Hackers Using Phone Calls to Attack Employee System With Malware


Recently, there has been a rise in hackers using callback phishing. One common form of this attack, known as telephone-oriented attack delivery (TOAD), starts with a phishing email that seems to be from a reputable company. The email instructs the recipient to call the phone number provided in the email.

The call is answered by an attacker skilled in social engineering, who talks the victim into installing remote access malware or a legitimate remote control tool. The attackers then use that foothold to move into the network and deliver ransomware.


Ransomware operators are constantly refining their methods, which includes recruiting the affiliates that best fit their operational model.

There are multiple underground recruitment drives for TOAD specialists, who are seen as an essential component of a successful ransomware operation.


Here, expert callers act as an alternative to initial access brokers (IABs) in obtaining access to a system and assisting in collecting a ransom from the victim.

A typical TOAD attack chain

According to Proofpoint’s 2024 State of the Phish report, “upward of 10 million TOAD attacks are made every month, and 67% of businesses globally were affected by a TOAD attack in 2023”.

Increase in Vishing-Related Attacks

From late 2020 to early 2021, TOAD techniques became a major factor in the underground threat landscape, beginning with the BazarCall (also known as BazaCall) campaigns that distributed the BazarLoader malware.

Other players, including ransomware groups and operators of mobile malware, used similar approaches to steal payments and sensitive data due to the high success rate of these campaigns.

Intel 471 reports that its researchers have detected further callback phishing operations, including campaigns distributing the malware known as BokBot (also known as IcedID or IceID) and campaigns themed around MasterClass online learning or the Standard Notes app.

Around 60 actors were found offering underground call services between January 2023 and August 2024: 40 offers were observed in 2023 and 23 between January and August 2024. The market has become crowded, with many providers bundling several services into a single offering.

Vishing-related attacks have increased since the second half of 2022, most likely as a result of several actors and threat groups looking to use TOAD techniques to grow their operations. 

Languages threat actors specified when seeking underground call services

Researchers observed ransomware groups looking for callers for ransomware-focused attacks during the first quarter of 2024. A relatively new participant in the XSS forum was looking for English-speaking callers in July 2024 to undertake TOAD operations against US and Canadian organizations. 

The callers were allegedly providing open-source intelligence (OSINT) and phone support to an unknown ransomware gang. 

The toolkit the callers would allegedly receive was described as all-inclusive: Clownfish voice-changing software, access to the MicroSIP and Narayana software-based voice over IP (VoIP) services, an OpenVPN-based VPN client, and the "Fake Caller ID" spoofing service.

The M00N email spamming and phishing service offered several ways of sending the phishing emails. Separately, the QuattrO underground call service (also advertised as CallMix and Procallmix) was first offered in May 2019 by a long-time member of the Verified cybercrime community, the actor Audi, who also goes by the aliases Cartman, cartman and procallmix.

The service handles common types of fraudulent calls, such as calls to banks, delivery services and online retailers, as well as more involved schemes such as placing orders over the phone and asking for a parcel to be redirected to a different address.

Recommendations

  • Train employees to recognize, delete and report phishing attempts, particularly messages that contain unusual requests or grammatical mistakes. 
  • Never disclose sensitive information over the phone, especially in response to an email whose only contact option is a single phone number. 
  • Use anti-spoofing and email authentication technologies, such as sender policy framework (SPF), DomainKeys Identified Mail (DKIM), and domain-based message authentication, reporting and conformance (DMARC).
  • Harden message authentication and educate users to recognize TOAD social-engineering techniques.
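The following Python script is an added example written for this article (it is not code from Intel 471, Proofpoint or any vendor named above). It applies a simple triage heuristic to two constructed messages: it reads the Authentication-Results header the receiving mail server adds (SPF, DKIM and DMARC verdicts), looks for the "phone number but no link" pattern typical of a callback lure, and scores billing and pressure language. It also checks whether a DMARC TXT record actually enforces a policy, since a record with p=none only reports spoofing and does not stop it. The sender domains, phone number, amount, phrase list and the score threshold of 4 are all assumptions chosen for the example.

```python
import email
import re
from email import policy

# Constructed sample: a callback-phishing (TOAD) lure. The domain, amount
# and phone number are made up for this example.
SAMPLE_TOAD_LURE = """\
From: Billing <billing@example-subscriptions.test>
To: employee@victim.example
Subject: Your annual subscription has been renewed - $499.00 charged
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=example-subscriptions.test; dkim=none; dmarc=fail header.from=example-subscriptions.test
Content-Type: text/plain; charset=utf-8

Thank you for your order. Your premium plan has been renewed for $499.00.
If you did not authorize this charge, call our cancellation desk within
24 hours at +1 (888) 555-0199 to stop the payment.
"""

# Constructed sample: a benign internal notice that passes authentication.
SAMPLE_BENIGN = """\
From: IT Helpdesk <helpdesk@victim.example>
To: employee@victim.example
Subject: Planned maintenance on Saturday
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=victim.example; dkim=pass header.d=victim.example; dmarc=pass header.from=victim.example
Content-Type: text/plain; charset=utf-8

The file server will be offline from 02:00 to 04:00 on Saturday.
Open a ticket in the portal if you have questions.
"""

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")   # loose phone-number shape
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MONEY_RE = re.compile(r"[$€£]\s?\d")
# Assumed phrase list; a real deployment would tune this from observed lures.
PRESSURE_PHRASES = ("within 24 hours", "immediately", "stop the payment",
                    "cancel", "charged", "renewed", "invoice", "refund")
SUSPECT_THRESHOLD = 4  # assumed cut-off for this example


def parse_auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header.
    Methods that are absent are reported as 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    header = str(msg.get("Authentication-Results", ""))
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", header, re.IGNORECASE):
        results[method.lower()] = verdict.lower()
    return results


def score_callback_lure(raw_message):
    """Score one raw RFC 5322 message for callback-phishing traits."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    # Collapse line breaks so multi-word phrases match across folded lines.
    text = re.sub(r"\s+", " ", f"{msg.get('Subject', '')} {body}").lower()
    auth = parse_auth_results(msg)
    phones = [p.strip() for p in PHONE_RE.findall(body)]
    score, reasons = 0, []
    for method, verdict in auth.items():           # one point per failed method
        if verdict != "pass":
            score += 1
            reasons.append(f"{method}={verdict}")
    if phones:
        score += 2
        reasons.append("phone number in body")
        if not URL_RE.search(body):                # the classic TOAD shape
            score += 1
            reasons.append("phone is the only contact channel (no links)")
    hits = [w for w in PRESSURE_PHRASES if w in text]
    if hits:
        score += min(len(hits), 2)
        reasons.append("pressure/billing language: " + ", ".join(hits))
    if MONEY_RE.search(text):
        score += 1
        reasons.append("money amount mentioned")
    verdict = "callback-lure-suspect" if score >= SUSPECT_THRESHOLD else "ok"
    return {"score": score, "verdict": verdict, "phones": phones,
            "auth": auth, "reasons": reasons}


def parse_dmarc(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag=value pairs."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_enforcing(txt):
    """True only if the record asks receivers to quarantine or reject failures."""
    tags = parse_dmarc(txt)
    return tags.get("v") == "DMARC1" and tags.get("p") in ("quarantine", "reject")


# Constructed records: the weak setting beside the corrected one.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@victim.example"
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@victim.example"

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_TOAD_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, score_callback_lure(raw))
    print("weak DMARC enforcing:", dmarc_is_enforcing(WEAK_DMARC))
    print("strong DMARC enforcing:", dmarc_is_enforcing(STRONG_DMARC))
```

The authentication verdicts alone are not decisive: a TOAD lure sent from a compromised or look-alike domain can pass SPF and DKIM, which is why the phone-only contact pattern and the pressure language carry weight in the score. Conversely, a failed DMARC result is only useful if the domain owner's record tells receivers to act on it, which the DMARC check makes visible.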
