On this episode of CyberSound, Jason chats about the latest threat actor tactics making the rounds with Randy Pargman, vice president of threat hunting and counterintelligence services at Binary Defense, and Matt Fusaro, senior security engineer with Vancord.
Phishing Redux — Can we trust anything?
[00:00:11.050] – Jason Pufahl
Welcome to CyberSound. I’m your host, Jason Pufahl. And today, I’m joined by Matt Fusaro, the senior security engineer with Vancord. Hi, Matt.
[00:00:19.510] – Matthew Fusaro
Nice to be here. Thank you.
[00:00:20.950] – Jason Pufahl
And Randy Pargman, the vice president of threat hunting and counterintelligence services at Binary Defense.
[00:00:26.650] – Randy Pargman
Hi. Thanks for having me on.
[00:00:28.210] – Jason Pufahl
Yeah. It’s a pleasure to have you. So we work together pretty closely, Binary Defense and Vancord, and we were having a conversation recently around common malware delivery methods and phishing and all the social engineering exploits that we talk about. We just recently did a podcast here where we talked about, what I’ll say is the more traditional phishing exploits and phishing tactics that attackers use.
[00:00:58.150] – Jason Pufahl
When we chat with you about it, you had a pretty clear story and a set of new tactics that, in a way, really run counter to all the things that we see that are really common in traditional malware delivery techniques. So I really want to spend some time on that today. I know you have thoughts there, and you’re seeing a specific exploit that seems to be getting a lot of success that I’d like you to touch on.
[00:01:21.610] – Randy Pargman
Yeah. Absolutely. Well, as you know, threat actors are very creative people, and every time we get better as defenders at putting blocks in their way, at scanning email, or scanning network traffic a little bit better, they go to work trying to figure out a way to get around that.
[00:01:38.890] – Randy Pargman
And as many people have been educated every Cybersecurity Awareness Month or whenever, they get a refresher on their cybersecurity. You know that when you receive a suspicious email that you need to look for links in that email or an attachment to that email? That’s what you need to watch out for. That’s the common advice that we’ve all been given and that’s still very true. That’s very applicable and it’s something that everybody needs to be aware of.
[00:02:08.110] – Randy Pargman
However, just this year starting in January, we started seeing threat actors doing something a little bit different, specifically to get around that awareness that people already have. They would send an email but it wouldn’t have any links, and it wouldn’t have any attachments to it. That is the scheme that I’d like to talk about.
[00:02:34.450] – Jason Pufahl
For folks who might want to learn more about this as they listen, is there a specific attack variant or attack name that you want to refer to?
[00:02:43.090] – Randy Pargman
Well, the researchers who started looking at this and publicly posting about it called it Bazarcall. B-A-Z-A-R-C-A-L-L. Because that was the primary payload that was being delivered by–it was the Bazar Loader. That’s also a sort of strange name and it comes from the top-level domain names of the infrastructure that the threat actors use using Emercoin DNS.
[00:03:12.490] – Randy Pargman
But the real point of this that is the most interesting is not the name of the malware that’s delivered. It’s really the method that’s being used. The “call” in Bazarcall comes from the fact that the threat actors try to convince people who receive the email to pick up the phone and call them.
[00:03:32.590] – Randy Pargman
That is unusual. Usually, any threat on the phone comes from somebody calling you, and you can recognize that it’s not a number you’re aware of. It’s not something that you expect to get a call from, so maybe you can ignore that.
[00:03:47.350] – Randy Pargman
But when you receive an email that tells you that an order has been placed for something and that you’re going to be on the hook for paying the bill–maybe a subscription is being renewed or some item like a concert ticket has been purchased–and your name is attached to it, and then it gives you a telephone number to call customer service, a lot of people are tempted to actually pick up the phone and call because they want to resolve whatever issue has happened that’s gotten their name involved with this.
[00:04:18.370] – Matthew Fusaro
So they think that they’re actually taking an active role in protecting themselves when really they’re engaging with an attacker.
[00:04:24.430] – Jason Pufahl
Which is exactly what we ask them to do all the time–take matters in your own hand and go on the offensive. Make that phone call.
[00:04:32.590] – Randy Pargman
Yeah. Exactly, and that is part of a social engineering technique because when somebody calls you, you’re automatically suspicious. But if you’re picking up the phone and dialing a number, you might have a little bit of suspicion, but you still think that you’re in charge. You’re in control of this call because you placed it.
[00:04:49.030] – Matthew Fusaro
I’d have to imagine that the success rate per campaign that they do is probably lower with us. Are you seeing that, or is it kind of the same as all the other phishing campaigns that you see out there as far as participation from the user?
