Hackers are impersonating well-known cybersecurity companies in callback phishing emails to gain initial access to corporate networks. CrowdStrike has recently been among the companies impersonated.
Most phishing campaigns either embed malicious links that lead to credential-stealing landing pages or carry harmful attachments that install malware.
Over the past year, threat actors have increasingly used “callback” phishing campaigns that impersonate well-known cybersecurity companies and ask victims to call a phone number to resolve a problem, cancel a subscription, or discuss some other issue.
When the target calls the number, the threat actors use social engineering to convince the user to install remote access software on their device. This gives the threat actors a foothold on the corporate network, which is then used to compromise the whole Windows domain.
A new campaign that surfaced recently relies entirely on this kind of social engineering: emails impersonating CrowdStrike warn recipients that a malicious network intruder has compromised their workstation and that an in-depth security audit is urgently required.
The email asks employees to ring them on an enclosed phone number to schedule the audit.
If the employee calls, the hackers walk them through installing remote administration tools (RATs) that give the threat actor complete control over the workstation.
The threat actor then remotely installs further tools that allow them to spread laterally through the network, potentially stealing data and deploying ransomware to encrypt devices.
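As an added defender-side illustration (not code from the article or from CrowdStrike), the following Python heuristic scores an inbound email for the traits of the lure described above: a security vendor named in a message sent from an unrelated domain, a callback phone number, urgency language, and no links or attachments at all. The sample messages, the sender domains and the vendor domain list are constructed assumptions.

```python
import re
from typing import Dict, List

# Brands worth watching and the mail domains allowed to use them.
# Assumption: crowdstrike.com is the vendor's real domain; extend per vendor.
VENDOR_DOMAINS = {"crowdstrike": {"crowdstrike.com"}}
URGENCY_TERMS = ("urgent", "compromised", "intruder", "breach", "immediately", "audit")
# North-American style number; adapt the pattern for other regions.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def triage(msg: Dict[str, object]) -> Dict[str, object]:
    """Score one message for callback-phishing traits and explain the score."""
    text = f"{msg['subject']} {msg['body']}".lower()
    sender_domain = str(msg["from"]).rsplit("@", 1)[-1].lower()
    reasons: List[str] = []
    # Vendor brand cited, but the mail did not come from that vendor's domain.
    for brand, domains in VENDOR_DOMAINS.items():
        if brand in text and sender_domain not in domains:
            reasons.append(f"mentions {brand} but sent from {sender_domain}")
    phones = PHONE_RE.findall(str(msg["body"]))
    if phones:
        reasons.append(f"callback number present: {phones[0].strip()}")
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        reasons.append("urgency language: " + ", ".join(hits))
    # Callback lures carry no payload: the phone number is the only hook.
    if phones and not msg.get("links") and not msg.get("attachments"):
        reasons.append("no links or attachments: the phone call is the only lure")
    score = len(reasons)
    return {"score": score, "suspicious": score >= 3, "reasons": reasons}


# Constructed sample messages (not real emails) for demonstration.
CALLBACK_LURE = {
    "from": "support@secops-helpdesk.example",
    "subject": "URGENT: CrowdStrike detected an intruder on your workstation",
    "body": ("A malicious network intruder has compromised your workstation. "
             "An in-depth security audit is required immediately. "
             "Call us at (555) 010-2233 to schedule it."),
    "links": [], "attachments": [],
}
BENIGN_NOTICE = {
    "from": "noreply@crowdstrike.com",
    "subject": "Your monthly service report is ready",
    "body": "The report is available in the customer portal.",
    "links": ["https://portal.example/report"], "attachments": [],
}

if __name__ == "__main__":
    for sample in (CALLBACK_LURE, BENIGN_NOTICE):
        print(triage(sample))
```

In practice the same checks belong in a mail-gateway rule or a SIEM enrichment so that flagged messages are routed to the security team rather than the employee, who should confirm any such request through the vendor's known support channel.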
CrowdStrike warns, “this is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches.”
In March 2022, CrowdStrike’s analysts identified a similar campaign in which threat actors used AteraRMM to install Cobalt Strike and then move laterally across a victim’s network before deploying malware.