Warning: This scam starts with a fake invoice. It could end with crooks stealing your data

A cyber extortion gang is using phishing emails, social engineering and network of phony call centers to scam victims out of hundreds of thousands of dollars by tricking them into allowing remote access to their PC, then stealing data threatening to leak it if a ransom isn’t paid. 

According to analysis of the ‘callback phishing’ attacks by cybersecurity researchers at Palo Alto Networks Unit 42, the social engineering campaign is worryingly successful – which is leading to a growth in the infrastructure behind attacks, as the cyber criminals try to make as much money as possible.  

The attacks are similar to previously identified campaigns which used phishing emails containing malicious documents to trick victims into installing BazarLoader backdoor malware. The malware was used to access the network, steal data and blackmail the victim into paying an extortion fee to prevent the data being leaked. 

But this newly detailed campaign investigated by Unit 42 – dubbed Luna Moth – skips the malware infection, instead using social engineering to gain access to networks – and it’s proved successful, claiming victims in multiple sectors including legal and retail and costing some hundreds of thousands of dollars. 

Attacks begin with a phishing email to a corporate email address with a PDF attachment claiming to be a credit card invoice, usually for an amount under $1,000, perhaps because a lower figure may be less likely to arouse suspicion or get reported to finance. 

Also: Cybersecurity: These are the new things to worry about in 2023

This attachment contains a unique ID and phone number with the suggestion that if there’s a problem, the victim should call it to query or cancel the payment. The wording of the emails and attachment frequently changes to help bypass detection. 

If the victim calls the number, they’re connected to a call center which is run by those behind the extortion scam and the operator can identify which company has been targeted by asking for the ID number. Then, under the false guise of helping the victim cancel the phony payment, guides the victim through steps required to download and run remote access software. 

With this access, the attacker downloads and installs a remote administration tool, which allows them to maintain access to the machine and secretly enable them to look for sensitive files and servers – and steal them. 

After the data is stolen, the attacker will send another email, demanding an extortion payment with a threat to release the information if it isn’t paid. The demands are made in Bitcoin and can amount to hundreds of thousands of dollars, depending on the organization – researchers say they attackers research the annual revenue of the victim to decide on a fee. 

If the victims pay up quickly, they get a 25% ‘discount’ on the extortion demand – while if they refuse to pay, the attackers threaten to phone customers and clients to tell them about the data breach. 

Also: Your biggest cyber-crime threat has almost nothing to do with technology

Of course, even if the victim does pay, there’s no guarantee that the attackers will delete the stolen data.

“Paying the attacker did not guarantee they would follow through with their promises. At times they stopped responding after confirming they had received payment, and did not follow through with negotiated commitments to provide proof of deletion,” said Kristopher Russo, senior threat researcher at Palo Alto Networks Unit 42. 

Researchers say they observed and responded to a number of these attacks between May and October this year and they all appear to be linked to the Luna Moth crime group, who are “continuing to improve the efficiency of their attack” with campaigns shifting from targeting smaller and medium sized to targeting larger companies. 

It’s expected that low per-target cost, low risk of detection and fast monetization of these campaigns means that attacks will continue – particularly because the reliance on social engineering instead of malware can bypass anti-virus protections. 

It’s recommended that organizations should warn employees to be cautious about unexpected messages claiming a sense of urgency, particularly if they appear to come from an unknown sender and that people should ask their own information security or IT team about any requests from external sources to install remote software. 

“All organizations should consider strengthening cybersecurity awareness training programs with a particular focus on unexpected invoices, as well as requests to establish a phone call or to install software,” said Russo. 

MORE ON CYBERSECURITY