Phone scam: What was behind a supposed package delivery
IT security service provider Sophos has revealed a combined attack tactic as part of its investigation of an infected computer: a nasty social engineering trick in Switzerland that combined phone and email bait into a complex attack chain against a German-speaking target. And the tactic is apparently already catching on elsewhere.
A Swiss company was recently hit by a cyber attack. Specialists have since analysed the infected computer. The evaluated data reveals a complex new attack tactic that combines credible phone and email communication to take control of corporate networks and siphon off data. The malware itself was delivered in a highly unusual way: a caller persuaded the target to open an email message that contained no text at all but was designed, as a single graphic, to look like an Outlook email. Clicking it triggered the download of a linked malicious Electron app.
"I would like to make a delivery to your location."
The caller told the employee he was a delivery driver with an urgent package for one of the company's locations, but no one had been there to receive it. He asked for a new delivery address at the employee's location. To arrange the redelivery, the employee would have to read him a code that the shipping company would send by email. While the caller was still on the phone with the employee, the announced email message arrived. It said that a PDF file attached to the message contained the required code.
This email, written in flawless French, set the subsequent attack chain in motion. In fact, the entire message was a fake that merely looked like an email with a PDF attachment: both the "attachment" and the message text were nothing but static images embedded in the message body. Guided by the scammer on the phone, the employee clicked on the image, which led to the malware download.
They knew it: the man speaks German
Although the email message was written in French, as mentioned, technical evidence suggests that the attackers already knew the Swiss target was likely German-speaking. Sophos analysts also determined that the attackers may have personally targeted the call recipient and built an elaborate social engineering attack chain around him. As a result, the cybercriminals briefly took control of the employee's computer before he literally pulled the (Ethernet) plug from the compromised machine. The alert employee sensed that something was wrong and disconnected the infected computer from the network. Unfortunately, not before the malicious payload had already become active.
"This attack was extremely targeted. There was only one person in the office that Friday, and the attackers probably knew that person's identity. The use of an image masquerading as an email is also something we haven't seen before. However, it is clever. Attaching an actual PDF often sets off alarms on systems because they are often used to spread malware, and emails containing PDFs often end up in spam filters," said Andrew Brandt, principal researcher at Sophos.
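As an added illustration (not from Sophos's report or from the original article), the following Python heuristic shows how a mail gateway or an analyst's triage script could flag the kind of message described above: an HTML body that consists of nothing but a clickable picture, where the link behind that picture leads to an external host or straight to a downloadable file. The sample messages, the domain names and the 40-character "no real text" threshold are constructed for this example and are not taken from the incident.

```python
"""Flag HTML emails whose whole body is one clickable image (added example)."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the "message" and its "PDF attachment" are one picture,
# and the link behind it fetches an executable from an outside host.
FAKE_IMAGE_MAIL = """\
From: parcel-service@courier.example.net
To: reception@firm.example.ch
Subject: Redelivery code
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://files.courier.example.net/redelivery/code.exe">
<img src="cid:outlook-lookalike.png" alt="">
</a>
</body></html>
"""

# Constructed sample of an ordinary HTML mail: real text, plus a logo that
# links back to the sender's own domain.
PLAIN_HTML_MAIL = """\
From: newsletter@firm.example.ch
To: reception@firm.example.ch
Subject: Monthly update
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://www.firm.example.ch/"><img src="cid:logo.png" alt="Firm logo"></a>
<p>Hello team, here is the monthly update on our projects. The quarterly
figures are on the intranet page, and the next all-hands meeting takes
place on Friday at 10:00.</p>
</body></html>
"""

RISKY_EXTENSIONS = (".exe", ".msi", ".zip", ".dmg", ".js", ".scr", ".bat")
MIN_VISIBLE_CHARS = 40  # assumed threshold below which a body counts as "no text"


class _BodyScanner(HTMLParser):
    """Count visible text and images, and record the href of every <img> inside an <a>."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.images = 0
        self.linked_image_hrefs = []
        self._open_hrefs = []   # stack of hrefs of currently open <a> tags
        self._skip = False      # inside <style>/<script>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("style", "script"):
            self._skip = True
        elif tag == "a":
            self._open_hrefs.append(attrs.get("href", "") or "")
        elif tag == "img":
            self.images += 1
            if self._open_hrefs:
                self.linked_image_hrefs.append(self._open_hrefs[-1])

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._skip = False
        elif tag == "a" and self._open_hrefs:
            self._open_hrefs.pop()

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())


def assess_html_mail(raw: str, trusted_domains=("firm.example.ch",)) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:                       # no HTML body: nothing to judge here
        return {"suspicious": False, "reasons": []}
    scan = _BodyScanner()
    scan.feed(part.get_content())

    image_only = scan.images > 0 and scan.text_chars < MIN_VISIBLE_CHARS
    link_reasons = []
    for href in scan.linked_image_hrefs:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if host and not any(host == d or host.endswith("." + d) for d in trusted_domains):
            link_reasons.append(f"clickable image leads to external host {host}")
        if url.path.lower().endswith(RISKY_EXTENSIONS):
            link_reasons.append(f"clickable image points at a download: {url.path.rsplit('/', 1)[-1]}")

    # Only the combination is flagged: a picture standing in for the whole
    # message AND that picture being a link to somewhere outside the organisation.
    reasons = (["image-only body: almost no selectable text"] if image_only else []) + link_reasons
    return {"suspicious": image_only and bool(link_reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("fake", FAKE_IMAGE_MAIL), ("plain", PLAIN_HTML_MAIL)):
        print(name, assess_html_mail(raw))
```

Requiring both conditions keeps ordinary marketing mails (a logo linking to the sender's own site above real text) out of the alert queue, while a body that is nothing but an image whose link leaves the organisation, or resolves to an executable, is exactly the shape of the message the employee was talked into clicking.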
After penetrating the network, the criminals used the malware to search for a wide range of information, including accounting software data, cookies, browsing history, passwords and cryptocurrency wallets. To hide the data exfiltration, the attackers connected the system to Tor (the dark web). The employee, who finally smelled a rat and pulled the plug, prevented worse consequences for his company.
Skillfully "scammed", and it is already continuing
"This type of highly sophisticated attack shows the lengths cybercriminals will go to circumvent defensive tools and gain people's trust. Phishing attacks are extremely effective, and we've seen attackers evolve their social engineering tactics with new technology. Although attackers are more likely to use email these days, that doesn't mean phone calls are outdated. We train employees a lot on email security, but we don't necessarily teach them how to handle unusual phone calls. In this case, the employee reacted quickly and had the presence of mind," Brandt said.
Following the attack on the Swiss company, Sophos X-Ops discovered another attack using the same approach against a company in Australia. Whatever group is behind these attacks is likely still active, and Sophos will continue to monitor the situation.
Source and further information: Sophos