Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails
Introduction
Previously, Trustwave SpiderLabs covered a massive fake order spam scheme that impersonated a tech support company and propagated via Google Groups. Since then, we have observed more spam campaigns using this hybrid form of cyberattack with varying tactics, techniques, and procedures (TTPs). Between July and September, we witnessed a 140% increase in these spam campaigns. In this blog, we showcase the different spam techniques used in these phishing emails.
Callback Phishing
Callback phishing, sometimes referred to as Telephone-Oriented Attack Delivery (TOAD), is a multi-layered attack that combines email spam and phone calls. The scheme involves sending out phishing emails that lure the recipient into calling the phone number listed in the email message.
Figure 1. Callback phishing general attack flow
From July to September, we observed an increase in various spam campaigns utilizing callback phishing. Fraudsters employ this technique in different types of cyberattacks, and here’s how it usually plays out:
- The Arrival of Phishing Email
Attackers send out phishing emails with lures such as a fake order invoice or an account termination notice. These emails are often disguised as coming from a trusted organization or brand and contain a bogus customer hotline number that purportedly can be called to resolve the dispute.
- Victim Reaches Out Through Phone Call
Unsuspecting victims will then contact the listed telephone number. These are legitimate, working phone numbers and waiting on the other end of the line are cybercriminals.
- Interaction with Attackers
The scammers, posing as customer service agents, use the pretext of resolving the supposed issue mentioned in the email. The next phase of the attack varies, but it is usually one of the following three:
- Vishing
Attackers will interrogate the victim for their personally identifiable information (PII), banking credentials, and other relevant details.
- Malware Download and Infection
In some campaigns including BazarCall, victims are instructed to visit a website that will directly download malware, such as a document with malicious macros. Attackers will guide them through the installation process. The infected machine is used for stealing information, reconnaissance, and installing follow-up malware.
- Remote Access Control
To settle the issue, the attackers instruct the victim to download a remote administration tool and invite them to a meeting session. Once the victim is connected, the attackers take control of their machine via remote access. In some campaigns, such as Luna Moth, attackers blank out the screen to hide their actions. They then proceed to steal information or install additional malware for further exploitation.
This ruse is unique compared to other cyberattack types because the attackers are counting on the victim to respond to the email via phone call. This attack is particularly cunning due to the key characteristics used in its dual-channel approach. These include:
- Increased Interaction via a Phone Call
A phone call provides real-time and dynamic communication between the victim and fraudsters. In a direct conversation, attackers can continue to manipulate and dispel hesitations. The attacker often emphasizes the urgency of the matter, which might influence the victim into making a rash decision, such as divulging sensitive information.
- Delayed Detection
Once the attack reaches the phone call stage, there will be no immediate digital trace unless the call is recorded. Unsuspecting victims may only grasp the gravity of the situation when the damage is already done.
- Brand Impersonation
Phishing attacks often exploit the recognition of different brands or organizations. Attackers leverage this trust by disguising themselves as a reputable brand, which increases the chances of deceiving a victim.
This attack relies heavily on social engineering to progress, so it is important for recipients to identify the email tactics that fraudsters use and stop the attack before it even begins. In the following sections, we will discuss the numerous techniques used by scammers when crafting and sending the initial phishing mail.
Evasion Techniques Used in the Email Body
In 2020, the BazarCall scheme gained notoriety for its novel approach to delivering the BazarLoader malware. The earlier version of this attack used a text-based email as its initial contact. Since then, cybercriminals have updated their social engineering tactics to lure users into calling a specific malicious phone number. In this section, we showcase some techniques used by different phishing campaigns to evade detection by email security tools.
Text-Based Spam
Sometimes, phishing emails don’t use complex techniques to ensnare targets. The crux of callback phishing is the absence of the traditional malicious link or attachment in the email body. Figure 2 is an example of a text-based phishing email impersonating Binance, a cryptocurrency trading platform.
Figure 2. Text-based phishing
This email mimics a withdrawal notification message, which states that the recipient’s assets have been transferred. It lists a sizeable amount of money and the date of transfer. It’s then followed by a customer service hotline where the victim can call to cancel the supposed transaction.
We can immediately see in the From field that the sender domain is not owned by Binance; it is a relatively new sender domain. Another point to note is that Binance does not use a hotline for customer support; instead, it uses an AI chatbot that’s accessible via its website or mobile application.
Text Obfuscation
To further enhance their evasion capabilities, some spammers use text obfuscation. This is the practice of adding various characters in between letters or words to prevent crawlers or security tools from parsing the written text message. These added characters are often invisible or indistinguishable to the naked eye, thus leaving the message still human-readable.
Figure 3. Student loan phishing
In this example, fraudsters are pretending to be a representative of a “Student-Loan Debt Department,” claiming the recipient has been marked as eligible for loan forgiveness. The target is urged to call the specified hotline during office hours to discharge the loan.
Checking the email headers, we can see that the Content-Transfer-Encoding of the email body is base64.
Figure 4. Email header
Upon decoding the body, we can see that the characters “ï»¿” (hex codes: \xc3\xaf\xc2\xbb\xc2\xbf) were inserted in between the letters of the message. This six-byte sequence is the UTF-8 byte-order mark (EF BB BF) mis-decoded as Latin-1 and re-encoded as UTF-8. These characters are rendered but not visibly shown by email clients, so the content still looks normal.
Figure 5. Deobfuscated email body
An interesting aspect of this spam example is the emphasis on the victim’s full name and home address. This insinuates the scammers have conducted reconnaissance or have obtained the victim’s basic information before crafting and sending the spam. Another thing to note is the expression of a sense of urgency throughout the message. Perhaps the biggest red flag out of all this is the fact that there is no “Student-Loan Debt Department” in the USA. Instead, the Department of Education has an office called Federal Student Aid (FSA) that handles loan processing and forgiveness.
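The obfuscation described above, as an added defender-side example that is not code from the original post: a constructed base64 body with the mojibake BOM between every character is decoded, the filler is counted and stripped, and a naive phrase filter is run before and after normalization. The sample text and phone number are constructed; 555-01xx numbers are fictional.

```python
import base64
import re

# Filler that email clients render as nothing visible: the UTF-8 BOM and common
# zero-width code points, plus "ï»¿", which is what the BOM bytes EF BB BF become
# when they are mis-decoded as Latin-1 and re-encoded (the decoded body in the
# email above shows exactly that six-byte sequence C3 AF C2 BB C2 BF).
INVISIBLE_RE = re.compile("(?:\u00ef\u00bb\u00bf|[\ufeff\u200b\u200c\u200d\u2060\u00ad])")

# Constructed sample message, not the text of the email shown in the blog.
PLAIN = "You are eligible for loan forgiveness. Call 800-555-0100 before Friday."

def obfuscate(text):
    """Rebuild the obfuscation: insert the mojibake BOM between every two characters."""
    return "\u00ef\u00bb\u00bf".join(text)

# The MIME part arrived with Content-Transfer-Encoding: base64, so encode the same way.
SAMPLE_B64 = base64.b64encode(obfuscate(PLAIN).encode("utf-8")).decode("ascii")

def decode_body(b64_body):
    """Undo the transfer encoding; this is the step that reveals the injected characters."""
    return base64.b64decode(b64_body).decode("utf-8", errors="replace")

def count_injected(text):
    """Number of invisible filler sequences present in the decoded body."""
    return len(INVISIBLE_RE.findall(text))

def normalize(text):
    """Strip the filler so keyword and regex filters see the text the human sees."""
    return INVISIBLE_RE.sub("", text)

def keyword_hits(text, normalize_first, keywords=("loan forgiveness", "call")):
    """Run a naive phrase filter with or without normalizing first."""
    haystack = (normalize(text) if normalize_first else text).lower()
    return [k for k in keywords if k in haystack]

if __name__ == "__main__":
    body = decode_body(SAMPLE_B64)
    print("injected sequences:", count_injected(body))
    print("filter without normalization:", keyword_hits(body, False))
    print("filter with normalization:", keyword_hits(body, True))
```

A high ratio of filler sequences to visible characters is itself a usable signal, independent of any keyword list.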
Attachment-Based Attacks
Spammers also conceal their scam messages in email attachments. With this technique, the main content of the email is in the attachment, and the message in the body is short or absent. Unlike the usual malware spam, these attachments don’t contain any malicious code.
Image-Based Spam
In an image-based spam email, the textual content is embedded in one or more images, which are then attached to the email. This is used to bypass text-based spam filters that are designed to detect certain words, phrases, or regular expressions (regex).
This attack uses different types of image file extensions, and our sample shown in Figure 6 uses a .gif format.
Figure 6. Phishing with GIF attachment
The main content, which is the supposed PayPal transaction summary, is embedded into the .gif file attachment. The email body itself only contains an external email header and the supposed bill number.
Text and Document Formats
Scammers also opt to use text-based or document-based file types for their scam messages. A common file type used in scam attachments is PDF, as it is extensively used in different devices. PDFs are often used in professional and legal transactions, and spammers exploit this association to trick victims into opening the attached document.
This is also the case in our sample in Figure 7. The email subject thanks the recipient for their supposed order. The message body is a short customer service notice; however, there is no mention of the sender brand or company. The sender address is from a freemail service and doesn’t bear a brand name. This vague email is sure to leave the recipient wondering about the identity of the sender company and what the transaction is.
Figure 7. Phishing with PDF attachment
The lack of details will pique the interest of the victim, and they are more likely to read the attached PDF. Upon opening the document, they are greeted with bogus payment information for a video-streaming platform.
Figure 8. Fake YouTube invoice
Other observed file extensions used in these phishing emails are text (.txt) and Microsoft Word document (.doc).
Abuse of Appointment Scheduling Platform
Callback phishing often aims to manipulate victims into immediately calling a specified phone number. Some scammers understand that not everyone is able to do this as soon as they receive the scam message, so in this phishing campaign a popular scheduling tool is incorporated into the attack.
This email is disguised as a QuickBooks notification for a version upgrade. It states that the victim’s database will be wiped out if they don’t upgrade, so it urges the victim to get in touch with the fake customer support representative. The fake email provides an option to directly call a specified phone number or to schedule a meeting with a representative.
Figure 9. QuickBooks phishing
There is an embedded link in the second button that redirects to a Calendly meeting scheduler.
Victims can pick a date for a 30-minute meeting with “QB Support”.
Figure 10. Calendly scheduler
Once the victim has chosen a date, they are prompted to enter their name, email address, and phone number to schedule the event. With this, the scammer can gain additional information about the victim.
Figure 11. Calendly data collection
Upon checking the Calendly account associated with a user named “John”, we observed other fake scheduled events relating to QuickBooks. The brand name in the event titles is abbreviated to “QB” so as not to draw suspicion from the platform.
Figure 12. QuickBooks imposter Calendly account
Abuse of a Financial Platform for Spam Delivery
One of the most inconspicuous techniques we have observed is the abuse of payment services and invoicing platforms. In these attacks, the email is sent using known fintech platforms.
Since these emails are sent using genuine services, almost all aspects of the email are non-malicious. Unlike previously discussed tactics where the emails are sent using newly created domains or freemail services, these emails contain legitimate “From” addresses and other headers. The embedded links are non-malicious and actually redirect to the platform’s website.
PayPal
Shown in Figure 13 is a money request notification sent using PayPal. The header details such as sender address, DKIM signature, initial Received, and PayPal-specific header stamps are all consistent. Clicking the “Pay Now” button will redirect the user to the actual PayPal site.
Figure 13. Callback sent using Paypal
At first glance, everything seems normal. However, the devil is in the details. The immediately suspicious items are the payment note and the listed “To” address. The request came with a familiar note, stating that there is an anomalous transaction on the account and to call the listed phone number, which doesn’t belong to PayPal customer service. Furthermore, the “To” address is on a suspicious, newly registered domain that doesn’t relate to the known recipient.
Another feature abused by cybercriminals is the PayPal invoice, which they use to send a bogus invoice for a supposedly settled transaction.
Xero
Xero is a cloud-based accounting software used for invoicing, payroll, and monitoring live bank feeds. Users can send an invoice with a link and/or a document attachment containing the details of the transaction.
Figure 14. Callback phishing sent using Xero
Similar to our previous example, this email is a legitimate notification sent through the platform. This was sent on behalf of “QB Invoice”, which most likely pertains to QuickBooks. Again, the “To” field contains an email address that’s different from the known recipient. What’s different is that there is no indicated telephone number in the email body.
Viewing the full invoice, either by clicking the link or opening the PDF attachment, will reveal a convincing and proper-looking document.
Figure 15. Bogus QuickBooks invoice
In Figure 15, the bill is said to be one day overdue, which raises the sense of urgency of this transaction. The terms of the invoice declare that the victim has seven days to call the bogus phone number to dispute the transaction.
HoneyBook
HoneyBook is another cloud-based platform used for client and project management systems. It can be used for workflow automation, reporting, marketing, sales and online payments. Its platform allows the sender to share invoices in different ways, and we’ve found fraudsters are now abusing HoneyBook’s “share via email” feature.
Figure 16. Callback phishing sent using Honeybook
Our example in Figure 16 is a processed payment from a certain “T & G Store” for an iPhone 15 Pro unit. It contains the same distinguishing characteristics such as a fake customer hotline and a suspicious To address.
How are these platforms getting abused?
According to their Help Centers, users can send a money request or invoice to any customer with an email address. The receiving party doesn’t need to have an account with these platforms to receive the notification email. Attackers exploit these features to create fake payment requests and invoices and send them to a dummy email account, which is why we see questionable “To” email addresses that do not relate to the known target victim. These emails are then forwarded to the actual victim address. This relaying process allows the spam to pass email authentication checks, since the headers genuinely belong to the platform.
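The three tells described in this section and the PayPal example above (a genuine platform sender, a “To” address that differs from where the mail actually landed, and a payment note carrying a phone number and dispute language), as an added triage heuristic that is not code from the original post. The platform list, regexes, header names and both sample messages are constructed assumptions; the domains use reserved example names and the 555-01xx number is fictional.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Platforms whose genuine notification mail this post shows being abused (constructed allow-list).
INVOICING_PLATFORMS = {"paypal.com", "xero.com", "honeybook.com"}
# North-American style numbers; the sample number is fictional (555-01xx range).
PHONE_RE = re.compile(r"\b(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
URGENCY_RE = re.compile(r"anomal|unauthori[sz]ed|suspicious|cancel|dispute", re.I)

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def assess(raw_message):
    """Return the reasons a platform notification looks like callback phishing (empty if none)."""
    msg = message_from_string(raw_message)
    reasons = []
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    # Where the message actually landed; differs from To when the dummy account forwarded it.
    delivered = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    if domain_of(msg.get("From", "")) in INVOICING_PLATFORMS and delivered and to_addr != delivered:
        reasons.append("platform mail addressed to %s but delivered to %s" % (to_addr, delivered))
    phones = PHONE_RE.findall(body)
    if phones:
        reasons.append("payment note lists a phone number: " + ", ".join(phones))
    if URGENCY_RE.search(body):
        reasons.append("payment note uses dispute/urgency language")
    return reasons

# Constructed samples, not the messages from the blog.
SUSPECT = """\
From: "PayPal" <service@paypal.com>
To: Receipts <billing@invoice-relay.example>
Delivered-To: victim@example.org
Subject: You have a money request

Note from sender: We found an anomalous transaction on your account.
Call 800-555-0100 now to cancel it.
"""
GENUINE = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Delivered-To: victim@example.org
Subject: You have a money request

Note from sender: Thanks for lunch, here is my half.
"""

if __name__ == "__main__":
    for reason in assess(SUSPECT):
        print("-", reason)
```

None of these signals is conclusive on its own; the To/Delivered-To mismatch combined with a phone number in the sender note is what sets these messages apart from ordinary platform notifications.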
Countermeasures
This type of cyberattack is tricky and highly reliant on social engineering. Here are some tips on how you can protect yourself from falling victim to this scam:
- Always be suspicious of unsolicited emails, even if they are sent using legitimate platforms or contain a genuine-looking “From” email address.
- If you receive an email urging you to call a listed phone number, do not call it directly. Instead, head over to the company’s official website and look up the contact details.
- If you do choose to call a hotline, do not share passwords, financial details, or other personal information.
- Monitor your bank accounts and statements independently when you receive an email that a payment has been made on your behalf. If you do find any irregularities, call the reputable customer hotline of your financial institution to report the case.
- Organizations should stay updated on spam and phishing trends and conduct regular security awareness training for employees.
Conclusion
Callback phishing has come a long way since its inception and continues to evolve, becoming more sophisticated. It combines traditional phishing techniques, such as brand impersonation and instilling urgency, with direct human interaction. From text-based spam and scam attachments to the abuse of various platforms such as Calendly, PayPal, Xero and HoneyBook, attackers will use every trick to bait victims into engaging with them.
Callback phishing and other forms of TOAD are a growing threat and will continue to develop and adapt against email security tools. We urge the public to stay vigilant against suspicious and unsolicited emails and to keep abreast of the latest spam and phishing schemes.
Attribution: The icons used in the flowchart are from Smashicon - Flaticon