
Don’t fall for those emails telling you about a subscription charge

The Washington Post, 11/21/2022, by Tim Starks and Aaron Schaffer

Welcome to The Cybersecurity 202! I wish you luck on getting work done this week as you daydream about Thanksgiving dinner.

Below: Twitter could see outages and bugs, and Amazon is shuttering a free encrypted messaging service. First:

‘Callback phishing’ is all the rage for hackers

Hackers have been doing “callback phishing” since at least 2020. (Josep Lago/AFP/Getty Images)

Hackers are stepping up their attempts to lure people into calling them to try to reverse fake payments and charges, according to research out this morning.

A campaign by a group known as “Luna Moth” and “Silent Ransom Group” has “cost victims hundreds of thousands of dollars and is expanding in scope,” cybersecurity firm Palo Alto Networks’s Unit 42 said in its report.

The warning comes as Americans face relentless scam calls — and get little relief. By doing “callback phishing,” attackers prey on victims’ desire to not get billed for things they didn’t purchase. The tactic uses the targets’ impulses to cut expenses in a slowing economy against them.

Callback phishing schemes have “revolutionized data breaches,” AdvIntel researchers said in August in a report that focused on three separate groups conducting them.

Palo Alto Networks has responded to several cases involving Silent Ransom/Luna Moth.

The group has shown particular precision, Palo Alto Networks said. “This threat actor has significantly invested in call centers and infrastructure that’s unique to each victim,” its report said. Early on, the group would use recycled phone numbers, but it has begun to use unique phone numbers for each victim, limiting the ability of victims to easily detect whether they’re malicious, Palo Alto Networks said.

  • Silent Ransom/Luna Moth is an offshoot of notorious ransomware gang Conti, according to AdvIntel. Palo Alto Networks said it couldn’t make a similar attribution yet.

The cases involving Silent Ransom/Luna Moth that Palo Alto Networks worked on “show a clear evolution of tactics that suggests the threat actor is continuing to improve the efficiency of their attack,” the company said. “Cases analyzed at the beginning of the campaign targeted individuals at small- and medium-sized businesses in the legal industry. In contrast, cases later in the campaign indicate a shift in victimology to include individuals at larger targets in the retail sector.”

How it works

Hackers have been using callback phishing since at least 2020, when the ransomware gang Ryuk began employing it.

Here’s the process:

  • A target receives an email, saying that they’ll be billed for a subscription or payment. The email gives a phone number to call if they have any issues.
  • When the target calls to dispute the charge, the call center walks them through steps that are supposedly needed to cancel it. What those steps actually do is get the target to download and run a tool that gives the attackers remote access to their computer.
  • Once inside a victim’s systems, the attackers can steal an organization’s data and hold it for ransom.

(Palo Alto Networks’ report also includes a sample of one of these phone calls.)
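The lure in the first step is easy to describe but awkward for mail filters, because it carries a phone number rather than a link or attachment. As an added example (not code from the article or from any of the vendors it cites), the following Python scores a message against that pattern. The sample message, the billing keywords, the sender domain and the phone number are all constructed for the example; the assumption that a callback lure has no URL or attachment is the editor’s, drawn from the fact that the attack asks the victim to phone rather than click.

```python
import re
from email import message_from_string, policy

# Constructed sample lure (brand, amount, reference and number are invented).
SAMPLE_EML = """\
From: "Billing Department" <billing@invoice-notice-center.example>
To: jane.doe@victim.example
Subject: Your annual subscription has been renewed - Invoice #A48213
Content-Type: text/plain; charset=utf-8

Dear Customer,

Your subscription to GeekProtect Premium has been renewed and your
account will be charged $389.99 within 24 hours.

If you did not authorise this charge, call our support desk at
+1 (888) 555-0142 to cancel and request a refund. Please have your
reference number A48213 ready.

Thank you,
Billing Department
"""

# Assumed indicator vocabulary; extend from the lures you actually receive.
BILLING_TERMS = ("subscription", "renewed", "charged", "invoice", "refund", "cancel")
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def score_callback_lure(raw_message: str) -> dict:
    """Heuristic triage for a callback-phishing lure.

    Indicators: billing language, a phone number to call, and the absence
    of anything a link or attachment scanner could inspect.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    subject = msg["subject"] or ""
    text = f"{subject}\n{body}".lower()

    billing_hits = sorted(t for t in BILLING_TERMS if t in text)
    # Keep only matches with at least 10 digits so dates and amounts drop out.
    phones = [m.group() for m in PHONE_RE.finditer(body)
              if len(re.sub(r"\D", "", m.group())) >= 10]
    has_url = bool(URL_RE.search(body))
    has_attachment = any(True for _ in msg.iter_attachments())
    addresses = getattr(msg["from"], "addresses", ())
    sender_domain = addresses[0].domain if addresses else ""

    if len(billing_hits) >= 2 and phones and not has_url and not has_attachment:
        verdict = "likely_callback_lure"
    elif billing_hits and phones:
        verdict = "review"
    else:
        verdict = "benign"

    return {"sender_domain": sender_domain, "billing_terms": billing_hits,
            "phone_numbers": phones, "has_url": has_url,
            "has_attachment": has_attachment, "verdict": verdict}


if __name__ == "__main__":
    for key, value in score_callback_lure(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The useful output is the phone number: a mail gateway that can’t block on a missing link can still route every "billing + phone number + no URL" message to a quarantine where the number is checked against the vendor’s published support line before anyone dials it.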

How it’s evolving

Callback phishing has seen an extraordinary burst in frequency of late.

From the beginning of 2021 to the second quarter of 2022, callback phishing increased by 625 percent, email security company Agari calculated.

Malicious hackers carrying out the schemes are shifting their thinking to be more targeted and sophisticated in trying to hit specific victims, according to researchers from AdvIntel who wrote about three groups carrying out the attacks in an August report.

The attackers have gotten more sophisticated in their tricks. Earlier versions of callback phishing relied on victims downloading malware. Silent Ransom/Luna Moth, by contrast, doesn’t require its victims to download any malware at all, with the hackers instead relying on commercial tools designed to let IT administrators get remote access to computers and other publicly available tools, cybersecurity firm Sygnia said in a July report.

That can make the hackers harder to detect because legitimate tools are less likely to set off alarms with traditional anti-virus products, Palo Alto Networks said.
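Because the tool itself is legitimate, the detectable signal is context rather than a file hash: who ran it, from where, what launched it, and what followed. As an added example (editor’s code, not from the article or from Unit 42, Sygnia or AdvIntel), the following Python runs that logic over a handful of constructed process-creation events. The tool watchlists, host names, user names and paths are all assumptions; in particular the list of remote-assist and transfer tools is illustrative and should be replaced by whatever your own IT does and does not sanction.

```python
from datetime import datetime, timedelta

# Assumed watchlists (illustrative, not taken from any of the cited reports).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe",
                       "supremo.exe", "screenconnect.clientservice.exe"}
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe", "megasync.exe", "filezilla.exe"}
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\", "\\desktop\\", "\\temp\\")

# Constructed process-creation events (Sysmon-style fields; hosts, users and
# paths are invented). Events 3 and 4 are the callback-phishing pattern: a
# remote-assist binary run from Downloads with a browser parent, then a
# transfer tool spawned from inside that session. Event 5 is a sanctioned
# install running as a service and must not alert.
EVENTS = [
    {"ts": "2022-11-21T09:02:11", "host": "WS-0417", "user": "VICTIM\\jane.doe",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2022-11-21T09:40:03", "host": "WS-0417", "user": "VICTIM\\jane.doe",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2022-11-21T09:47:55", "host": "WS-0417", "user": "VICTIM\\jane.doe",
     "image": "C:\\Users\\jane.doe\\Downloads\\AnyDesk.exe",
     "parent": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"ts": "2022-11-21T10:12:30", "host": "WS-0417", "user": "VICTIM\\jane.doe",
     "image": "C:\\Users\\jane.doe\\AppData\\Local\\Temp\\rclone.exe",
     "parent": "C:\\Users\\jane.doe\\Downloads\\AnyDesk.exe"},
    {"ts": "2022-11-21T10:30:00", "host": "WS-0102", "user": "VICTIM\\helpdesk",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
]


def image_name(path: str) -> str:
    """Lower-cased executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    """True for paths under a user profile that any user can write to."""
    p = path.lower()
    return "\\users\\" in p and any(d in p for d in USER_WRITABLE_DIRS)


def detect_callback_intrusion(events, window=timedelta(minutes=60)):
    """Two-stage rule: a remote-assist tool launched from a user-writable
    directory (medium), then a transfer tool on the same host inside
    `window` (high). A sanctioned copy under Program Files never matches."""
    alerts = []
    first_remote = {}  # host -> time of first unsanctioned remote-assist launch
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        name = image_name(ev["image"])
        if name in REMOTE_ACCESS_TOOLS and in_user_writable_dir(ev["image"]):
            first_remote.setdefault(ev["host"], ts)
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "severity": "medium", "tool": name,
                           "reason": "remote-access tool run from user-writable "
                                     f"path, parent {image_name(ev['parent'])}"})
        elif name in TRANSFER_TOOLS:
            started = first_remote.get(ev["host"])
            if started is not None and ts - started <= window:
                minutes = int((ts - started).total_seconds() // 60)
                alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                               "severity": "high", "tool": name,
                               "reason": f"transfer tool {minutes} min after "
                                         "unsanctioned remote-access session"})
    return alerts


if __name__ == "__main__":
    for a in detect_callback_intrusion(EVENTS):
        print(a["severity"].upper(), a["ts"], a["host"], a["tool"], "-", a["reason"])
```

The parent-process field is what separates the two AnyDesk launches: the victim’s copy was started from a browser download, the helpdesk’s runs as a service from Program Files. Keying the rule on install location and parent rather than on the tool’s name is what lets it coexist with a sanctioned deployment of the same product.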

Callback phishing has been far more precise than ransomware’s random and repetitive targeting, AdvIntel said. Hackers have created phishing messages that are tailored to specific victims, the firm said.

  • It’s also less reliant on technical expertise, instead focusing on human fallibility. And hackers have taken notice. “We can’t win the technology war because on this ground we compete with billion-dollar companies, but we can win the human factor,” said one Conti member in internal communications, according to AdvIntel.
  • It requires more resources, though, Unit 42 Senior Threat Researcher Kristopher Russo told me. “It requires the threat actor to allocate someone to take the call with the victim, walk them through downloading the remote assist software and keep them on the line long enough to install the remote management software,” he said. “These attackers would also need to have business operations set up to track things like a reference number to have the details of the campaign against the victim including name, email, amount and service they sent the phishing email saying they’re subscribed to.”

Other groups relying on the technique include Quantum and Roy/Zeon, AdvIntel said. The Royal ransomware group also has reportedly dabbled with the method.

In trying to come up with a way to defend against the attacks, cybersecurity researchers are also turning to the human factor.

“Since there are very few early indicators that a victim is under attack, employee cybersecurity awareness training is the first line of defense,” Palo Alto Networks advised.

The keys

Twitter users prepare for potential bugs, outages

Some critical Twitter teams have been whittled down to just one engineer — or none — after an exodus of hundreds of employees last week, Joseph Menn and Cat Zakrzewski report. That makes the site likely to crash eventually, engineers said.

“Every mistake in code and operations is now deadly,” according to a former engineer who left Twitter last week. Those left “are going to be overwhelmed, overworked and, because of that, more likely to make mistakes.” The systems could slowly degrade, it could take a longer time to fix bugs or Twitter could break when engineers implement Musk’s ideas on top of Twitter’s software, according to former employees.

The staffing changes could also affect content on the site. “Half the trust and safety policy team resigned, including a majority of those who work on spotting misinformation, spam, fake accounts and impersonation,” my colleagues write, citing two employees familiar with the team. “Many of those who chose to stay did so to keep their health insurance or because they would be subject to deportation without a job.”

Amazon Web Services says it’s shutting down a free encrypted messaging service

Amazon Web Services acquired Wickr last year. (Patricia De Melo Moreira/AFP/Getty Images)

Wickr Me will stop accepting new users at the end of December and the consumer messaging service will shut down at the end of 2023, the Verge’s Emma Roth reports. The announcement comes around 17 months after Amazon Web Services announced its acquisition of Wickr. Wickr says its paid offerings won’t be affected.

“Recent reports suggest the app has become an outlet for criminals, with NBC News reporting in June that the app is ‘a go-to destination’ for people who want to share images of child sex abuse,” Roth writes. “It’s also been implicated in the past as a hub for drug dealers who’ve been forced off the dark web.”

(Amazon founder Jeff Bezos owns The Washington Post.)

European data protection chiefs: Qatar World Cup apps pose security risks

European data regulators are warning against downloading Qatar's World Cup apps, citing big privacy risks, Politico reports.

Foreign visitors have been asked to download the World Cup's official app, Hayya, and visitors to health care facilities are required to download Ehteraz, an infection-tracking app.

“One of the apps collects data on whether and with which number a telephone call is made,” the German authority said. “The other app actively prevents the device on which it is installed from going into sleep mode. It is also obvious that the data used by the apps not only remain locally on the device, but are also transmitted to a central server.”

The Qatari government didn't immediately respond to requests for comment from the publication.

Cyber insecurity

New attacks use Windows security bypass zero-day to drop malware (Bleeping Computer)

Global cyberspace

Israel Public Defender's Office slams state for abuse of power in hacking cell phones (Jerusalem Post)

Secure log off

Thanks for reading. See you tomorrow.