Microsoft’s cybersecurity team announced Monday it detected a clever phishing campaign, known as BazaCall, which has tricked users into contacting a call center where they would unknowingly be directed to install ransomware on their computer.
According to screenshots from Microsoft’s Security Intelligence team, users received phishing emails urging them to cancel a free trial to a fake company or service before they get charged.
One email asked users if they would like to continue using a “photoshop service” called ZonerPhoto. “Seems like you do! You have given your payment info and agreed to continue using ZonerPhoto during the sign up process!” the email read.
The email then urged recipients to call a number in order to cancel or manage their subscription. If you signed up for a free trial of Disney+ just to watch a season of The Mandalorian and scrambled to cancel it hours before it started charging you, you might see why this is a clever scam. In reality, these users were being directed to a call center where hackers would instruct them to unknowingly download malware to their computer.
“The lack of malicious elements in the emails can be a challenge for detection,” Microsoft tweeted.
Once a victim calls the call center, they’re asked to provide a customer ID number from the phishing email they received, which is what identifies them as the targeted victim. According to a recent report from Bleeping Computer, the customer ID is a “core component of the attack” as it allows them to identify which company received those phishing emails.
The caller is then instructed to download an Excel spreadsheet that appears to be a subscription cancellation form but actually contains a macro, a small program embedded in the document, which delivers the malware to their device.
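The emails in this campaign carry no links or attachments, so URL and attachment scanners have nothing to flag; what they do carry is a phone number, a customer ID to quote, and urgent billing language. The following is an added example, not code from Microsoft or Motherboard, of a simple mail-filter heuristic that scores messages on exactly those signals. The regexes, the keyword list, the scoring threshold and the sample emails are all constructed for this illustration.

```python
import re

# Signals a call-back phishing email tends to carry: a phone number to call,
# a "customer ID" the call centre will ask for, and billing/trial language,
# combined with the absence of the links or attachments a filter would normally key on.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
CUSTOMER_ID_RE = re.compile(
    r"\b(?:customer|user|account|client)\s*(?:id|number|no\.?)\s*[:#]?\s*[A-Z0-9][A-Z0-9-]{4,}",
    re.I,
)
BILLING_TERMS = ("free trial", "subscription", "charged", "cancel", "payment info", "renew")

# Constructed sample messages for this example; the first mimics the lure the
# article describes, the other two are ordinary transactional mail.
SAMPLE_EMAILS = {
    "callback_lure": (
        "Your ZonerPhoto free trial ends today",
        "Seems like you do! You have given your payment info and agreed to continue "
        "using ZonerPhoto during the sign up process. To cancel your subscription before "
        "you are charged, call 1-800-555-0199 and quote Customer ID: ZP-4471802.",
        False,
    ),
    "shipping_notice": (
        "Your order has shipped",
        "Thanks for your order ORD-88213. Track it at https://example.com/track. "
        "Questions? Reply to this email.",
        False,
    ),
    "renewal_notice": (
        "Subscription renewal",
        "Your subscription renews on 1 July and your card will be charged $9.99. "
        "Manage it at https://example.com/account.",
        False,
    ),
}


def analyse(subject: str, body: str, has_attachment: bool = False) -> dict:
    """Score one message; returns the individual signals, a score and a verdict."""
    text = f"{subject}\n{body}"
    lower = text.lower()
    signals = {
        "phone_number": PHONE_RE.search(text) is not None,
        "customer_id": CUSTOMER_ID_RE.search(text) is not None,
        # two or more billing/trial phrases counts as urgency-to-act language
        "billing_terms": sum(term in lower for term in BILLING_TERMS) >= 2,
        # the defining trait of the lure: nothing for a link/attachment scanner to inspect
        "no_link_or_attachment": URL_RE.search(text) is None and not has_attachment,
    }
    score = sum(signals.values())
    # A phone number is mandatory for the call-back pattern; the threshold is arbitrary.
    if signals["phone_number"] and score >= 3:
        verdict = "suspicious_callback_phish"
    else:
        verdict = "no_alert"
    return {"score": score, "signals": signals, "verdict": verdict}


def run_samples() -> dict:
    """Analyse every constructed sample and map its name to the verdict."""
    return {
        name: analyse(subject, body, attach)["verdict"]
        for name, (subject, body, attach) in SAMPLE_EMAILS.items()
    }


if __name__ == "__main__":
    for name, (subject, body, attach) in SAMPLE_EMAILS.items():
        result = analyse(subject, body, attach)
        print(f"{name}: score={result['score']} verdict={result['verdict']} {result['signals']}")
```

Such a heuristic is only a triage aid: a legitimate renewal reminder that happens to list a support line would score high too, so the output belongs in a review queue or a hunting query rather than an automatic block, and the customer ID pattern is worth keeping as its own indicator because, as the report notes, that ID is what ties a recipient to a specific targeted organisation.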
Microsoft threat analysts on Twitter described observing “hands-on-keyboard activity” from the attack, meaning the campaign was being carried out by actual hackers rather than by automated malware alone.
In this instance, Microsoft’s Security Intelligence team tweeted that the hackers were using Cobalt Strike to steal credentials and data from users. Cobalt Strike can be difficult to detect because it uses malleable C2—cybersecurity lingo for command and control servers—which allows it to disguise its traffic as legitimate services such as Gmail or Amazon.
Microsoft’s Security Intelligence team has since shared software that can detect this kind of threat, even in emails.
When reached for comment, Microsoft directed Motherboard to the tweets published by its analysts.