Is telephone contact the new era of phishing scams?

A particularly tricky phishing campaign is currently running in the USA that uses not only e-mail but also telephone contact. The victims receive an email telling them that their trial subscription to an obscure streaming service called BravoMovies is about to expire. Unless they cancel by telephone, they will supposedly be billed $39.99 per month from then on.

The email helpfully includes a customer service telephone number. If the indignant victim calls this hotline, a friendly "customer service representative" answers and offers to walk the victim through the cancellation process on the BravoMovies website.

In reality, the call is designed to trick the caller into installing the BazaLoader malware. To end the supposed trial subscription, the victim is directed to a "subscription" page on the site, which prompts them to download an Excel file.

The spreadsheet contains macros that, provided macros are enabled on the computer, download the malware in the background. The victim notices none of this and feels safe once the supposed cancellation process is complete. Note that the whole chain depends on that one condition: without macro execution on the endpoint, the spreadsheet is inert.
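The delivery step above hinges on a single artefact, a macro-carrying workbook that the victim downloads from a website rather than receiving as an attachment, so anything that inspects browser downloads (a proxy, an EDR hook, a sandbox submission script) needs to recognise that artefact. The following Python is an added example, not Proofpoint's code and not part of the original article. It works purely on the zip structure of Office Open XML workbooks (.xlsx/.xlsm), flags a VBA project and Excel 4.0 macro sheets, and hands legacy OLE files (.xls, .xlsb) off to a dedicated parser such as oletools' olevba rather than guessing. The article does not say which Excel format the campaign used, so both container types are handled. The sample workbooks the script builds are constructed stubs containing only the parts the triage looks at, not real Excel files, and the file names are invented.

```python
"""Gateway-style triage of a downloaded Excel workbook for macro content.

Added example (not Proofpoint's code and not from the original article).
Standard library only; inspects the OOXML zip layout that .xlsx/.xlsm share.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.xlsb compound-file header
VBA_PART = "xl/vbaProject.bin"                    # VBA project storage inside an OOXML workbook
XLM_PREFIX = "xl/macrosheets/"                    # Excel 4.0 (XLM) macro sheets live here
MACRO_ENABLED_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def triage_workbook(data: bytes, filename: str) -> dict:
    """Inspect workbook bytes and return findings plus an allow/block verdict."""
    if data.startswith(OLE_MAGIC):
        # Not a zip container: defer to an OLE-aware tool (e.g. olevba) instead of guessing.
        return {"verdict": "legacy-ole", "reason": "OLE container; analyse with olevba"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"verdict": "not-a-workbook", "reason": "neither OLE nor zip container"}

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        has_vba = VBA_PART in names
        xlm_sheets = sorted(n for n in names if n.startswith(XLM_PREFIX))
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")

    declared_macro_enabled = MACRO_ENABLED_CT in content_types
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # Macro content inside a file whose name says .xlsx is inconsistent and worth
    # flagging on its own: extension-based filters would treat it as harmless.
    extension_mismatch = (has_vba or bool(xlm_sheets)) and ext == "xlsx"

    has_macros = has_vba or bool(xlm_sheets) or declared_macro_enabled
    return {
        "verdict": "block" if has_macros else "allow",
        "has_vba_project": has_vba,
        "xlm_macro_sheets": xlm_sheets,
        "declared_macro_enabled": declared_macro_enabled,
        "extension_mismatch": extension_mismatch,
    }


def build_sample_workbook(with_vba: bool = False, with_xlm: bool = False) -> bytes:
    """Constructed minimal workbook with only the parts the triage inspects.

    Not a real Excel file: the VBA part is a stub with an OLE header, which is
    enough to exercise the checks without shipping an actual macro.
    """
    main_ct = MACRO_ENABLED_CT if (with_vba or with_xlm) else PLAIN_CT
    overrides = [f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>']
    if with_vba:
        overrides.append('<Override PartName="/xl/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr(VBA_PART, OLE_MAGIC + b"\x00" * 64)
        if with_xlm:
            zf.writestr(XLM_PREFIX + "sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs; the file names are invented for the demonstration.
    samples = [
        ("cancel_subscription.xlsm", build_sample_workbook(with_vba=True)),
        ("cancel_subscription.xlsx", build_sample_workbook(with_vba=True)),  # mismatched name
        ("cancel_subscription_xlm.xlsm", build_sample_workbook(with_xlm=True)),
        ("invoice.xlsx", build_sample_workbook()),
        ("old_report.xls", OLE_MAGIC + b"\x00" * 8),
    ]
    for name, blob in samples:
        print(name, triage_workbook(blob, name))
```

The script reports structure, not intent: a workbook with a VBA project is not proof of malice, but in a flow where a "cancellation" page hands out a spreadsheet, a block verdict is the right default. For the legacy-ole case, run olevba on the file; it decompresses the VBA source, which this script deliberately does not attempt.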

The scam was described by Proofpoint security researchers in a recent report. They point out that the criminals took unusual care to keep victims from becoming suspicious. The fake BravoMovies website, for instance, is quite convincing: it even carries fake movie posters advertising supposed in-house productions, made by taking openly licensed images and adding film titles and release years.

At first glance, running a call center seems unnecessarily elaborate, but the Proofpoint researchers emphasize that it makes the email look more credible and arouses less suspicion. Just as importantly, the victims type the URL of the BravoMovies website themselves and trigger the download of the malware, so the email contains no attachment or malicious link for attachment and URL scanning at the mail gateway to catch. The only controls left in the path are those on the endpoint and whatever inspects browser downloads.

The payload delivered in this campaign is BazaLoader. It opens a backdoor on Windows computers that attackers can use to stage further malware, including ransomware. The Ryuk ransomware, for example, has been deployed over BazaLoader footholds in the Windows networks of large organizations. The current campaign therefore poses a major risk.

The good news for companies and Internet users in Germany is that so far cases have only been observed in the USA. That does not mean the same scam could not be run here, so it is worth staying vigilant and taking the usual steps to limit the damage malware can do. In this case, disabling macros (in Office, the policy setting "Disable all macros without notification") would already offer real protection, since the chain depends entirely on the victim enabling them. It is also advisable to work without administrator rights as a rule; malware cannot then simply install itself system-wide in the background. That limits what a loader running in the user's context can do rather than stopping it from running at all, so it complements the macro setting rather than replacing it.

