Warning: This scam starts with a fake invoice. It could end with crooks stealing your data

Social engineering and phony call centers are used to trick victims into installing remote software. Then the gang steals data and threatens to leak it.
Written by Danny Palmer, Senior Writer

A cyber-extortion gang is using phishing emails, social engineering and a network of phony call centers to scam victims out of hundreds of thousands of dollars by tricking them into allowing remote access to their PC, then stealing data and threatening to leak it if a ransom isn't paid. 

According to analysis of the 'callback phishing' attacks by cybersecurity researchers at Palo Alto Networks Unit 42, the social-engineering campaign is worryingly successful, which is leading to growth in the infrastructure behind the attacks as the cyber criminals try to make as much money as possible.  

The attacks are similar to previously identified campaigns that used phishing emails containing malicious documents to trick victims into installing the BazarLoader backdoor malware. The malware was used to access the network, steal data and blackmail the victim into paying an extortion fee to prevent the data from being leaked. 

But this newly detailed campaign investigated by Unit 42 – dubbed Luna Moth – skips the malware infection, instead using social engineering alone to gain access to networks. And it has proved successful, claiming victims in multiple sectors including legal and retail, and costing some victims hundreds of thousands of dollars. 

Attacks begin with a phishing email to a corporate email address with a PDF attachment claiming to be a credit card invoice, usually for an amount under $1,000, perhaps because a lower figure might be less likely to arouse suspicion or get reported to finance. 


This attachment contains a unique ID and phone number with the suggestion that, if there's a problem, the victim should call it to query or cancel the payment. The wording of the emails and attachment frequently changes to help bypass detection. 

If the victim calls the number, they're connected to a call center run by those behind the extortion scam, and the operator can identify which company has been targeted by asking for the ID number. Then, under the false guise of helping the victim cancel the phony payment, the call center guides the victim through the steps required to download and run remote access software. 

Once that remote session is established, the attacker downloads and installs a remote administration tool, which allows them to maintain access to the machine and secretly look for sensitive files and servers – and to steal the data they find. 

After the data is stolen, the attacker sends another email, demanding an extortion payment with a threat to release the information if it isn't paid. The demands are made in Bitcoin and can amount to hundreds of thousands of dollars, depending on the organization – researchers say the attackers research the annual revenue of the victim to decide on a fee. 
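The chain described above has two points where a defender can look for it: the invoice lure itself (a small charge, a unique reference ID and a phone number to call to cancel) and the endpoint, where a remote-support client the organization never approved starts running and is followed by a remote administration tool and data-transfer activity. The script below is an added illustration of both checks and is not code from the article or from Unit 42. The attachment text, the process-creation events and every tool name in it are constructed placeholders; the regular expressions and the four-hour correlation window are assumptions chosen for the example, not values from the report.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed text of a callback-phishing "invoice" attachment, following the
# pattern the article describes. Every value here is made up for the example.
SAMPLE_ATTACHMENT_TEXT = """
Thank you for your subscription renewal.
Amount charged: $487.99
Order ID: XK-20941-77
If you did not authorize this charge or wish to cancel,
call our billing desk at +1 (555) 013-0199 within 24 hours.
"""

# Heuristic signals for the lure. The patterns are assumptions for this example.
LURE_SIGNALS = {
    # a dollar amount below $1,000 (rejects $1,250.00 and $1234)
    "small_charge": re.compile(r"\$\s?\d{1,3}(?:\.\d{2})?(?![\d,])"),
    # a North-American-style phone number
    "phone_number": re.compile(r"\+?\d?\s?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}"),
    # an "order/invoice/reference ID" label the call center can use to identify the target
    "reference_id": re.compile(r"\b(?:order|invoice|reference|transaction)\s*(?:id|no\.?|number)\b", re.I),
    # a prompt to phone in order to cancel/dispute, in either word order
    "call_to_cancel": re.compile(
        r"(?:\b(?:call|phone|dial)\b.{0,80}\b(?:cancel|dispute|refund|query)\b"
        r"|\b(?:cancel|dispute|refund|query)\b.{0,80}\b(?:call|phone|dial)\b)",
        re.I | re.S,
    ),
}


def score_invoice_lure(text: str) -> dict:
    """Flag attachment text that combines a phone number, a call-to-cancel prompt
    and either a small charge or a reference ID."""
    hits = {name: bool(rx.search(text)) for name, rx in LURE_SIGNALS.items()}
    hits["suspicious"] = (
        hits["phone_number"] and hits["call_to_cancel"]
        and (hits["small_charge"] or hits["reference_id"])
    )
    return hits


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    ts: datetime
    image: str      # executable name as a process-creation log would record it
    cmdline: str


# Assumed watchlists. All names are placeholders, not tooling from the report.
APPROVED_REMOTE_TOOLS = {"corp_helpdesk.exe"}          # the organization's sanctioned client
REMOTE_ACCESS_TOOLS = {"remotesupport_setup.exe", "remotesupport.exe",
                       "rat_agent.exe", "corp_helpdesk.exe"}
STAGING_TOOLS = {"syncclient.exe", "archiver.exe"}     # bulk copy / archive utilities

# Constructed events: one workstation shows the full chain, another shows the
# approved help-desk client in normal use.
SAMPLE_EVENTS = [
    ProcessEvent("WS-0417", "j.doe", datetime(2022, 9, 14, 10, 2), "chrome.exe", "chrome.exe"),
    ProcessEvent("WS-0417", "j.doe", datetime(2022, 9, 14, 10, 9), "remotesupport_setup.exe", "remotesupport_setup.exe /silent"),
    ProcessEvent("WS-0417", "j.doe", datetime(2022, 9, 14, 10, 11), "remotesupport.exe", "remotesupport.exe --session 88213"),
    ProcessEvent("WS-0417", "j.doe", datetime(2022, 9, 14, 10, 40), "rat_agent.exe", "rat_agent.exe --install --service"),
    ProcessEvent("WS-0417", "j.doe", datetime(2022, 9, 14, 11, 55), "syncclient.exe", "syncclient.exe copy C:\\Shares\\Finance remote:drop"),
    ProcessEvent("WS-0502", "it.admin", datetime(2022, 9, 14, 9, 0), "corp_helpdesk.exe", "corp_helpdesk.exe --session 12"),
]


def detect_remote_access_chain(events, window=timedelta(hours=4)):
    """One finding per host on which an unapproved remote-access tool ran;
    escalated to critical if a staging/transfer tool followed within `window`."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    findings = []
    for host, evs in by_host.items():
        first = next((e for e in evs
                      if e.image.lower() in REMOTE_ACCESS_TOOLS
                      and e.image.lower() not in APPROVED_REMOTE_TOOLS), None)
        if first is None:
            continue
        staging = [e for e in evs if e.image.lower() in STAGING_TOOLS
                   and first.ts <= e.ts <= first.ts + window]
        findings.append({
            "host": host,
            "user": first.user,
            "first_remote_tool": first.image,
            "severity": "critical" if staging else "high",
            "staging_tools": [e.image for e in staging],
        })
    return findings


if __name__ == "__main__":
    print(score_invoice_lure(SAMPLE_ATTACHMENT_TEXT))
    print(detect_remote_access_chain(SAMPLE_EVENTS))
```

The lure check is deliberately a triage score rather than a verdict, since legitimate invoices also carry phone numbers; what it surfaces for review is the combination the article describes. The endpoint check keys on the allowlist: a remote-support client is only interesting when it is not the one IT sanctions, which is exactly the question the researchers suggest employees route to their own security team.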

If the victims pay up quickly, they get a 25% 'discount' on the extortion demand. If they refuse to pay, the attackers threaten to phone customers and clients to tell them about the data breach. 


Of course, even if the victim does pay, there's no guarantee that the attackers will delete the stolen data.

"Paying the attacker did not guarantee they would follow through with their promises. At times they stopped responding after confirming they had received payment, and did not follow through with negotiated commitments to provide proof of deletion," said Kristopher Russo, senior threat researcher at Palo Alto Networks Unit 42. 

Researchers say they observed and responded to a number of these attacks between May and October this year, and all of them appear to be linked to the Luna Moth crime group, which is "continuing to improve the efficiency of their attack", with campaigns shifting from targeting small and medium-sized firms to targeting larger companies. 

The low per-target cost, low risk of detection and fast monetization of these campaigns mean attacks are expected to continue – particularly because relying on social-engineering techniques instead of malware makes it easier to bypass antivirus protections. 

The researchers recommend that organizations warn employees to be cautious about unexpected messages that convey a sense of urgency, particularly if they appear to come from an unknown sender. They also say that people should check with their own information security or IT team before acting on any request from an external source to install remote software. 

"All organizations should consider strengthening cybersecurity awareness training programs with a particular focus on unexpected invoices, as well as requests to establish a phone call or to install software," said Russo. 
