Brazen cyber criminals are now posing as cybersecurity companies in phishing messages which claim that the recipient has been hit by a cyber attack and that they should urgently respond in order to protect their network.
But if the recipient does respond they risk opens the door to hackers and could see their systems compromised with malware, ransomware and other dangerous cyber threats.
The phishing campaign has been detailed by researchers at Crowdstrike, which is one of several cybersecurity companies being impersonated by cyber criminals to trick victims into calling a phoney helpline which then encourages the victim into supplying remote access to their network. Crowdstrike hasn’t detailed which other cybersecurity companies are being impersonated.
The message claims to be from “your company’s outsourced data security services vendor” and suggests that “abnormal activity” and a “potential compromise” has been discovered on the network as part of a “daily network audit”.
It goes onto suggest that the cybersecurity provider is already dealing with the company’s information security team, but that they’ve also been told to contact employees about their own machines and that it’s “highly necessary” for the person receiving the email to respond to the message.
The person receiving the email is provided with an incident case number and is told to call a particular phone number to organise the audit. The example detailed by Crowdstrike also features accurate branding.
Crowdstrike describes this as “callback phishing” because when the victim calls the number, they’re connected to an operator who’ll try to persuade them to install remote administration tools (RATs) to gain access to the network.
While the victim might believe a RAT – a tool used for legitimate purposes by many IT teams – is being installed to combat an infection, they’re actually just unwittingly allowing a cyber criminal to gain initial access to the network, for exploitation down the line.
“This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches,” Crowdstike said in a blog post.
Researchers haven’t been able to identify what exactly the criminals behind this particular social engineering and phishing campaign are doing, but they note that a similar campaign identified in March this year installed remote access software to provide lateral movement around networks and install malware.
The likely end goal of the cyber criminals behind these phishing attacks is monetizing the access they’ve tricked victims into giving, potentially with ransomware attacks. That could be by the cyber criminals encrypting the network with ransomware themselves, or selling access to infected network to ransomware groups.
“CrowdStrike will never contact customers in this manner,” the company said – and anyone who receives an email like this is urged to forward it to their cybersecurity provider to investigate.