Palo Alto’s Unit 42 recently issued a threat assessment alert outlining a new phishing scam that is unique and successful. The scam is believed to be carried out by the Luna Moth/Silent Ransom Group and is targeting businesses in the legal and retail sectors. Unit 42 predicts that the scam is “expanding in scope.”

According to the alert, the scam uses “legitimate trusted technology tools to carry out attacks….This threat actor has significantly invested in call centers and infrastructure that’s unique to each victim.” Education of users is critical to prevent the campaign from being successful.

The scam uses callback phishing, which is a social engineering attack that involves direct contact between the threat actor and the user. The scam starts with a phishing email to the user’s corporate email account attaching an invoice for less than $1,000 and advising the user that the user’s credit card has been charged for a service. The email is personalized to the user, does not contain any malicious code or malware and is sent using a legitimate email service, with the invoice attached as a pdf. None of this appears suspicious to the user.

The invoice includes a unique ID and telephone number with a few extra characters that are not noticeable, and when the user calls the number (which many users are told to do if something looks suspicious), the user is “routed to a threat actor-controlled call center and connected to a live agent.” The threat actor assists the user with canceling the subscription and requests that the user download and run a remote tool for the threat actor to have remote access to the user’s computer. The threat actor then downloads and installs a remote administration tool that provides access to the user’s computer to look for files to exfiltrate. Following exfiltration, the threat actor sends an extortion email to the victim requesting payment or the files will be released.

If the victim refuses to pay, the “attackers will threaten to contact victims’ customers and clients identified through the stolen data, to increase the pressure to comply.”

Threat actors are bobbing and weaving as users become more educated on their schemes and figure out new ways to infiltrate corporate systems and exfiltrate data. Keeping your users up to date on these schemes, and instilling a heavy dose of skepticism and caution in them is one way to combat these schemes. According to Unit 42, “if people targeted by these types of attacks reported these invoices to their organization’s purchasing department, the organization might be better able to spot the attack, particularly if a number of individuals report similar messages.” Protection of corporate data is a team sport. Be an active member of the team and report any suspicious messages to your IT professionals, block and tackle and look at every email with a healthy and heavy dose of suspicion.