Microsoft Doesn’t Call You Unsolicited
Hackers Employ Phishing Scam
Fake call centers and dubious Microsoft representatives have become a staple of the scammer’s toolbox, often used to install malware or spyware under the guise of “fixing” the user’s devices. As these tactics become better known and victims become harder to convince, hackers are building more complex campaigns that tailor phishing attempts to specific targeted users.
The cybercriminal gang Luna Moth has been running one such campaign, focusing on legal and retail companies since May this year with a specialized callback phishing scheme. While regular callback schemes rely on installing malware to monitor and steal data in the background, this campaign uses legitimate tools to bypass antivirus and mail spam filtering systems.
The scheme begins with an email in which the scammers pose as a business with a subscription system, informing the user of a fabricated membership purchase with a PDF invoice attached. While the PDF itself is not dangerous, it includes a 9- or 10-digit confirmation number that the scammers use to identify the specific victim. The victim is given a support line to call to cancel the subscription, which is staffed by agents employed by Luna Moth. The agents install legitimate monitoring software such as Zoho Assist on the victim’s PC, or other software with persistent sessions such as Syncro or WinSCP. After finishing the mock support session, the agents reconnect to the PC hours or weeks later to download all personal and financial information to a remote server.
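As an added illustration of the defensive side (not part of the original article), the following Python script scans constructed process-creation log lines for a first launch of the remote-access tools named above on a host where they are not sanctioned, and for such a tool reappearing on a host after a long quiet interval, the pattern of the later reconnection described above. The log format, host names, binary names and the APPROVED list are all assumptions.

```python
from datetime import datetime, timedelta

# Product names the article lists as abused; matched case-insensitively
# against the image field. Binary names in the sample log are constructed.
REMOTE_TOOLS = ("zoho", "syncro", "winscp")

# Hosts where a given tool is sanctioned (assumption: the org keeps such a list).
APPROVED = {"helpdesk-01": {"syncro"}}

# Constructed process-creation events: timestamp, host, user, image.
SAMPLE_LOG = """\
2022-06-01T09:12:00 fin-laptop-07 alice ZohoAssist-Setup.exe
2022-06-01T09:40:00 fin-laptop-07 alice winword.exe
2022-06-01T10:05:00 helpdesk-01 bob SyncroAgent.exe
2022-06-03T02:17:00 fin-laptop-07 alice WinSCP.exe
2022-06-03T02:20:00 fin-laptop-07 alice ZohoAssist.exe
"""

def parse(log):
    """Turn the whitespace-separated sample lines into (time, host, user, image)."""
    events = []
    for line in log.strip().splitlines():
        ts, host, user, image = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, user, image))
    return events

def tool_in(image):
    """Return the matching remote-tool keyword for an image name, or None."""
    low = image.lower()
    return next((t for t in REMOTE_TOOLS if t in low), None)

def find_alerts(log, gap=timedelta(hours=12)):
    """Return (timestamp, host, reason) tuples for unsanctioned remote-tool use
    and for a tool reappearing on a host after more than `gap` of silence."""
    alerts, last_seen = [], {}
    for ts, host, user, image in parse(log):
        tool = tool_in(image)
        if tool is None:
            continue
        key = (host, tool)
        if tool not in APPROVED.get(host, set()):
            if key not in last_seen:
                alerts.append((ts, host, f"unsanctioned {tool} launched by {user}: {image}"))
            elif ts - last_seen[key] > gap:
                alerts.append((ts, host, f"{tool} reappeared {ts - last_seen[key]} after last use"))
        last_seen[key] = ts
    return alerts

if __name__ == "__main__":
    for ts, host, why in find_alerts(SAMPLE_LOG):
        print(ts.isoformat(), host, why)
```

Running it against the sample flags the Zoho Assist installer and WinSCP on the finance laptop, then the Zoho Assist relaunch two days later, while the sanctioned Syncro agent on the helpdesk host stays quiet.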
After the information has been extracted, the hackers send the user an email demanding payment in Bitcoin. If payment is not made, the group threatens to release the information on the dark web and to email the victim’s customers and clients in order to pressure the victim into paying. Payment does not guarantee the safety of the victim’s data, as the data was often sold after payment regardless.
As there is little warning or indication of an impending attack, IT professionals recommend being wary of unsolicited invoices, especially ones that press the recipient to act urgently. Never respond directly to a suspicious invoice; report it to your IT department immediately, as others within your company may also be targeted.