Researchers at cybersecurity research firm Crowdstrike have discovered a phishing campaign impersonating multiple cybersecurity firms (including Crowdstrike) to trick users into installing malware on their systems.
The campaign involves messages sent to a target, disguised as coming from a legitimate cybersecurity firm, informing them that they’ve been affected by a cyberattack and need to respond urgently. The message directs victims to a shady helpline, where threat actors direct them to allow remote access. Once an attacker gains initial access, the user’s systems and network can be infected by malware or ransomware.
Crowdstrike calls this “callback phishing”, and an example of these messages shared by the firm features accurate Crowdstrike branding. The researchers haven’t yet revealed what companies are being impersonated.
The message claims to be coming from the recipient’s company’s outsourced data vendor and alerts them about abnormal activity and a potential breach being detected on their network as part of a “daily network audit”.
The recipient is then advised to call a helpline, where an operator walks them through installing a Remote Administration Tool (RAT), a legitimate network utility used by many network admins, which the attackers use to gain access to the recipient’s network.
The researchers haven’t been able to figure out yet what the threat actors behind the phishing campaign are trying to do; however, a similar campaign noted back in March suggests that the remote access software that victims are being tricked into installing can be used for lateral movement inside the network to infect more machines with malware.
This means that the likely end goal here is to monetise this unfettered network access and the resulting infections, potentially by installing ransomware. The attacking group can either encrypt the infected devices with ransomware themselves or sell their access to another ransomware group.
Crowdstrike reminded readers that the company will never contact its customers in this manner, adding that should anyone receive similar messages, they should forward them to their cybersecurity provider for further investigation.
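A triage heuristic for the message pattern described above (security-vendor branding, a breach alert and a request to phone a helpline), added here as an illustration and not taken from Crowdstrike's report. The vendor allowlist, keyword lists and both sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keyword -> domains that vendor really sends from (placeholders).
VENDOR_DOMAINS = {"examplesec": {"examplesec.example"}}
PHONE_RE = re.compile(r"(?:\+?\d[\s()-]{0,2}){9,14}\d")
CALL_RE = re.compile(r"\b(call|phone|dial)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(breach|compromised?|abnormal activity|network audit|urgent(ly)?|immediately)\b", re.I)
URL_RE = re.compile(r"https?://", re.I)

def score_callback_phish(raw):
    """Score one RFC 5322 message (as text); returns (score, reasons)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Plain-text parts only; transfer-encoded bodies would need decoding first.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    reasons = []
    for brand, domains in VENDOR_DOMAINS.items():
        if brand in text and domain not in domains:
            reasons.append(f"uses {brand} branding but sent from {domain}")
    if URGENCY_RE.search(text):
        reasons.append("breach/urgency wording")
    if CALL_RE.search(body) and PHONE_RE.search(body):
        reasons.append("asks the recipient to phone a number")
        if not URL_RE.search(body):
            reasons.append("no link: the phone call is the only call to action")
    return len(reasons), reasons

# Constructed samples, not real campaign messages.
PHISH = """From: ExampleSec Security <alerts@examplesec-support.example>
Subject: Urgent: potential breach detected

During the daily network audit we identified abnormal activity on your
network. Please call 1-555-010-0142 immediately to schedule an audit.
"""
BENIGN = """From: ExampleSec <reports@examplesec.example>
Subject: Weekly summary

Your weekly report is ready: https://portal.examplesec.example/reports
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, score_callback_phish(raw))
```

The score is a triage signal for routing messages to an analyst, not a verdict: the From header can be forged, so pair it with the mail gateway's SPF/DKIM/DMARC results.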