Previously, Trustwave SpiderLabs covered a massive fake order spam scheme that impersonated a tech support company and propagated via Google Groups. Since then, we have observed more spam campaigns using this hybrid form of cyberattack with varying tactics, techniques, and procedures (TTP). Between July and September, we witnessed a 140% increase in these spam campaigns. In this blog, we will showcase the different spam techniques used in these phishing emails.
Callback phishing, or sometimes referred to as Telephone-Oriented Attack Delivery (TOAD), is a multi-layered attack that combines email spam and phone calls. This scheme involves sending out phishing emails that lure the recipient into calling the phone number listed in the email message.
Figure 1. Callback phishing general attack flow
From July to September, we observed an increase in various spam campaigns utilizing callback phishing. Fraudsters employ this technique in different types of cyberattacks, and here’s how it usually plays out:
In 2020, the BazarCall scheme gained notoriety for its novel approach of delivering the BazarLoader malware. The earlier version of this attack used text-based email as its initial contact. Since then, cybercriminals have updated their social engineering tactics to lure users into calling a specific malicious phone number. In this section, we will showcase some techniques used by different phishing campaigns in evading email security tool detection.
Sometimes, phishing emails don’t use complex techniques to ensnare targets. The crux of callback phishing is the absence of the traditional malicious link or attachment in the email body. Figure 2 is an example of a text-based phishing email impersonating Binance, a cryptocurrency trading platform.
Figure 2. Text-based phishing
This email mimics a withdrawal notification message, which states that the recipient’s assets have been transferred. It lists a sizeable amount of money and the date of transfer. It’s then followed by a customer service hotline where the victim can call to cancel the supposed transaction.
We can immediately see in the From field that the sender domain is not owned by Binance. This is a relatively new sender domain. Another point to note is Binance does not use a hotline for customer support, instead it uses an AI chatbot that’s accessible via its website or mobile application.
To further enhance their evasion capabilities, some spammers use text obfuscation. This is the practice of adding various characters in between letters or words to prevent crawlers or security tools from parsing the written text message. These added characters are often invisible or indistinguishable to the naked eye, thus leaving the message still human-readable.
Figure 3. Student loan phishing
In this example, fraudsters are pretending to be a representative of a “Student-Loan Debt Department,” claiming the recipient has been marked as eligible for loan forgiveness. The target is urged to call the specified hotline during office hours to discharge the loan.
Checking the email headers, we can see that the encoding used for the email body is base64.
Figure 4. Email header
Upon decoding the body, we can see that the characters “ “ (hex codes: \xc3\xaf\xc2\xbb\xc2\xbf) were inserted between the letters of the message. These characters are rendered but not visibly shown by email clients, so the content still looks normal.
Figure 5. Deobfuscated email body
An interesting aspect of this spam example is the emphasis on the victim’s full name and home address. This insinuates the scammers have conducted reconnaissance or have obtained the victim’s basic information before crafting and sending the spam. Another thing to note is the expression of a sense of urgency throughout the message. Perhaps the biggest red flag out of all this is the fact that there is no “Student-Loan Debt Department” in the USA. Instead, the Department of Education has an office called Federal Student Aid (FSA) that handles loan processing and forgiveness.
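The obfuscation described above can be undone before keyword filtering runs. The following Python example is added here and is not Trustwave’s code: it builds a constructed base64-encoded message with the \xc3\xaf\xc2\xbb\xc2\xbf sequence inserted between letters, decodes it with the standard library, strips the inserted characters (plus a small assumed list of other zero-width code points), and then matches lure terms. The lure terms and the sample message are assumptions for illustration.

```python
import base64
import email
from email import policy

# The byte sequence the page describes, as it appears after base64 decoding.
OBFUSCATION_BYTES = b"\xc3\xaf\xc2\xbb\xc2\xbf"
OBFUSCATION_TEXT = OBFUSCATION_BYTES.decode("utf-8")

# Assumption: other invisible code points worth stripping in the same pass.
INVISIBLE = "\u200b\u200c\u200d\u2060\ufeff\u00ad"

# Assumption: phrases a simple text filter might look for in this lure.
LURE_TERMS = ["student loan", "loan forgiveness", "call", "hotline"]


def obfuscate(text: str) -> str:
    """Constructed sample only: insert the sequence between every character."""
    return OBFUSCATION_TEXT.join(text)


def build_sample_email() -> bytes:
    """Constructed message mimicking the base64-encoded body seen in Figure 4."""
    body = obfuscate("Your Student Loan has been marked eligible for loan "
                     "forgiveness. Call our hotline 555-0100 today.")
    encoded = base64.b64encode(body.encode("utf-8")).decode("ascii")
    return ("From: Student-Loan Debt Department <noreply@sender.example>\r\n"
            "To: recipient@victim.example\r\n"
            "Subject: Loan forgiveness eligibility\r\n"
            "MIME-Version: 1.0\r\n"
            "Content-Type: text/plain; charset=utf-8\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n"
            + encoded + "\r\n").encode("ascii")


def decoded_body(raw: bytes) -> str:
    """Base64-decode the body; the obfuscation characters are still present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get_content()


def normalize_body(raw: bytes) -> str:
    """Decode, then remove the inserted sequence and other invisible characters."""
    text = decoded_body(raw).replace(OBFUSCATION_TEXT, "")
    return text.translate({ord(c): None for c in INVISIBLE})


def matched_terms(text: str) -> list:
    """Case-insensitive substring match of the lure terms."""
    low = text.lower()
    return [t for t in LURE_TERMS if t in low]
```

Run against the decoded-but-unnormalized body, no term matches; after normalization all four do, which is exactly the gap the obfuscation exploits.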
Spammers also conceal their scam messages in email attachments. With this technique, the main content of the email is in the attachment and the message in the body is short or absent altogether. Unlike the usual malware spam, these attachments don’t contain any malicious code.
Image-Based Spam
In an image-based spam email, the textual content is embedded in one or more images, which are then attached to the email. This is used to bypass text-based spam filters that are designed to detect certain words, phrases, or regular expressions (regex).
This attack uses different types of image file extensions, and our sample shown in Figure 6 uses a .gif format.
Figure 6. Phishing with GIF attachment
The main content, which is the supposed PayPal transaction summary, is embedded into the .gif file attachment. The email body itself only contains an external email header and the supposed bill number.
Text and Document Formats
Scammers also opt to use text-based or document-based file types for their scam messages. A common file type used in scam attachments is PDF, as it is extensively used in different devices. PDFs are often used in professional and legal transactions, and spammers exploit this association to trick victims into opening the attached document.
This is also the case in our sample in Figure 7. The email subject thanks the recipient for their supposed order. The message body is a short customer service notice; however, there is no mention of the sender brand or company. The sender address is from a freemail service and doesn’t bear a brand name. This vague email is sure to leave the recipient wondering about the identity of the sender company and what the transaction is.
Figure 7. Phishing with PDF attachment
The lack of details will pique the interest of the victim, and they are more likely to read the attached PDF. Upon opening the document, they are greeted with bogus payment information for a video-streaming platform.
Figure 8. Fake YouTube invoice
Other observed file extensions used in these phishing emails are text (.txt) and Microsoft Word document (.doc).
Callback phishing often aims to manipulate victims to immediately call a specified phone number. Some scammers understand that not everyone has the capability to do this as soon as they receive the scam message, so in this phishing campaign, a popular scheduling tool is incorporated in the attack.
This email is disguised as a QuickBooks notification for a version upgrade. It states that the victim’s database will be wiped out if they don’t upgrade, so the victim is urged to get in touch with the fake customer support representative. The fake email provides an option to directly call a specified phone number or schedule a meeting with a representative.
Figure 9. QuickBooks phishing
There is an embedded link in the second button that redirects to a Calendly meeting scheduler.
Victims can pick a date for a 30-minute meeting with “QB Support”.
Figure 10. Calendly scheduler
Once the victim has chosen a date, they are prompted to enter their name, email address, and phone number to schedule the event. With this, the scammer can gain additional information about the victim.
Figure 11. Calendly data collection
Upon checking this Calendly account associated with a user named “John”, we observed other fake scheduled events relating to QuickBooks. The brand name in the event titles is abbreviated to “QB” so as not to draw suspicion from the platform.
Figure 12. QuickBooks imposter Calendly account
One of the most inconspicuous techniques we have observed is the abuse of payment services and invoicing platforms. In these attacks, the email is sent using known fintech platforms.
Since these emails are sent using genuine services, almost all aspects of the email are non-malicious. Unlike previously discussed tactics where the emails are sent using newly created domains or freemail services, these emails contain legitimate “From” addresses and other headers. The embedded links are non-malicious and actually redirect to the platform’s website.
Shown in Figure 13 is a money request notification sent using PayPal. The header details such as sender address, DKIM signature, initial Received, and PayPal-specific header stamps are all consistent. Clicking the “Pay Now” button will redirect the user to the actual PayPal site.
Figure 13. Callback phishing sent using PayPal
At first glance, everything seems normal. However, the devil is in the details. The immediately suspicious items are the payment note and the listed “To” address. The request came with a familiar note, stating that there’s an anomalous transaction on the account and to call the listed phone number that doesn’t belong to PayPal customer service. Furthermore, the “To” address is a suspicious newborn domain that doesn’t relate to the known recipient.
Another feature abused by cybercriminals is PayPal invoicing, which they use to send a bogus invoice for a supposedly settled transaction.
Xero is a cloud-based accounting software used for invoicing, payroll, and monitoring live bank feeds. Users can send an invoice with a link and/or a document attachment containing the details of the transaction.
Figure 14. Callback phishing sent using Xero
Similar to our previous example, this email is a legitimate notification sent through the platform. This was sent on behalf of “QB Invoice”, which most likely pertains to QuickBooks. Again, the “To” field contains an email address that’s different from the known recipient. What’s different is that there is no indicated telephone number in the email body.
Viewing the full invoice, either by clicking the link or opening the PDF attachment, will reveal a convincing and proper-looking document.
Figure 15. Bogus QuickBooks invoice
In Figure 15, the bill is said to be one day overdue, which heightens the sense of urgency around this transaction. The terms of the invoice declare that the victim has seven days to call the bogus phone number to dispute the transaction.
HoneyBook is another cloud-based platform used for client and project management systems. It can be used for workflow automation, reporting, marketing, sales and online payments. Its platform allows the sender to share invoices in different ways, and we’ve found fraudsters are now abusing HoneyBook’s “share via email” feature.
Figure 16. Callback phishing sent using HoneyBook
Our example in Figure 16 is a processed payment from a certain “T & G Store” for an iPhone 15 Pro unit. It contains the same distinguishing characteristics, such as a fake customer hotline and a suspicious “To” address.
How are these platforms getting abused?
According to their Help Centers, users can send a money request or invoice to any customer with an email address. The receiving party doesn’t need to have an account with these platforms to receive the notification email. Attackers exploit these features to create fake payment requests and invoices and send them to a dummy email account, which is why we see questionable “To” email addresses that do not relate to the known target victim. These emails are then forwarded to the actual victim address. This relaying process allows the spam to pass email header authentication checks.
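Because the platform-sent message itself is authentic, the signals that remain are the ones this section points out: the “To” header does not name the mailbox that actually received the message, and the free-text payment note carries a phone number and urgency language. The Python example below is added here and is not Trustwave’s or any platform’s code; the message, sender domain, and recipient addresses are constructed placeholders, and the delivered-to address is assumed to be supplied by the receiving mail system.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Assumption: a loose North American phone-number pattern for the payment note.
PHONE_RE = re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Assumption: urgency wording typical of the notes described on this page.
URGENCY_TERMS = ("anomalous", "unauthorized", "suspicious", "cancel", "dispute", "call")

# Constructed sample: a legitimate-looking money request relayed to the real victim.
SAMPLE_RAW = b"""Received: from relay.dummy-domain.example by mx.victim.example
Received: from mail.platform.example by relay.dummy-domain.example
From: Payments <payments@platform.example>
To: dummy1234@dummy-domain.example
Subject: Money request from Alice Store
Content-Type: text/plain; charset=utf-8

Alice Store has requested $499.00.
Note: We detected an anomalous transaction on your account.
Call +1 555-010-0199 to cancel this payment.
"""


def header_recipients(msg) -> set:
    """Lower-cased addresses from To and Cc headers."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def assess(raw: bytes, delivered_to: str) -> dict:
    """Flag a relayed platform notification whose note directs the reader to a phone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_content()
    findings = {
        "recipient_mismatch": delivered_to.lower() not in header_recipients(msg),
        "phone_in_body": bool(PHONE_RE.search(body)),
        "urgency_terms": [t for t in URGENCY_TERMS if t in body.lower()],
    }
    # Authentic headers are expected here, so the decision rests on the two
    # content-level signals together rather than on sender reputation.
    findings["suspicious"] = findings["recipient_mismatch"] and findings["phone_in_body"]
    return findings
```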
This type of cyberattack is tricky and highly reliant on social engineering. Here are some tips on how you can protect yourself from falling victim to this scam:
Callback phishing has come a long way since its inception and continues to evolve, becoming more sophisticated. It combines traditional phishing techniques, such as brand impersonation and instilling urgency, with direct human interaction. From text-based spam and scam attachments to the abuse of platforms such as Calendly, PayPal, Xero and HoneyBook, attackers will use every trick to bait victims into engaging with them.
Callback phishing and other forms of TOAD are a growing threat and will continue to develop and adapt against email security tools. We urge the public to stay vigilant against suspicious and unsolicited emails and to keep abreast of the latest spam and phishing schemes.
Attribution: The icons used in the flowchart are from Smashicon - Flaticon