[00:05:05.650] – Randy Pargman
So it’s hard to get really good numbers. But it seems that based on just talking to people and comparing notes with a lot of other researchers, it’s pretty common for at least several hundred people a day to call in to the phone number because the threat actor has their operator staff with at least a few dozen people, just based on having made a lot of different calls and talking to different people keeping notes about who answered the phone on different days. We can see that it’s a fairly large-scale operation.
[00:05:45.590] – Jason Pufahl
Again, though, it’s a good demonstration of how organized these threat actors are. Right? They’re sending out emails, they’re thinking about what might work, but then they’re actually creating a call center. So there’s got to be a significant ROI in this if they’re going to pay people to create the scripts and man the call centers and walk through whatever activities they undergo.
[00:06:10.610] – Randy Pargman
Yeah. I think that’s been pretty obvious to everybody who’s been studying the threat that it hasn’t just gone away. It hasn’t dried up. It actually increased in volume, and started out, like I said, in January of this year. But it really peaked in the summer months and just kept ongoing. So it couldn’t be sustained if it weren’t working.
[00:06:35.030] – Matthew Fusaro
Are they targeting any particular industry? Any type of customer profile?
[00:06:40.670] – Randy Pargman
We’ve looked and seen threats across lots of different industries, from education to manufacturing, finance, and high technology companies. There have also been email campaigns that have targeted individual people through their Gmail or Yahoo, or whatever. So it seems that they’re taking the usual scattershot approach of just throwing it out to as many different email addresses as they possibly can, and then seeing who’s going to pick up the phone and call them.
[00:07:14.450] – Jason Pufahl
So let’s keep playing out the scenario. So you receive an email. You’re concerned enough that something legitimate happened that you actually make that phone call. What’s that experience look like from there then?
[00:07:26.690] – Randy Pargman
So over the months, I’ve made many dozens of phone calls to these people and so I’ve experienced a lot of different variations on this theme. But I can summarize it: That the person on the other end of the phone is going to ask for some kind of a unique order number that is in the email.
[00:07:44.570] – Randy Pargman
They’ll wait for you–the caller–to initiate the conversation and say what you’re calling about. Then, they’ll act like they’re really concerned that whatever issue that you’re having, they want to resolve it. They want to make sure that you don’t get charged for anything that you didn’t order, and so they’ll ask you for the order number.
[00:08:01.850] – Randy Pargman
As soon as you give them the order number from the email, they type that into a system and then they get information about that email that was sent to you. So they know what email address it was sent to. Sometimes, they know your first and last name. I know this because they read that information back to me on the phone.
[00:08:19.610] – Randy Pargman
That kind of makes it seem more legitimate because they’ve got your name, this order number connects to something. It seems like it’s not just a scam; it’s some sort of a system that they’re typing into. So they’ll go through their system and they’ll tell you that somebody named “John Edwards” has placed this order but used your name.
[00:08:41.630] – Randy Pargman
That story doesn’t really make a lot of sense. But for some reason, it’s convincing enough that they kept using it month after month after month, which was really interesting to me. Sometimes they’d even give an address for John Edwards in California.
[00:08:57.270] – Randy Pargman
Once they’ve convinced you that there is some kind of an order… Are we having trouble with the audio?
[00:09:02.910] – Jason Pufahl
No, we’re good.
[00:09:04.710] – Randy Pargman
Okay. Sorry. All right. Let’s start that one over.
So I’ve made dozens of these phone calls over the last several months, and I’ve experienced lots of different variations on this theme that I can summarize. So when you first place the call, the call operator on the other end will listen to you and take your complaint that you’ve received this email about an order that you didn’t place.
[00:09:30.910] – Randy Pargman
Then they’re going to ask you for an order number that is in the email. Once you give them the order number, they’ll type that into a system and they’ll read back to you your name and your email address and make it seem a little bit more legitimate. They’ve got a fake story that they stick to about somebody named John Edwards having placed this order but using your name and your credit card number to pay for it.
[00:09:53.170] – Randy Pargman
And then they’ll ask you if you intended to place this order or if you’d like to cancel it. Of course, at this point, you’re going to say you’d like to cancel it. But I’ve messed with the call operators and told them I was actually really excited about their products and I wanted to order more. And they were completely taken aback. They didn’t know how to handle that.
[00:10:11.230] – Randy Pargman
So, once you tell them that you’d like to cancel your order, they’ll have you go to a website and they’ll read out the domain name of the website. It’s usually something pretty simple so that you can type it in. And when you go there, the website actually looks really professional. I mean, whoever designed this probably had some kind of a background in marketing because they put together beautiful images and really nice, responsive web pages that have animated menus. They seem to be fully fleshed out, like, you can click on all the different links and you can explore the website all you like, and it looks pretty good.
[00:10:46.030] – Matthew Fusaro
I’ve seen a couple of them. They actually do a really good job of making it look very legitimate.
