As organizations become more sophisticated in the realm of cybersecurity, it is always important to go back to the basics. When an incident is severe enough, established security companies do not email random users telling them the IT department has been notified; they make a call through the organization's call tree. Take the recent CrowdStrike callback phishing campaign, for example:
On July 8, 2022, the reputable cybersecurity firm, CrowdStrike, reported that the company is being impersonated in a callback phishing campaign.
CrowdStrike reports that threat actors may also be posing as other prominent cybersecurity firms–with the same methods used due to their high likelihood of success in conning targeted entities.
This attack profile explicitly exploits the trust reposed in these reputable cybersecurity firms by their customers.
Neither surprisingly nor coincidentally, another cybersecurity firm, the NCC Group, subsequently alerted customers that it was also being impersonated by threat actors. In this case, the perpetrators are sending phishing emails to customers implying they have been breached, or are at risk of being breached, by a cyber-attack.
A callback phishing campaign is “a social engineering tactic that strongly encourages the recipient of the fake, although seemingly credible, email to call a number noted in the message. If the targeted individual calls the phone number, a ‘customer service’ representative will most likely direct the victim to a malicious website and provide instructions that result in unknowingly downloading malicious software–under the guise of troubleshooting a potential cybersecurity breach.”
In the example provided of the tactics used, the email misappropriates the CrowdStrike logo and physical address to create the false appearance, and impression, of legitimate official correspondence from the cybersecurity firm. Through this email, the malicious threat actors assert that CrowdStrike is the targeted company’s outsourced cybersecurity service vendor–a statement that, by itself, may be accurate. The correspondence then makes a series of false assertions:
CrowdStrike identified abnormal activity either at or related to the segment of the network that includes the targeted victim’s workstation;
The victimized company’s internal information security team has already been notified directly–with contact information provided for a perpetrator. This step is likely intended to dissuade the recipient of the false email from contacting the organization’s Information Technology (IT) department or office to confirm the purported report and whether action is initiated;
Due to the risk of loss of critical data, the company may be in violation of federal privacy statutes or regulations–with specific reference to the Consumer Privacy Act of 2018;
The alleged agreement between the targeted company and the impersonated cybersecurity firm (such as CrowdStrike) obligates the latter to conduct the cybersecurity audit(s) sought, implying that the victimized company’s employees are cooperating, or will do so;
The email provides the recipient with a phone number to call to initiate the audit process–which actually reaches one of the perpetrators.
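The false assertions listed above are also the observable features a mail filter or analyst can key on: a named security vendor, a claim that the internal security team has already been notified, a regulatory threat, a reference to abnormal activity, an "audit", and a phone number the reader is urged to call. The following is an added example, not code from the original article or from CrowdStrike, that scores a message against those indicators and pulls out any phone number so it can be compared with the vendor's published contact details. The indicator weights, the threshold, the regular expressions and both sample emails (including the addresses and the phone number) are constructed for this example.

```python
import re

# Heuristic indicators derived from the tactics described in the article.
# Each entry is (name, compiled pattern, weight); the weights are an assumption.
INDICATORS = [
    ("vendor_impersonation", re.compile(r"\b(crowdstrike|ncc group)\b", re.I), 2),
    ("phone_callback", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"), 2),
    ("it_already_notified", re.compile(r"\b(security|it) (team|department)\b.{0,40}\b(notified|informed|aware)\b", re.I), 2),
    ("regulatory_threat", re.compile(r"\b(privacy act|violation of|regulat)", re.I), 1),
    ("abnormal_activity", re.compile(r"\b(abnormal|suspicious|unusual) activity\b", re.I), 1),
    ("audit_pressure", re.compile(r"\baudit\b", re.I), 1),
]

# Score at or above which a message is flagged for review (assumed value).
THRESHOLD = 5

# Constructed sample modelled on the tactics in the article; not a real email.
PHISHING_SAMPLE = """\
From: CrowdStrike Support <support@crowdstrike-example.invalid>
Subject: Abnormal activity detected on your network segment

As your outsourced cybersecurity vendor, CrowdStrike identified abnormal activity
on the network segment that includes your workstation. Your internal information
security team has already been notified. Because critical data may be at risk,
your company may be in violation of the Consumer Privacy Act of 2018.
Under our agreement we are obligated to conduct an audit. Please call
(555) 010-0199 to begin the audit process.
"""

# Constructed benign sample for comparison.
BENIGN_SAMPLE = """\
From: Accounts Payable <ap@example.invalid>
Subject: July invoice

Hi, the July invoice is attached. Let me know if the PO number needs updating.
Thanks!
"""


def score_callback_phishing(message: str) -> dict:
    """Return the total weight of matched indicators, their names, and a verdict."""
    hits = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(message):
            hits.append(name)
            score += weight
    return {"score": score, "indicators": hits, "suspicious": score >= THRESHOLD}


def extract_phone_numbers(message: str) -> list:
    """List every phone number in the message so it can be checked against
    the vendor's published contact number before anyone dials it."""
    return INDICATORS[1][1].findall(message)


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_callback_phishing(sample)
        print(f"{label}: score={result['score']} suspicious={result['suspicious']} "
              f"indicators={result['indicators']} phones={extract_phone_numbers(sample)}")
```

Run stand-alone, the script flags the constructed phishing sample (every indicator matches) and leaves the invoice email at zero. The phone number is returned separately on purpose: the defensive control the article points to is verifying such numbers against the contact details on the vendor's own website, and this makes that the analyst's next step rather than leaving the number buried in the message.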
This specific attack profile is the first known callback campaign to impersonate cybersecurity entities. Impersonating distinguished cybersecurity firms is likely to increase cyber-criminals’ success rates and the number of network compromises because of these firms’ highly reputable status and the degree of trust placed in them.
It is important to adhere to the recommended measures in the guidance provided by the Cybersecurity and Infrastructure Security Agency (CISA) on its SHIELDS UP public website. Additionally, security professionals and organizations everywhere must implement cybersecurity awareness training programs, initiatives and policies that detail the procedures and methods by which employees will be contacted in the event of a significant cybersecurity incident.