    Google forms used in callback phishing scams


    What happened?

    Researchers at Abnormal have discovered the latest evolution in callback phishing campaigns.

    Callback phishing?

    Traditional phishing emails may contain malicious links or attachments and use social engineering techniques to lure recipients into clicking on them.

    Callback phishing tricks unsuspecting victims into calling a fraudulent call center, where they speak to a real person who then tricks them into downloading and running malware, giving malicious hackers remote access to their PCs.

    How could I be tricked into calling a fake call center?

    It might be easier than you think. You may know the real website address of services like PayPal, Norton, GeekSquad or Disney+, but do you know the phone number for their support desk?

    So all a malicious hacker has to do is send me an email that appears to come from a service I use, giving me a compelling reason to call them…

    …and you might just call the number in the email.

    Here’s an example of a scam email purporting to be from PayPal, claiming that Netflix has charged you nearly $500 and telling you to call support if you don’t recognize the transaction.

    Well, I know what that might do to some people. But I could certainly just look at the email header and determine that it’s not actually from the company it claims to be.

    Well, yes, you probably would…if you were nerdy enough to check your email so intently. But most people don’t bother doing that.

    Additionally, the latest attacks exploit Google Forms in a rather clever way, making their callback phishing emails even more believable.

    Clever?

    I think so.

    Here’s what’s going on behind the scenes of the latest BazarCall (also known as BazaCall) attack discovered by Abnormal security researchers.

    The first step is for the attacker to create a bogus statement in a Google Form that includes a thank-you message for a payment and tells readers to call a number if they wish to stop the purchase.

    This is your electronic statement This is your PayPal payment invoice stating that you purchased Norton Life Lock Antivirus for $342.91. To stop this purchase please call: (830)715-4627

    Next, the attacker changes the form’s settings to automatically send a copy of the completed form to any email address entered into the form.

    Then, and this is where things really start to get clever, the attacker sends the invitation to fill out the form to themselves rather than to their intended victim.

    So the attacker receives the invitation to fill out the form, and when they complete it, they enter their intended victim’s email address into the form, not their own.

    Ugh! So the victims were given a statement telling them to call a phone number if they wanted to dispute the charges.

    Correct!

    But I don’t think this is any better for the attacker than sending a callback phishing email directly to the victim. Why use Google Forms?

    The attacker took advantage of the fact that the email was sent directly through Google Forms (from the google.com domain). It’s an established, legitimate domain that helps make emails appear more legitimate and less likely to be intercepted by email filtering solutions along the way.

    This is really cunning.

    Isn’t it? That’s why businesses and individuals should be vigilant and think twice before calling a customer support call center. Are you sure the number you are calling is a genuine support center, or could it be run by cybercriminals?

    So what does Google think of all this?

    A Google spokesperson told us, “Workspace has multiple layers of defenses in place to keep users safe. We are aware of recent phishing attacks using Forms, and while these appear to be targeting only a small number of users, we are working to improve detection.”
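
    Because the message really is sent from google.com, a filter has to look at what the message says rather than who sent it. The sketch below is an added example, not code from Abnormal or from this article: it flags mail from google.com whose body combines a billing lure, a phone number and an instruction to call. The sender local part, the regular expressions and the all-signals rule are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples. LURE wraps the statement text quoted in the article in
# made-up headers; the sender local part is a placeholder, not an indicator.
LURE = """\
From: Google Forms <placeholder-sender@google.com>
To: victim@example.com
Subject: Invoice

This is your electronic statement. This is your PayPal payment invoice
stating that you purchased Norton Life Lock Antivirus for $342.91.
To stop this purchase please call: (830)715-4627
"""
BENIGN = """\
From: Google Forms <placeholder-sender@google.com>
Subject: Team lunch RSVP

Thanks for filling out the team lunch RSVP. Your answer: Yes, Friday works.
"""

PHONE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
CALL = re.compile(r"\b(call|dial|phone|contact)\b", re.I)
MONEY = re.compile(r"[$€£]\s?\d[\d,]*(\.\d{2})?")
BILLING = re.compile(
    r"\b(invoice|payment|purchase|charged?|subscription|renewal|statement)\b", re.I)

def body_text(msg):
    """Join every text/* part of the message into one string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def classify(raw_email):
    """Return each signal plus an overall verdict for one raw message."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = body_text(msg)
    signals = {
        "sent_from_google": domain == "google.com",  # trusted sender, so judge content
        "phone_number": bool(PHONE.search(text)),
        "call_to_action": bool(CALL.search(text)),
        "billing_lure": bool(MONEY.search(text) and BILLING.search(text)),
    }
    signals["suspicious"] = all(signals.values())
    return signals
```

    A message flagged this way is a candidate for quarantine or a warning banner, since an ordinary form receipt rarely carries a charge amount together with a number to call.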


    Editor’s note: The views expressed in this guest author article are those of the contributor and do not necessarily reflect the views of Tripwire
