Kaspersky Lab experts report that attackers are increasingly faking Windows problems to trick Russian-speaking users into calling them back. During the resulting phone call, they talk the victims into transferring money or handing over sensitive data.
The researchers write that in September they recorded more than 40,500 attempts by Russian users to visit phishing sites exploiting the theme of Microsoft products. Some of these sites offered downloads of the Windows 10 or Windows 11 operating system. Others tried to harvest login credentials (email address and password) for Microsoft services, including Outlook. If a person entered this data on a fake site, it went straight to the attackers.
At the same time, attackers are increasingly turning to vishing (voice phishing): they try to induce the person to call them at a specified number. If the victim takes the bait and calls back, the scammers start working on them. Typically they try to extract confidential data, or to convince the victim to transfer money to specified bank details or to install potentially dangerous software.
Experts describe one of the fraudulent schemes as follows: a person visits a dubious site or is redirected there from a spam email. A banner then appears on the screen with the message: “Windows has been blocked due to suspicious activity.” A threat, supposedly a spyware Trojan, has allegedly been detected on the user’s device.
The same message asks the person to immediately contact technical support at the phone number listed on the site in order to avoid a “complete computer failure”. In reality, the attackers are simply showing the victim a banner in full-screen mode, which is how they try to convince the person that the computer really is locked.
Interestingly, according to a recent report from Trellix, this kind of fraud is actively evolving: during such vishing attacks, victims’ machines are often infected with a malware loader that distributes additional payloads, including remote access Trojans, spyware, and ransomware.
Trellix experts describe another tactic popular with scammers. Instead of frightening the victim with scary banners, they send emails informing the recipient about an expensive subscription that the user never signed up for. The email contains a phone number where the recipient can supposedly find out more about this “subscription” and cancel it.
These fake notices impersonate Geek Squad, Norton, McAfee, PayPal or Microsoft. When the victim calls the scammers, however, they are told that the email they received was spam. The fake support worker then warns the victim that the spam may have infected the computer with malware and redirects the user to a “technician”.
After that, another scammer calls the victim back, ostensibly to help deal with the infection. This second caller directs the user to a site where they download malware masquerading as antivirus software.
Most often in such cases, the user’s machine is penetrated by BazarLoader, remote access Trojans, Cobalt Strike beacons or other remote access tools, depending on who is behind the particular malicious campaign.
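The common thread in the Trellix scheme is an email that names a well-known brand, claims a paid subscription or charge, and offers a phone number as the only way to cancel. The following added example (not code from the article, Kaspersky or Trellix) scores email bodies on exactly those indicators so a mail filter or SOC analyst can triage callback-phishing candidates. The weights, the phone-number regex and both sample messages are constructed for this illustration.

```python
"""
Heuristic triage for callback-phishing ("vishing") emails.

Added example, not from the original article or any vendor report. It scores
message bodies on the indicators the article describes: a spoofed brand
(Geek Squad, Norton, McAfee, PayPal, Microsoft), a surprise paid
"subscription"/"renewal"/"invoice", a phone number offered as the way to
cancel, and urgency wording. The sample messages below are constructed.
"""
import re

BRANDS = ("geek squad", "norton", "mcafee", "paypal", "microsoft")
BILLING_WORDS = ("subscription", "renewal", "invoice", "charged", "auto-renew")
URGENCY_WORDS = ("immediately", "within 24 hours", "blocked", "suspicious activity")
CALLBACK_WORDS = ("call", "contact", "dial", "helpline", "support number")

# Loose phone-number pattern (optional country code, 3-3-4 digits); constructed.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumed weights: a phone callback request is the strongest single signal.
WEIGHTS = {
    "brand": 1,
    "billing": 2,
    "urgency": 1,
    "callback_request": 3,
    "phone_only_channel": 2,
}


def score_message(body: str) -> dict:
    """Return indicator hits, the phone numbers found and a total score."""
    text = body.lower()
    phones = PHONE_RE.findall(body)
    urls = URL_RE.findall(body)
    hits = {
        "brand": any(b in text for b in BRANDS),
        "billing": any(w in text for w in BILLING_WORDS),
        "urgency": any(w in text for w in URGENCY_WORDS),
        "callback_request": any(w in text for w in CALLBACK_WORDS) and bool(phones),
        # Legitimate billing mail links to an account page; callback scams
        # give a phone number and no link, so the call is the only exit.
        "phone_only_channel": bool(phones) and not urls,
    }
    score = sum(WEIGHTS[k] for k, v in hits.items() if v)
    return {"score": score, "hits": hits, "phones": phones}


def classify(body: str, threshold: int = 6) -> str:
    """Label a message; the threshold is an assumed tuning value."""
    return "suspected-callback-phish" if score_message(body)["score"] >= threshold else "ok"


# Constructed samples: one callback-phish in the style the article describes,
# one ordinary receipt that links to an account page instead of a phone number.
SAMPLES = {
    "scam": (
        "Subject: Your Geek Squad subscription has been renewed\n"
        "Dear customer, your annual plan was auto-renewed and $399.99 was charged "
        "to your account. If you did not authorize this, call our helpline "
        "immediately at +1 (555) 010-2233 to cancel."
    ),
    "legit": (
        "Subject: Your receipt\n"
        "Thanks for your order. View or manage your subscription at "
        "https://example.invalid/account. No action is needed."
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body), score_message(body))
```

The `phone_only_channel` indicator is the one worth keeping even if the word lists are swapped for a proper classifier: a genuine billing notice almost always offers a link to an account page, whereas the scam deliberately leaves the phone call as the only way to react.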