Luna Moth Gang Targets Businesses with Callback Phishing Campaigns

The Luna Moth gang now targets businesses with callback phishing campaigns by investing in call centers. The hacking group is known to have extorted hundreds of thousands of dollars from several victims in the legal and retail sectors.

These new attacks can be recognized by a technique called callback phishing, in which emails disguised as invoices and subscription-themed lures manipulate victims into making a phone call.

Palo Alto Networks Unit 42 reports that these attacks are the product of a single, highly organized campaign. This threat actor has invested in call centers and infrastructure specific to each victim, unlike many others who reuse their tactics.

The cybersecurity firm said the campaign has been going on for “the past many months” and noted that it’s changing to keep up with new defenses.

What makes callback phishing noteworthy is that there are no malicious attachments or links to click. Instead, the messages are completely innocent and devoid of any digital traps. This means they can bypass email protection and evade detection by slipping past most spam filters.

These messages typically come with an invoice that includes a phone number the victim can call to cancel the supposed subscription. However, these victims are routed to a fake call center and connected with a live agent on the other end who ends up installing crypto-jacking software for persistence.
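As an added example (not from Unit 42 or the original article), here is a mail-triage heuristic for the pattern described above: a billing lure, a request to phone in, a phone number, and no links for a URL scanner to act on. The keyword lists, the North American phone format and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Lure vocabulary and phone format are assumptions based on the article's description.
LURE = re.compile(r"\b(invoice|subscription|renew(?:al|ed)?|charged|billing)\b", re.I)
ASK = re.compile(r"\b(call|dial|phone)\b.{0,80}\b(cancel|refund|dispute)\b"
                 r"|\b(cancel|refund|dispute)\b.{0,80}\b(call|dial|phone)\b", re.I | re.S)
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.\-]?)?\(?\d{3}\)?[\s.\-]?\d{3}[\s.\-]?\d{4}(?!\d)")
URL = re.compile(r"https?://|www\.", re.I)

def analyze(raw: str) -> dict:
    """Flag mail that pairs a billing lure with a 'call us' ask and carries no links."""
    msg = message_from_string(raw, policy=policy.default)
    texts = [msg.get("Subject", "")]
    attachments = []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())  # recorded for the analyst
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_content())
    text = "\n".join(texts)
    # Normalise to the last 10 digits so formatting variants of one number collapse.
    phones = sorted({re.sub(r"\D", "", m.group())[-10:] for m in PHONE.finditer(text)})
    signals = {
        "lure": bool(LURE.search(text)),
        "callback_ask": bool(ASK.search(text)),
        "phone": bool(phones),
        "no_links": not URL.search(text),
    }
    return {"suspicious": all(signals.values()), "phones": phones,
            "attachments": attachments, "signals": signals}

# Constructed sample messages (not real campaign mail).
CALLBACK_MAIL = """\
Subject: Invoice 00000 - subscription renewal
Content-Type: text/plain

Your annual subscription has been renewed and your card will be charged.
To cancel, call our support team at +1 (800) 555-0142 within 24 hours.
"""
BENIGN_MAIL = """\
Subject: Your invoice is ready
Content-Type: text/plain

View your subscription invoice at https://billing.example.com/invoices
Questions? Call 800-555-0199.
"""

if __name__ == "__main__":
    print(analyze(CALLBACK_MAIL)["suspicious"], analyze(BENIGN_MAIL)["suspicious"])
```

The normalised numbers in `phones` can be compared across reports to spot the same callback number arriving under different sender addresses.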

According to Unit 42 researcher Kristopher Russo, an attacker will then search for valuable information on the victim’s computer or connected file shares, and exfiltrate it to a server they control using a file transfer tool.

A campaign may be resource intensive, but it would also likely have a much higher success rate than other phishing attacks.

In addition, because nothing is encrypted, the attacker can steal sensitive data without needing to deploy ransomware to lock the files after they are exfiltrated.

A well-known cybercrime group called Silent Ransom is the prime suspect behind last year’s BazarCall scams. AdvIntel believes that this group is responsible for orchestrating these frauds.

One way that an attack can be disguised as legitimate is by using a tool like Zoho Assist to remotely interact with a victim’s computer. Using their access, the attacker could then deploy another piece of trusted software like Rclone or WinSCP for harvesting data.

Extortionists may demand anything from two to 78 Bitcoins, with the cost depending on the organization targeted. Regardless, the threat actor creates a unique bitcoin wallet for each payment received. It’s also reported that these extortionists offer discounts of nearly 25%, but there are no guarantees that they’ll actually delete the data.

Russo further added that this threat actor has taken great pains to avoid detection. They minimize the chance of being found by using only malware that is necessary and avoiding superfluous tools. Focusing on employee cybersecurity awareness training will go a long way in defending your employees.
