackers a foothold to deploy additional malicious software, scripts, and screen-monitoring capabilities.
In generic callback scams, the aim is to lure victims into transferring money to the scammers. Such scams are gaining traction because they evade anti-phishing content filters: the entire message arrives as a single image, so text-based analysis has nothing to inspect.
“With callback phishing, the entire message is one big picture. Many anti-phishing content filters cannot ‘read’ the text on the picture.”
“Second, none of the anti-phishing content filters will read the phone number and then be able to determine if it is malicious or not…. So, basically, the entire phishing scam comes in as a single picture file, containing few to no clues about whether the request is malicious.”
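One defender-side heuristic for the two gaps Grimes describes (the whole message living inside an image, and no check on the phone number), written as an added example for this article rather than code from KnowBe4 or the FBI: it parses a message with Python's standard email module, flags a body whose readable text is near-empty beside an image, and pulls phone numbers out of the subject and alt text so they can be checked against a blocklist. Both sample messages, the addresses and the placeholder PNG bytes are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Loose match for phone numbers as they appear in callback lures
# (optional +1, three-digit area code, separators . - or space).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def analyze_message(raw: bytes) -> dict:
    """Flag the image-only callback pattern and pull phone numbers from readable parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chars, image_parts = 0, 0
    readable = [msg.get("Subject", "")]
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body = part.get_content()
            text_chars += len(body.strip())
            readable.append(body)
        elif ctype == "text/html":
            html = part.get_content()
            # Keep alt text: often the only machine-readable copy of the lure.
            readable.extend(re.findall(r'alt="([^"]*)"', html))
            text_chars += len(re.sub(r"<[^>]+>", " ", html).strip())
        elif ctype.startswith("image/"):
            image_parts += 1
    phones = sorted({m.group(0) for m in PHONE_RE.finditer(" ".join(readable))})
    # Fewer than 40 readable characters next to an image: the words are in the picture.
    image_only = image_parts > 0 and text_chars < 40
    return {"image_only": image_only, "image_parts": image_parts,
            "text_chars": text_chars, "phones": phones}

def build_sample(image_only_lure: bool) -> bytes:
    """Constructed test messages; both carry a placeholder PNG attachment."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"
    m["To"] = "user@example.invalid"
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # not a real image
    if image_only_lure:
        m["Subject"] = "Your subscription renews today"
        m.add_alternative('<html><body><img src="cid:inv" alt="Call '
                          '1-800-555-0199 to cancel"></body></html>', subtype="html")
    else:
        m["Subject"] = "Q3 planning notes"
        m.set_content("Hi all, attached is the logo for the slide deck. "
                      "Draft agenda and minutes follow in the shared folder.")
    m.add_attachment(fake_png, maintype="image", subtype="png",
                     filename="invoice.png" if image_only_lure else "logo.png")
    return m.as_bytes()
```

A real deployment would add OCR over the image parts to feed the same phone-number extraction, since the alt text is optional and a lure rarely includes it.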
The FBI suggests that users and organizations regularly maintain offline data backups and ensure they are encrypted and immutable, so that they cannot be altered or deleted. It also stresses periodically reviewing the security posture of third-party vendors and of external software and hardware, since vendor access is the route these intrusions are taking.
Organizations can also protect themselves from the SRG by implementing the following security measures:
- Keep data backups offline and encrypted
- Regularly update software and operating systems
- Have a plan for responding to ransomware attacks
- Implement strong password policies and multi-factor authentication
- Educate employees about callback phishing attacks and how to avoid them