[00:10:51.130] – Randy Pargman
They do. Then they will tell you that you need to go to a certain place on the website that usually involves a couple of different clicks to get to a place where you can cancel your order. To cancel your order, they’ll have you put in your order number again and your email address. That’s to help them stop researchers and antivirus companies from going in and just retrieving the payloads themselves. You actually have to be on the phone with somebody and you have to have an order number and an email address that match up.
[00:11:22.210] – Randy Pargman
If you do that, then you are directed to download an Excel spreadsheet. And, that’s where anybody who’s been caught up to this point should really have the red flags start going off. The fact that somebody would ask you to download an Excel spreadsheet as part of a process to cancel an order…if you think about it, just doesn’t make a lot of sense.
[00:11:45.250] – Randy Pargman
But at this point, because you’ve been socially engineered and you believe in this story and the website looks convincing and the person on the other end of the phone seems really helpful and friendly, it seems like it wouldn’t be a big deal just to open it up.
[00:11:57.350] – Randy Pargman
But that’s the trick. If you open up the Excel spreadsheet, it has malicious macros in it. That infects your computer and that gives the threat actors a back door to start exploring your computer. And if you’re connected to a corporate network, they can spread throughout the rest of your corporate network and deploy ransomware, which is their ultimate goal.
[00:12:18.670] – Matthew Fusaro
Yeah, I’d say most of the security awareness training that’s out there now… Well, like you said Randy, that’s the marker. You’re downloading Excel spreadsheets. They also usually ask you to enable macros. You’re not supposed to do that, but they’ve got you in a position where you trust this person on the other end of the phone. You’re scared because your credit card’s out there, you want to make sure that you’re not getting charged for things that you didn’t want to pay for. So it’s a tough situation for the user.
[00:12:46.750] – Randy Pargman
Yeah, it absolutely is. That is the point of all this. That’s why they went to all this trouble to put together a call center, to put together these really realistic-looking websites. All of that takes a lot of work, and clearly, that work is paying off in the rewards for doing the social engineering. They’re getting more people to click on it. They’re getting more people to open it up.
[00:13:08.470] – Matthew Fusaro
And what’s the goal here really? Is this just another step to get to ransomware? Is this group offering their services out to other malware groups or ransomware groups?
[00:13:23.950] – Randy Pargman
It’s hard to tell on the back end how many different groups are involved. Usually, in cybercrime, there’s a number of different criminal groups. There’s one that’s trying to get the initial exploitation and get a foothold onto that network. And then there’s usually others that follow up with ransomware or something else.
[00:13:42.370] – Randy Pargman
What we do know is that whether it’s one group or a few, this scheme ultimately leads to ransomware. They’re going after businesses. They’re trying to get into any sort of business that they can. They’re trying to get access to as many computers and servers as they can and then deploy the ransomware.
[00:14:01.270] – Jason Pufahl
Just another example, though, where it’s not an ad-hoc activity. It’s coordinated, it’s intentional, and staged. They’ve got multiple threat actors potentially involved in these, which we see all the time. I think too often there’s that idea that these are just somebody who has an interest in trying to attack a company or an individual. That’s just not the reality anymore.
[00:14:23.050] – Jason Pufahl
Randy, in your opinion, is there anything different that we as say, security practitioners, need to do to train users? Because a lot of times it starts with: Take a look at the sending address of an email or take a look at the URL that they’re asking you to click on. They’re not present here. It’s a legitimate email and they’re just simply saying call this phone number to get some assistance resolving the issue.
[00:14:49.570] – Jason Pufahl
It really does flip the script for folks and a lot of the things that we teach them, short of don’t download that Excel document after you’re now 75 percent of the way through this process. It’s really challenging.
[00:15:02.170] – Randy Pargman
Yeah. I think that this really highlights the need for defenders to be aware of this type of activity. When you are educating users about the different scams that they might face, include this in the training, but know that the threat actors are going to extreme lengths to try to get around all of that awareness and get people on the hook, so to speak, so that they’ll download this anyway.
[00:15:30.250] – Randy Pargman
So as defenders, we really need to be focused on stopping that kind of threat activity on the endpoint. If we understand our environment and people don’t normally download Excel spreadsheets from websites and open up spreadsheets with macros in them, maybe we can be proactive blocking that with the Attack Surface Reduction Rules from Microsoft Intune.
[00:15:54.670] – Randy Pargman
Or we can profile what is normal. Maybe there’s only a handful of users that normally would get Excel spreadsheets from somewhere else and need to run macros, and we can limit it to just allowing those users to do it and block it for other people.
[00:16:08.950] – Randy Pargman
But, I think just making it easy for people not to get infected, trying to help them out so that they don’t need to understand all these different schemes. They don’t have to understand all the different ways they might be tricked. That is probably the most effective way to prevent this from going all the way to ransomware.
