Fake Call Center Tricks Users Into Installing Ransomware

Posted by Norma Stratton on

Safe Harbor Cybersecurity & IT Solutions Simplified OWN IT. SECURE IT. PROTECT IT


It has to be admitted, unfortunately, that scammers are quite good at their job. This is why new defenses are constantly being put in place as the scammers find new and improved ways to victimize individuals and businesses.

Potential victims are becoming increasingly aware of steps they need to take to protect themselves. For example, many, if not most, understand the dangers of opening links in strange emails and will simply delete them on sight. What they may be less wary of are emails directing them to call and speak directly to what they are told is a company representative.

This type of cybercrime tricks victims into harming themselves: they end up downloading malware that can infect their system with ransomware and exfiltrate data.





Known as “BazaCall”, this type of attack relies on a method similar to phishing in which the target will receive an email message that informs them of upcoming changes to a subscription that will take place unless they call a provided phone number.

When the target calls the number, they are connected to an actual human operator at the fake call center who will then provide them with instructions to download the BazaLoader malware, which is a C++ downloader that is capable of installing malicious programs on the infected computer. This might include ransomware or other malware and allows for the theft of sensitive data from the compromised system.

BazaLoader campaigns were first spotted in 2020 but have now been used by several threat actors and will often be used to load malware such as Ryuk and Conti ransomware. A report published by the Microsoft 365 Defender Threat Intelligence Team noted that “attacks emanating from the BazaCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of the initial compromise.”




This approach by attackers allows them to slip past phishing and malware detection software, as there is no link or document sent in the body of the email message. There is a growing trend among criminals to employ BazaLoader in an intricate attack chain, using call centres that seem to be staffed by non-native English speakers.
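Because the lure carries no link or document for a scanner to inspect, a mail filter has to key on the shape of the message instead. The following is an added example, not taken from this article or from Microsoft's report: a heuristic that flags mail with no URL and no attachment that pairs subscription or billing wording with a phone number to call. The keyword lists, regexes and sample messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Heuristic patterns: illustrative assumptions, not vendor signatures.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
LURE_RE = re.compile(r"\b(subscription|trial|renew\w*|charged?|cancel\w*)\b", re.I)
CALL_RE = re.compile(r"\b(call|phone|dial|contact)\b", re.I)

def bazacall_style_lure(raw: str) -> bool:
    """True for mail that has nothing to scan (no URL, no attachment)
    yet urges a phone call about a subscription or charge."""
    msg = message_from_string(raw, policy=default)
    # Messages with attachments or links are left to the existing
    # attachment and URL scanners; this check covers what they miss.
    if any(True for _ in msg.iter_attachments()):
        return False
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    if URL_RE.search(text):
        return False
    return bool(PHONE_RE.search(text) and LURE_RE.search(text)
                and CALL_RE.search(text))

# Constructed sample messages (not real campaign mail).
LURE = ("From: billing@example.com\nTo: user@example.org\n"
        "Subject: Your trial subscription ends soon\n\n"
        "Your free trial will convert to a paid plan and you will be charged\n"
        "unless you cancel. To cancel, call our support line at 1-800-555-0100.\n")
WITH_LINK = LURE.replace("call our support line at",
                         "visit https://example.com/cancel or call")
BENIGN = ("From: colleague@example.org\nTo: user@example.org\n"
          "Subject: Meeting moved\n\n"
          "The meeting is now at 3pm. Call me on 1-800-555-0100 if that clashes.\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("with_link", WITH_LINK), ("benign", BENIGN)):
        print(name, bazacall_style_lure(raw))
```

A hit from a heuristic like this is a reason to quarantine or banner the message for review, not proof of malice, since legitimate billing notices can have the same shape.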

Back in May, Proofpoint and Palo Alto Networks revealed how an Excel spreadsheet carrying the BazaLoader software was part of an intricate infection mechanism that made use of websites for phony ebooks (World Books) and subscription services for streaming movies (BravoMovies). Microsoft has also revealed the newest attack method, in which the call centre agent directs the caller to a recipe website to cancel a trial subscription. This subscription, of course, never existed in the first place.

By using human call centre agents in the BazaCall attack chain, this threat becomes more dangerous and harder to block than traditional automated malware attacks, highlighting the need for a more comprehensive defence against increasingly complex threats.

Don’t get tricked into installing ransomware. Contact Safe Harbor today!