Stay Safe Online

BazaLoader: A malware campaign tricks victims into calling crooks

Microsoft is warning users about a trending malware campaign in which criminals email victims and tell them to call a phone number or face an imminent charge.

When it comes to keeping your computer clear of nasty malware, we’re usually offering our readers the usual advice. Don’t click on links in emails and text messages. Don’t trust pop-ups from websites asking you to download files. And definitely don’t be opening up email attachments from emails you weren’t expecting.

There is another piece of advice that gets repeated less often. If an unexpected email or text arrives that includes a phone number and asks you to call it… don’t. Or at least not until you’ve done some digging to find out whether it’s genuine correspondence or a scammer knocking at your door.

You see, if it’s a scam, there’s a good chance that when you do call back, you’ll be calling up a scam call centre located somewhere abroad. And they’ll be looking to trick you into installing malware.


That essentially sums up Microsoft’s latest warning, published last week, about a recent malware campaign. The crooks send emails asking victims to call a particular phone number, using bog-standard social engineering to get them to do so. For example, the emails may claim the recipient is about to be billed for a premium subscription or a product, or has already been billed, and that they must call the number provided in order to cancel it.

And that’s when the human scammers take over. Victims are directed to call centres, usually located in India. (The phone number may look local – but that doesn’t mean it is!) The scammers claim the victim needs to visit a website and download a document in order to process the cancellation. Or refund. Or whatever trick the scammers used to bait the victim into calling them in the first place.

That document could be, for example, a Word or Excel document. The scammer then tells the victim to ignore or disable the security warnings that appear when the downloaded document is opened. Those warnings are about “enabling content”, which means allowing the document’s macros to run. Macros are small pieces of code embedded in Office documents; a malicious macro can fetch and run malware from the Internet, which is why Office blocks macros in documents downloaded from the Internet by default and only runs them if the user clicks through the warning. It is a tried-and-tested way of infecting devices.

An example of an email (text only) is below.

Shipping Confirmation
Item no. GHBJ/564/835467G
Thank you for shopping with AMAZ0N. Your Order LG 10.5 Kg / 7.0 Kg Inverter Wi-Fi Washer Dryer.
Billing Address:-
7 Meserve Ln
Kennebunkport
Me 04046
Note: If you didn’t order this item Call us immediately on +1 [855] 798_3354
Brand LG
Colour Black VCM
Special Feature Inverter, In built heater, Wi-fi
Item Dimensions LxWxH 60 x 55 x 85 Centimeters
Your order for LG Washer Dryer is confirmed and the amount has been debited from your linked account.
Order Summary:
Date August 05, 2021
Payment mode Auto Debit
Price $ 1645.39
Item Quantity 1
If you want to cancel or want refund call us on +1 [855] 798_3354
Thanks & Regars
The Amazon Team +1 [855] 798_3354

The above email claims the recipient ordered an LG Washer Dryer from Amazon. However other examples have claimed the recipient has ordered an antivirus subscription, Inspiron or Lenovo laptop, JBL sound system and Samsung TV. Countless other variants will also be in circulation.
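The advice above boils down to treating a phone number in an unexpected email like a link. As an added example (not code from the article or from Microsoft’s report), here is a small triage script that applies that rule to raw email text: it pulls out phone numbers even when they are written with the odd separators seen in the sample (“[855] 798_3354”), spots digit-for-letter brand lookalikes such as “AMAZ0N”, and counts the urgency and billing phrases typical of callback lures. The sample input is the scam email reproduced above, trimmed to its relevant lines; the brand list, phrase list, scoring weights and threshold are assumptions chosen for illustration, not anything the article or Microsoft specifies.

```python
import re

# Constructed sample: the lure email shown in the article, trimmed to the lines
# that carry the callback signal (the product table and address are omitted).
SAMPLE_EMAIL = """Shipping Confirmation
Thank you for shopping with AMAZ0N. Your Order LG 10.5 Kg / 7.0 Kg Inverter Wi-Fi Washer Dryer.
Note: If you didn't order this item Call us immediately on +1 [855] 798_3354
Your order for LG Washer Dryer is confirmed and the amount has been debited from your linked account.
If you want to cancel or want refund call us on +1 [855] 798_3354
The Amazon Team +1 [855] 798_3354
"""

# North American number with an optional country code; separators may be
# spaces, dots, dashes, underscores, brackets or parentheses, because lure
# emails deliberately mangle the number to evade simple pattern matching.
PHONE_RE = re.compile(
    r"(?:\+?1[\s\-_.\[\]()]*)?\(?\[?\d{3}\]?\)?[\s\-_.]*\d{3}[\s\-_.]*\d{4}"
)

# Digit-for-letter substitutions commonly used in brand spoofing (assumed set).
HOMOGLYPHS = str.maketrans({"0": "O", "1": "I", "3": "E", "4": "A",
                            "5": "S", "7": "T", "8": "B"})
# Brands frequently impersonated in callback lures (assumed, illustrative list).
BRANDS = {"AMAZON", "MICROSOFT", "PAYPAL", "NORTON", "MCAFEE", "GEEKSQUAD"}
# Phrases that push the reader to phone in (assumed, illustrative list).
CALLBACK_PHRASES = ["call us", "immediately", "cancel", "refund",
                    "debited", "charged", "subscription"]


def extract_phone_numbers(text):
    """Return every phone number in the text normalized to 10 digits,
    in order of appearance. Duplicates are kept so the caller can see
    how often the same number is repeated."""
    numbers = []
    for match in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]            # drop the +1 country code
        if len(digits) == 10:
            numbers.append(digits)
    return numbers


def find_brand_lookalikes(text):
    """Return words that become a known brand name once digit-for-letter
    substitutions are undone, e.g. 'AMAZ0N' -> 'AMAZON'. Correctly spelled
    brand names are not reported; on their own they prove nothing."""
    hits = []
    for word in re.findall(r"[A-Za-z0-9]+", text):
        upper = word.upper()
        if upper in BRANDS:
            continue
        if upper.translate(HOMOGLYPHS) in BRANDS and word not in hits:
            hits.append(word)
    return hits


def callback_phishing_score(text):
    """Score an email body for the callback-phishing pattern: a phone number
    as the only call to action, urgency/billing language and brand spoofing.
    Weights and the threshold of 5 are assumptions for illustration."""
    lowered = text.lower()
    phones = extract_phone_numbers(text)
    unique_phones = sorted(set(phones))
    lookalikes = find_brand_lookalikes(text)
    phrases = [p for p in CALLBACK_PHRASES if p in lowered]

    score = 0
    if unique_phones:
        score += 2                         # a number to call at all
    if any(phones.count(p) >= 2 for p in unique_phones):
        score += 1                         # same number hammered home
    if unique_phones and "http" not in lowered:
        score += 1                         # no link: the phone IS the lure
    if lookalikes:
        score += 2                         # spoofed brand name
    score += min(len(phrases), 3)          # urgency / billing language, capped

    return {
        "phones": unique_phones,
        "lookalikes": lookalikes,
        "phrases": phrases,
        "score": score,
        "verdict": "likely callback phishing" if score >= 5 else "not flagged",
    }


if __name__ == "__main__":
    result = callback_phishing_score(SAMPLE_EMAIL)
    print(f"Numbers to call : {result['phones']}")
    print(f"Brand lookalikes: {result['lookalikes']}")
    print(f"Lure phrases    : {result['phrases']}")
    print(f"Score {result['score']} -> {result['verdict']}")
```

The point of the number normalization is that the obfuscated form in the lure is not an accident: a mail filter that only knows “855-798-3354” never sees it, while a human dialling it gets through just fine. Running the script on the sample reports one number repeated three times, the “AMAZ0N” lookalike and five of the lure phrases, which is enough to flag it; a routine message that merely contains a phone number scores well below the threshold.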


And when the victim downloads the document and disables the security prompts as instructed by the person on the other end of the phone, the BazaLoader malware infects the device. BazaLoader is a backdoor that gives the crooks remote access to and control of the device. From there they can steal data, install further malware or, as Microsoft warns, deploy ransomware.


How the BazaLoader attack operates from start to finish.

While using call centres and human operators to scam victims is perhaps less common than malicious websites or email attachments, this isn’t a new technique. The ubiquitous technical support scams have used call centres in this manner for years.

Avoiding this scam…

– Phone numbers in unexpected emails (or texts) should be treated the same way as links. Assume they’re scams.

– Never download anything because a stranger on the phone tells you to, and never let them talk you into disabling or ignoring your computer’s security warnings.

– Never assume an email is genuine, especially if it’s asking you to download files, open web links or call phone numbers. This is especially true if the email claims you’ve been enrolled in a subscription or are about to be billed for something by a company you’ve never heard of.

Published by
Craig Haley