Callback Phishing Attacks Using Google Groups To Steal Login Details


Phishing attacks are deceptive schemes where attackers impersonate reputable entities to trick individuals into revealing “sensitive information.”

These attacks often occur via email using urgent language to prompt victims to click on “malicious links” or “download harmful attachments.”


Trustwave cybersecurity analysts recently warned of callback phishing attacks that abuse Google Groups to steal login details.

Callback Phishing Attacks

Trustwave SpiderLabs documented a significant surge of “140%” in “callback phishing attacks” (aka “Telephone-Oriented Attack Delivery” or “TOAD”) between July and September. 

They found that the attacks evolved from a “fake order spam scheme” delivered via Google Groups that they had documented earlier. 


This sophisticated “hybrid cyberattack” combines “traditional email phishing” with “social engineering” via “phone calls,” where threat actors employ various “TTPs.” 

The attack begins with “phishing emails containing text obfuscation” (‘using base64 encoding’ and ‘invisible characters’), “image-based spam” (‘.gif files’), or “document-based lures” (‘PDF,’ ‘.txt,’ ‘.doc’ formats) impersonating legitimate brands. 

Callback phishing attack flow (Source – Trustwave)

These emails prompt victims to call the provided phone numbers about “fake invoices” or “account terminations,” and they frequently evade “text-based spam filters.” 

The attack then branches into three primary vectors:- 

  • Vishing (voice phishing) for stealing PII and banking credentials.
  • Malware deployment (like “BazarCall” distributing “BazarLoader malware”).
  • Remote access exploitation (as seen in “Luna Moth campaigns”).

Calendly scheduler (Source – Trustwave)

The scheme’s effectiveness stems from its “dual-channel approach,” which combines “real-time social manipulation” via “phone calls,” “delayed detection due to minimal digital footprints,” and “integration with legitimate services like Calendly for scheduling fraudulent support calls.” 

Together, these make it particularly challenging for traditional security measures to detect and prevent.

Callback sent using Paypal (Source – Trustwave)
Callback phishing sent using Xero (Source – Trustwave)
Bogus QuickBooks invoice (Source – Trustwave)
Callback phishing sent using Honeybook (Source – Trustwave)

Financial platforms are experiencing sophisticated cybersecurity breaches where attackers exploit legitimate services like “PayPal,” “Xero,” “QuickBooks,” and “HoneyBook” via “callback phishing.” 

These attacks leverage authentic email authentication protocols such as “DKIM” (‘DomainKeys Identified Mail’) signatures and “platform-specific header stamps” to evade security measures. 

The attackers create fraudulent payment requests and invoices by sending them first to “dummy email addresses” before “forwarding them to actual victims,” thereby evading “email authentication checks.” 

The malicious emails contain legitimate “From” addresses, “authentic platform links,” and “genuine website redirects,” which makes them particularly deceptive. 

However, the distinguishing red flags include “suspicious payment notes,” “mismatched ‘To’ addresses using newly registered domains,” and “fraudulent customer service phone numbers.” 

This attack vector is particularly effective because it combines “social engineering” with “technical legitimacy”: the emails pass through “security filters” since they originate from trusted financial platforms, yet they carry urgency triggers like “overdue payments” or “account anomalies” to manipulate victims into calling fake support numbers. 

The process illustrates a sophisticated evolution of “TOAD” where attackers exploit the inherent trust in established financial platforms’ infrastructure while maintaining the human manipulation aspect of traditional phishing schemes.
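The red flags described above can be turned into a simple triage rule for a mail gateway. The following is an added example written for this article, not Trustwave’s tooling: it treats a genuine platform sender as expected rather than suspicious, and instead flags the forwarded-invoice pattern (a “To” domain that differs from the real recipient, assumed here to be recorded by the gateway in a Delivered-To header), a callback phone number in the payment note, and urgency wording. The newly-registered-domain check from the article would need a WHOIS/RDAP lookup and is left out; the sample message is constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Platforms the article names as abused senders; their mail is DKIM-valid.
TRUSTED_PLATFORMS = {"paypal.com", "intuit.com", "xero.com", "honeybook.com"}
URGENCY = re.compile(r"\b(overdue|within \d+ hours|unauthori[sz]ed|suspend|terminat)", re.I)
PHONE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def domain_of(header_value):
    """Lower-cased domain of an address header ('' if absent)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def is_platform(domain):
    return any(domain == p or domain.endswith("." + p) for p in TRUSTED_PLATFORMS)

def triage(raw_eml):
    """Return the article's red flags for one message plus an overall verdict."""
    msg = message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    to_dom, delivered_dom = domain_of(msg["To"]), domain_of(msg["Delivered-To"])
    flags = {
        # Genuine platform sender: authentication passes, so not a flag by itself.
        "from_platform": is_platform(domain_of(msg["From"])),
        # Invoice addressed to a dummy mailbox, then forwarded to the real victim
        # (assumes the gateway records the real recipient in Delivered-To).
        "to_mismatch": bool(to_dom and delivered_dom and to_dom != delivered_dom),
        # The callback number in the payment note is the lure itself.
        "phone_numbers": PHONE.findall(text),
        "urgency": bool(URGENCY.search(str(msg["Subject"] or "") + "\n" + text)),
    }
    flags["suspect"] = (flags["from_platform"] and bool(flags["phone_numbers"])
                        and (flags["to_mismatch"] or flags["urgency"]))
    return flags

# Constructed sample: sender checks pass, every red flag above is present.
SAMPLE_EML = """\
From: QuickBooks <quickbooks@notification.intuit.com>
To: billing@acme-invoices-2024.example
Delivered-To: finance@victim.example
Subject: Invoice 1043 overdue
Content-Type: text/plain; charset=utf-8

Your card was charged $499.99 for an annual subscription. If you did not
authorize this, call our billing team at +1 (800) 555-0142 within 24 hours.
"""
```

Running `triage(SAMPLE_EML)` returns every flag set and `suspect` true, while a plain message from an unknown sender with no phone number is not flagged.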

Recommendations

The recommendations are as follows:-

  • Be cautious of uninvited emails.
  • Use official contacts, not email-provided numbers.
  • Don’t share personal info on calls.
  • Monitor bank accounts and report irregularities.
  • Stay updated on phishing and also train employees.
