On November 27, 2023, our Security Operation Centers observed a high volume of callback phishing emails in our participants' environments. These emails contained a fraudulent Geek Squad invoice and originated from the same remote server.
The FBI Cyber Division had released a notice on November 7, 2023, in a Cyber Bulletin, advising of this trend.
Callback phishing emails attempt to trick recipients into calling a phone number provided in the email, where scammers pose as customer service representatives and try to obtain sensitive information such as credit card details or login credentials. They do this under the guise of resolving service renewal confusion. In general, the email body is either blank or contains an attached picture of a fake invoice from services such as Geek Squad, PayPal, Norton, among others.
In particular, the emails we received in our SOC were sent from the following randomly generated email addresses, registered with top-level domains (TLDs) from Saudi Arabia, Poland, and Ukraine:
Although all three email addresses appear to be randomly generated, they were all sent from the same remote server in Ireland, within the same IP address block (188.8.131.52/16).
The following screenshots show the email body and the attached fraudulent invoice in two examples.
The first example:
The second example:
Callback phishing scams are becoming increasingly popular because they are harder for anti-phishing content filters to block. With traditional phishing attacks, anti-phishing content filters can review the message text and open the linked URLs to check whether they contain malicious content or code; there is content, and there are objects, that can be examined to determine whether or not the email is malicious.
With callback phishing, the entire message is one big picture. Many anti-phishing content filters cannot “read” the text on the picture. The best they can do is look at the name or hash of the picture file, both of which can easily be made unique and individual for each potential victim.
Your team members should be wary of emails that arrive unexpectedly, ask them to perform unfamiliar actions, contain only a picture file, or repeatedly display a phone number without any clickable links.
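As an added example (not code from the original post or from CyberForce|Q), a small Python triage heuristic that applies exactly these traits to a raw email: it flags messages whose body carries almost no text beside an image attachment, or that repeat a phone number while offering nothing a URL filter could open. The phone and URL patterns, the word-count threshold, and the sample messages are all assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed heuristics (not from the post): North American phone pattern, URL markers,
# and a word-count threshold below which a body with an image counts as "image only".
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
MAX_WORDS_FOR_IMAGE_ONLY = 20


def analyze(raw: bytes) -> dict:
    """Score a raw RFC 5322 message for the callback-phishing traits described above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chunks, image_count = [], 0
    for part in msg.walk():
        maintype = part.get_content_maintype()
        if maintype == "multipart":
            continue
        if maintype == "image":
            image_count += 1
        elif part.get_content_type() in ("text/plain", "text/html"):
            # Crude tag strip so HTML wrappers do not inflate the word count.
            text_chunks.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    text = " ".join(text_chunks)
    words = len(text.split())
    phones = PHONE_RE.findall(text)
    has_url = bool(URL_RE.search(text))
    reasons = []
    if image_count and words < MAX_WORDS_FOR_IMAGE_ONLY:
        reasons.append("image_only_body")          # invoice shipped as a picture, body (nearly) blank
    if len(phones) >= 2 and not has_url:
        reasons.append("repeated_phone_no_links")  # "call us" with no link for a filter to follow
    return {"images": image_count, "words": words, "phones": len(phones),
            "has_url": has_url, "reasons": reasons, "suspicious": bool(reasons)}


def build_sample(body: str, with_image: bool) -> bytes:
    """Construct a test message (addresses are placeholders, not real indicators)."""
    m = EmailMessage()
    m["From"] = "billing@sender.invalid"
    m["To"] = "user@recipient.invalid"
    m["Subject"] = "Your invoice"
    m.set_content(body)
    if with_image:
        fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed placeholder bytes
        m.add_attachment(fake_png, maintype="image", subtype="png", filename="invoice.png")
    return m.as_bytes()


if __name__ == "__main__":
    print(analyze(build_sample("", True)))
```

In production the image part would additionally go through OCR, since the hash and filename checks the post describes are trivially defeated by per-recipient images.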
Your first line of defense is Security Awareness Training for your employees: educate your team members so they know what callback phishing is and how it works.
Teach your team members about messages that have these two traits:
The message arrived when you were not expecting it.
It asks you to do something this sender has never asked you to do before.
Encourage your team members to practice these steps when receiving emails:
Review the sender's information and check that it matches the company it claims to be from.
Ask whether the requested actions are ones the sender would legitimately ask for.
Request input from, or report to, your IT team if anything seems questionable.
1. Ransomware Actors Continue To Gain Access through Third Parties. (2023, November 7). Ic3.gov. https://www.ic3.gov/Media/News/2023/231108.pdf
How can CyberForce|Q services help you address this risk?
Incident response is time-sensitive, and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365; reach out to email@example.com.
Learn more about CyberForce|Q.