Earlier in June, Microsoft Security Intelligence drew attention to BazaCall, a phony call center scam dedicated to spreading ransomware and making a quick dime off of victims’ suffering. Now Microsoft is back with an update. According to Microsoft, BazaCall is more serious than the media have actually reported. For those who don’t know much about what it is, pay attention. Ransomware operators are on the move and are spreading BazaCall malware by tricking people into phoning fraudulent call centers and speaking with real humans. These humans provide step-by-step instructions on how to download a payload, and once it is installed your data can be stolen.
How dangerous is the BazaCall campaign’s associated malware, exactly? Here’s how Microsoft describes it: “Apart from having backdoor capabilities, the BazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control on an affected user’s device, which allows for a fast network compromise. In our observation, attacks emanating from the BazaCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of the initial compromise.”
The attacks start with an email. Each message is sent from a different sender, normally through a free email service or a compromised email address, with lures that include fake business names similar to those of real companies. The email uses various social engineering tactics to trick unsuspecting victims into calling a number. This might include informing users that a trial is about to expire and that their card is set to be charged, and asking them to call the number provided if they have any concerns. There are no attachments, links, or any other type of malicious call to action that would be spotted by a security filter. The tactic relies on direct phone communication, as well as sophisticated social engineering, to succeed. The Microsoft 365 Defender Threat Intelligence Team further confirms that “BazaCall campaigns forgo malicious links or attachments in email messages in [favor] of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold-called by the attacker, except in BazaCall’s case, targeted users must dial the number.” When these users are tricked into calling the number, they’re connected with actual humans on the other end, who provide thorough and detailed guidance luring victims into installing malware on their devices.
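As an added illustration (not part of the original report and not Microsoft's tooling), the following Python heuristic flags mail that has the shape described above: a billing or trial lure, a phone number to call, and no links or attachments for a filter to inspect. The lure terms, weights, threshold and sample messages are all constructed assumptions for the example.

```python
import re

# Heuristic triage for callback-phishing lures: the message pushes the reader to
# phone a number instead of clicking a link. Regexes, terms and weights are
# illustrative assumptions, not a vendor's detection logic.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.IGNORECASE)
LURE_TERMS = ("trial", "expire", "charged", "subscription", "renew", "cancel", "invoice")


def callback_lure_score(subject, body, attachments):
    """Return (score, reasons); higher scores look more like a callback lure."""
    text = f"{subject}\n{body}"
    lowered = text.lower()
    score, reasons = 0, []
    if PHONE_RE.search(text):
        score += 2
        reasons.append("phone number present")
    if not URL_RE.search(text) and not attachments:
        # The absence of links/attachments is itself a signal here: nothing for
        # URL or attachment scanning to catch, so the phone number is the payload.
        score += 1
        reasons.append("no links or attachments for a filter to inspect")
    hits = [term for term in LURE_TERMS if term in lowered]
    if hits:
        score += min(len(hits), 3)
        reasons.append("billing/trial lure terms: " + ", ".join(hits))
    if CALL_RE.search(text):
        score += 1
        reasons.append("asks the reader to call")
    return score, reasons


def triage(messages, threshold=5):
    """Label each message 'review' or 'pass' by comparing its score to a threshold."""
    verdicts = []
    for m in messages:
        score, _ = callback_lure_score(m["subject"], m["body"], m["attachments"])
        verdicts.append((m["subject"], "review" if score >= threshold else "pass"))
    return verdicts


# Constructed sample messages, not real captured mail.
SAMPLES = [
    {"subject": "Your free trial expires today",
     "body": "Your trial is ending and your card will be charged $299.99 for the annual "
             "subscription. To cancel, call our billing desk at (800) 555-0123.",
     "attachments": []},
    {"subject": "Weekly newsletter",
     "body": "Read this week's posts at https://example.com/blog. Unsubscribe anytime.",
     "attachments": []},
]

if __name__ == "__main__":
    for subject, verdict in triage(SAMPLES):
        print(f"{verdict:6} {subject}")
```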
In short, once you fall for the BazaCall email, proceed to the phony call center and follow the rep’s instructions, you hand the attackers control: hands-on-keyboard control of your device and a free pass to steal your data and all your credentials. You’ll also be leaving the door wide open for ransomware distribution, with a lot of damage done within a tiny 48-hour window. The attackers aren’t just interested in getting ransomware onto a single device; they’ll go after networks if they see openings. What makes the scam so crafty is that the email that kicks it off isn’t inherently dangerous; rather, it’s the phone call afterward.