Phishing is one of the oldest forms of cybercrime. It continues to grow and evolve, making it difficult for people to defend themselves.

Callback phishing scams are email campaigns that pose as invoices or renewal notices for expensive subscriptions, sent to recipients who never signed up for the service in the first place.

The email includes a phone number the recipient can call to ask about the “membership” and cancel it. Calling that number opens the door to a social engineering attack that ends with malware on the victim's device and, in some cases, a full-blown ransomware deployment.

This type of attack started with what is now known as BazarCall campaigns.

Under the alias “BazarCall,” threat actors sent emails posing as subscription notices for popular services, along with a phone number to call in order to cancel the purchase.

When a target dialed the number, the operators walked them through a series of steps that ended with downloading a malicious Excel document that installed the BazarLoader malware. BazarLoader gave the attackers remote access to the compromised device, which was then used to stage ransomware attacks.

The evolution

The social engineering script has changed in recent callback phishing attacks, but the bait is still an invoice that appears to come from a well-known service provider.

Once the recipient phones the number, they are asked to read out the invoice details for “verification.” The scammer then claims that no matching record exists and that the email the victim received must have been spam.

The fake customer-service agent warns that the spam email may have infected the recipient's computer with malware and offers to connect them with a technician. The fake technician then directs the victim to a website where they download malware disguised as antivirus software, supposedly to clean up the infection.

In the security-software variant, the scammers claim that a security package pre-installed on the victim's laptop has expired and has been automatically renewed. The fraudster then steers the victim to a “cancellation and refund” portal that drops malware.

In every variant the goal is the same: to get the victim to install BazarLoader, a remote access trojan, or a legitimate remote access tool that the attacker controls.

The final step is persuading the victim to log in to their bank account to receive the “refund.” Using the remote access they now have, the attackers lock the victim's screen, initiate an outgoing transfer, and unlock the screen only when the bank prompts for credentials, so the victim unknowingly authorizes a payment to the attacker.

After the transfer, the victim is shown a fake “refund successful” page to make them believe the money has arrived. In some cases the threat actors also send the victim an SMS claiming the refund has been issued, so that the fraud goes unnoticed for longer.

Losing money is only one of the risks: with remote access established, the threat actors can deploy additional, more dangerous malware that spies on the victim over a longer period and steals sensitive data.

Overall, callback phishing is hard to defend against because the script keeps changing. The best defense is to recognize the signs: an unexpected invoice or renewal notice, and a phone number you are urged to call. If you suspect you are being targeted, hang up and contact your bank or the service provider through a number from its official website or your statement, never the number in the email, to verify any claimed charge.
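As an added example that is not part of the original article, the following Python script scores an inbound message against the lure characteristics described above: billing or renewal vocabulary, a phone number the recipient is told to call, and (an assumption on my part, not something the article states) the absence of any link. The keyword list, weights, threshold and the three sample messages are all my own constructions for illustration.

```python
import re
from dataclasses import dataclass, field

# Indicators of a callback phishing lure: the message claims an unexpected
# charge or renewal for a subscription and tells the recipient to phone a
# number to cancel. Weights and threshold are assumptions for illustration.
LURE_KEYWORDS = (
    "invoice", "subscription", "membership", "renewed", "renewal",
    "expired", "charged", "cancel", "refund",
)
# North American style numbers; the digit look-arounds stop invoice numbers
# or amounts from being mistaken for a phone number.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
CALL_RE = re.compile(r"\b(?:call|dial|phone|contact)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
THRESHOLD = 5  # assumption: tune against your own mail flow


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def score_email(subject: str, body: str) -> Verdict:
    """Return a heuristic score and the reasons behind it for one message."""
    text = f"{subject}\n{body}".lower()
    v = Verdict()

    # 1. Billing / renewal vocabulary, capped so one long but legitimate
    #    invoice cannot saturate the score on its own.
    hits = [k for k in LURE_KEYWORDS if k in text]
    if hits:
        v.score += min(len(hits), 3)
        v.reasons.append(f"billing keywords: {', '.join(hits)}")

    # 2. A phone number paired with an instruction to call it: the defining
    #    feature of the lure.
    phones = PHONE_RE.findall(text)
    if phones and CALL_RE.search(text):
        v.score += 3
        v.reasons.append(f"call-to-action with phone number(s): {phones}")

    # 3. Assumption: a billing mail whose only path forward is a phone call
    #    (no link to a portal at all) is more suspicious than one with a link.
    if phones and not URL_RE.search(text):
        v.score += 1
        v.reasons.append("phone number but no URL")

    return v


def is_callback_phish(subject: str, body: str, threshold: int = THRESHOLD) -> bool:
    return score_email(subject, body).score >= threshold


# Constructed sample messages (not real campaign artifacts).
SAMPLES = {
    "lure": (
        "Your premium membership has been renewed",
        "Your annual subscription of $499.99 has been charged to your card.\n"
        "Invoice no. 2023-8841203.\n"
        "To cancel or request a refund, call our billing desk at "
        "+1 (800) 555-0199 within 24 hours.",
    ),
    "receipt": (
        "Your receipt from Example Store",
        "Thanks for your order #10234. Total: $24.00.\n"
        "View your receipt at https://example.com/receipts/10234\n"
        "Questions? Reply to this email.",
    ),
    "notice": (
        "Office closed on Monday",
        "Our office will be closed on Monday for maintenance.\n"
        "For urgent matters call 1-888-555-0142.\n"
        "Opening hours: https://example.org/hours",
    ),
}

if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        v = score_email(subject, body)
        flag = "PHISH" if v.score >= THRESHOLD else "ok"
        print(f"{name:8} {flag:5} score={v.score} {v.reasons}")
```

The "notice" sample shows why the phone number alone is not enough: a benign message can legitimately ask you to call, so it is the combination with billing language and the missing self-service link that pushes the lure over the threshold.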