Hackers are running a callback phishing campaign that impersonates cybersecurity companies to gain access to corporate networks.
Cybersecurity company CrowdStrike released a statement saying that hackers used its name to lure victims. Customers receive an email impersonating CrowdStrike, which claims that their company has been breached, and are asked to call the given phone number.
“In a new callback phishing campaign, the hackers are impersonating CrowdStrike to warn recipients that malicious network intruders have compromised their workstations and that an in-depth security audit is required,” CrowdStrike said in a recent blog post.
The email explains in detail why a security audit is needed and how the agreement between the customer and the company obligates them to perform it. If the email recipient calls the given phone number, threat actors can direct them to a malicious website.
It is speculated that the attackers may be using remote access tools (RATs) for initial entry and penetration testing tools for lateral movement. They will likely extort data and deploy ransomware.
CrowdStrike cannot verify the variant, but attackers will supposedly attempt to monetize the operation.
The researchers at CrowdStrike found a similar campaign in March 2022. Hackers would install AteraRMM, which is RAT software, to gain initial network access and deploy malware.
There are also similarities with the 2021 BazarCall campaign used by the Conti ransomware gang, which also relied on social engineering. However, just months after their data was exposed, the group shut down its operations.
Regardless of past threats, CrowdStrike noted: “This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches.”