[00:16:31.090] – Matthew Fusaro
I think this is one of those situations where you have to combine the technical controls with the personal controls. Make sure you’re not being socially engineered. This one is tough, though. Really, if you’re on the phone, I guess your best defense here would be to make sure you’re also authenticating the person on the other end. But they already have a lot of information about you. They have your name, they have an order number they’re telling you that’s been used. There’s not a lot of information that you can really use in this scenario to say whether these people are real or not.
[00:17:07.810] – Jason Pufahl
And they’re putting a ton of effort. I’d say google the product or the company and see if you can get the phone number there. But I suspect with what Randy said, there probably is a product or a company with a phone number there that makes it feel really legitimate. So even just not trusting the email, your next best step probably gives you the same information.
[00:17:28.270] – Randy Pargman
Yeah. Exactly. Those websites that they set up, which you can find if you go searching for them, have the same phone number on them. So even if you’re doing a little bit of due diligence and you think, hey, this looks like a totally legit website. This doesn’t look scammy at all, and it’s got this phone number on it. I think I’m going to call them.
[00:17:45.310] – Randy Pargman
I think really as aware users, what we need to do is just question when somebody is asking us to do something that doesn’t make sense. If I’m calling in to cancel an order, and I’ve given them an order number, and they’ve looked it up on their computer, and they’ve got it–they can just cancel it then and there, right? There’s no reason to get me to download an Excel spreadsheet. That just doesn’t make sense.
[00:18:09.250] – Jason Pufahl
I think it doesn’t make sense to the three of us. I think a lot of people feel like, well, this is just a step that they make me take, and there are a lot of crazy customer service practices out there. So, unfortunately, as bizarre as it seems, I think we’ve all stepped through things that we’re like, well, this just doesn’t make any sense for really legitimate companies.
[00:18:27.850] – Matthew Fusaro
Yeah, that’s true.
[00:18:33.190] – Jason Pufahl
This has been a great conversation in the sense that all of our discussions are always really consistent around: This is how you identify phishing, and these are really the steps that you can take. I think you’ve really brought to light here something that is unique and adds an additional layer of complexity when we’re talking with clients around being proactive and training your staff in some of those technical controls. Just another thing to think about.
[00:19:02.290] – Matthew Fusaro
I think all those things are still valid.
[00:19:04.750] – Jason Pufahl
[00:19:06.670] – Matthew Fusaro
This is the outlier. It may become the rule, who knows? We’ll see in the future, but I think we’ll definitely start seeing more sophisticated social engineering coming out of this. I feel like awareness is becoming a little bit more forefront for a lot of companies. So the usual easy tactics aren’t working as much.
[00:19:26.170] – Matthew Fusaro
They’re still pretty successful, don’t get me wrong. I think we’re still going to be seeing advanced attacks like this that make you feel good, make you feel like you’re actually doing something right, that you’re following what you were taught during your security awareness…and then you’re ultimately falling into the trap.
[00:19:43.690] – Jason Pufahl
They’re using all of our tips against us. Any parting words, Randy, that you’d like to make sure you cover that you haven’t?
[00:19:51.970] – Randy Pargman
I think one of the encouraging signs from something like this is that all of the effort that we’re putting into better scanning of email for threats, that must be working in some way. Otherwise, the threat actors wouldn’t go to all this trouble. They’re certainly feeling the pinch, and they’re working harder and paying more people to try to get around these defenses that we’re putting up. So that’s a little bit encouraging that we need to keep improving those email scanning defenses.
[00:20:18.550] – Randy Pargman
The other thing is, we’ve taken this all the way in our lab and executed the malware, and we can see what kind of things that threat actors do afterwards. I can tell you that even though they go through all these steps to try to get the malware on in a sort of an unusual way, what they do afterwards is really typical. When we have endpoint scanning and analysts looking at what kind of commands are being run and what sort of processes are launching other processes, we can still spot all these threats just using the same techniques that we always have.
[00:20:50.590] – Jason Pufahl
So it’s a real glass half-full ending. I personally appreciate it. Well, Randy, it’s been a pleasure. Thanks for regaling us with your tales in the trenches there a little bit, and giving us a perspective on, I think, something that’s emerging that people aren’t familiar with yet and really provides an interesting alternative to what we see commonly.
[00:21:10.750] – Randy Pargman
It was my pleasure. Thanks for having me on.
[00:21:12.910] – Jason Pufahl
And Matt, thanks for joining. I appreciate you being here.
[00:21:15.010] – Matthew Fusaro
That was great. Thank you.
[00:21:15.970] – Jason Pufahl
If anybody has any additional interest, reach out to us at Vancord Security on Twitter. Follow us on LinkedIn and of course, you can follow the podcast at Apple or Spotify.
[00:21:27.970] – Randy Pargman
Stay vigilant. Stay resilient. This has been CyberSound.