Hackers Turn to Phone to Infect Pc with Malware — What You Need To Know

The latest method of infecting computers is surprisingly old-fashioned: it uses the telephone.

Online researchers have documented a new malware campaign dubbed "BazarCall." One of the main "payloads" of this malware is the BazarLoader remote access Trojan, which can be used to give hackers full control of a PC and install further malware.

The attack begins with an email informing you that the free trial of the medical service you supposedly signed up for will soon end and that your credit card will be charged $90 per month or some other ridiculous fee in a few days.

According to The Record and Bleeping Computer, the subject lines include "Thank you for your free trial" and "Would you like to extend your free period?"

A security researcher who calls himself "Execute Malware" has written up BazarCall; a list of possible subject lines can be found here.

Naturally, you wonder what the heck this email is about, but you certainly don't want to pay for something you don't agree with. Fortunately, the message includes a phone number to call to cancel your subscription and a subscriber ID number to which you can refer.

You hesitate. You've heard of or seen phishing emails that direct you to a site that asks for your password, or that try to install something on your computer if you click on a link.

But this email has no link. It seems safe. Also, what harm can be done by calling the phone number?

So you call the number. You are put on hold. You wait a few minutes. Then a friendly call center operator (he or she sounds suspiciously like someone who is part of a tech support scam) comes on the phone and listens to your questions about the e-mail.

The operator asks for the subscriber ID listed in the e-mail.

Here's the important part. The subscriber ID is very important because it allows the scammer to know who you are.

"They can identify the company you received that e-mail from when you gave them a valid customer [ID] number over the phone," Binary Defense security expert Randy Pargman told Bleeping Computer. "But if you give them the wrong number, they just say they canceled your order and it's all good without sending you to a website."

Below is a YouTube video explaining the entire process. The interaction with the call center operator begins at approximately the 2:45 mark.

Anyway, the customer service rep puts you on hold for a bit to verify your subscriber ID, then comes back to tell you who signed up for this subscription and provided a credit card. There must be some mistake.

The friendly customer support representative tells you that since this is about medical services, you need to fill out some forms online to cancel your subscription. He sends you to a professional-looking website where you can continue the cancellation process.

There are at least five possible websites, also listed here. All of the ones we looked at were identical, and someone went to great lengths to make each site look decent. The websites include FAQs, privacy statements, terms of use, and even contact information, including the address of their Los Angeles office tower and a phone number in Southern California.

We called several of the listed phone numbers, but were unable to reach anyone. We also found that all five websites we visited had domains registered last week under the same alias and the same Russian e-mail address.

When we returned to the customer support call, the representative directed us to the site's registration page, where we clicked on "unsubscribe." However, the unsubscribe box does not ask for your name or email address. Instead, it asks again for the subscription ID number that was listed in the initial notification email you received.

After clicking Submit on the Unsubscribe dialog box, the browser asks for permission to download a Microsoft Excel spreadsheet or Word document. The customer support representative says that in order to cancel your subscription, you must download and open this document and digitally "sign" it.

Now, because Microsoft Office files downloaded from the Internet are so dangerous, Windows itself "sandboxes" them so that macros (small mini-programs) cannot be run without permission.

However, the customer support representative you are dealing with on the phone insists that you click on the yellow bar that appears at the top of this Excel or Word file to enable the macro so that you can "sign" the document.

And that is the kiss of death. As soon as the macro is enabled, the Office file installs malware called a "dropper."
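The one click the operator depends on is the "Enable Content" bar on a document that carries the Mark of the Web. The following added example (not from the article or from any vendor) removes that choice from the user: it sets Microsoft's "Block macros from running in Office files from the Internet" policy for Word, Excel and PowerPoint, and shows how to check whether a downloaded document still carries the Internet-zone marker. It assumes Office 2016/2019/365 (registry version 16.0) and runs in the profile of the user being protected.

```powershell
# Added example, not part of the original article.
# Assumes Office registry version 16.0 and the current user's HKCU hive.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'
$policyName = 'blockcontentexecutionfrominternet'

foreach ($app in $apps) {
    $path = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # 1 = macros in files marked as coming from the Internet are blocked outright,
    # so the yellow "Enable Content" bar the caller points to never appears.
    Set-ItemProperty -Path $path -Name $policyName -Value 1 -Type DWord
}

# Read the policy back so the change can be confirmed (or audited later).
foreach ($app in $apps) {
    $path = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    $value = (Get-ItemProperty -Path $path -Name $policyName).$policyName
    '{0,-10} {1} = {2}' -f $app, $policyName, $value
}

# Check whether a downloaded document carries the Mark of the Web (ZoneId 3 = Internet).
# The Zone.Identifier alternate data stream is what the policy above keys on.
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        return ($zone -match '^ZoneId=3')
    } catch {
        return $false   # no stream: file was not downloaded, or the mark was stripped
    }
}

# Hypothetical path for illustration; substitute the document the caller had you download.
$sample = Join-Path $env:USERPROFILE 'Downloads\cancellation_form.xlsm'
if (Test-Path $sample) {
    "Mark of the Web present on ${sample}: $(Test-MarkOfTheWeb -Path $sample)"
}
```

For a domain, the same value is set through Group Policy under User Configuration, Administrative Templates for each Office application, which prevents a user from undoing it locally.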

In this case, the malware could be the aforementioned BazarLoader or the even scarier TrickBot. Once this malware is running on your machine, the bad guys behind it can install coin miners, botnet software, or even ransomware on your device.

If your machine is part of a corporate network, the malware can quickly spread throughout the enterprise.

But you are unaware of this. All you know is that you are filling out a form to cancel an unwanted and quite expensive subscription. When you finish filling out the form, the call center operator tells you that your cancellation was successful.

How can you avoid becoming a victim of this scam? First, make sure you have the best anti-virus software installed on your machine. Second, be very careful of tactics such as downloading Office files and enabling macros. This is often a recipe for disaster.
