by Paul Ducklin
You’re almost certainly familiar with vishing, a phone-based scam in which cybercriminals leave messages on your voicemail in the hope that you’ll call them back later to find out what’s going on.
In fact, if you have a long-standing phone number, like we do, you may well get more of these scam calls (perhaps even many more of them) than genuine calls, so you’ll know the sort of angle they take, which often goes along these lines:
[Synthetic voice] Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of dollars]. To cancel your subscription or to discuss this renewal, press 1 now.
Sometimes, they’ll read out the number to call them back on, to re-iterate not only that it matches the number that shows up in your call history, but also that it’s a local number, right there in your own town or country.
The crooks do this to “prove” that caller is local too, rather than sitting overseas in some scammy boiler-room call centre, far from the reach of law enforcement and the regulators in your part of the world.
Unfortunately, the number that shows up in your call history (known by various names around the world, including Caller ID and calling line identification) doesn’t tell you where the caller is actually located.
Firstly, Caller ID is easy to spoof, so crooks can disguise their real number, or make it look as though they’re calling from somewhere you trust, such as your bank.
Secondly, if it’s not spoofed, Caller ID doesn’t tell you where a returned call will ultimately end up, but merely reports the last known phone number that it passed through on the way to you.
If a call centre (or a cybercriminal) calls you from overseas using a voice-over-IP (VoIP) service, where the call is transmitted cheaply over the internet until it reaches your country and only then redirected into the phone network, you will see a local number in your call history, but it won’t actually be the caller’s ID. Always keep in mind that the name Caller ID is misleading because it doesn’t identify the person who called you at all. Even calling line identification is an inaccurate name, given that the number that shows up can be modified and therefore doesn’t reliably identify the calling line, either.
So, Caller ID can’t be trusted, and unexpected phone calls, like unwanted emails, could by-and-large have come from anyone.
That’s why many of us dump all our calls to voicemail these days, and respond only to the likely ones.
With this in mind, you may be wondering why crooks still bother running phone-based scams, especially when these require human interaction each and every time someone returns a call, unlike web-based scams, which largely look after themselves.
The answer, of course, is that variety is the spice of life, or, sadly, that variation is one of the secrets of scamming.
Sometimes, simply being different from what everyone has been told to watch out for is enough to get victims to let their guard down.
The other advantage, for the crooks, of running what you might call human-led scams instead of pure online ones is that the scammers in the call centre only ever deal with people who are already concerned enough to call back of their own accord.
In other words, call-back scamming may be a more time-consuming way of interacting with each potential victim, but:
As you probably know, there’s a fascinating world of hybrid scamming that mixes together email-based and phone-based treachery.
Technical support scammers – those lowlifes who find fake viruses on your computer and then charge you real money for pretending to remove them – have been doing this for years.
They know that potential victims have been taught “not to click through” and to “watch out for dodgy popup links”, so many scams these days invite you to call a local phone number instead of clicking a link or opening an attachment.
At first, this feels as though it should be safer, because you’re not immediately exposing your browser or your computer to a site or a file that you aren’t sure of.
There’s always a chance, you might think, to make your own judgment of the “helpdesk expert” at the other end…
…before typing in the link they just gave you, or installing the software they just recommended.
Unfortunately, as we wrote earlier this year, it’s not just the technical support scammers using this “don’t click a dangerous link, call this handy phone number instead” trick.
In April 2021, we warned of a malware crew using a similar trick to talk you into infecting yourself with their malware, known as BazarLoader (also known as BazaLoader), thus giving them a foothold on your computer to mount pretty much any sort of cyberattack they want:
Rather than deciding in advance whether they’re going to hit you with a keylogger, a data stealer or a ransomware attack, the crooks who talk to you on the phone helpfully explain how to open a booby-trapped Office file that they deliver to you.
By tricking you into bypassing the security checks that would otherwise keep you safe, they implant a general-purpose bot or zombie program onto your computer that can:
We’re writing this article now as a followup to a reminder that came from Microsoft itself last week, with the self-explanatory title:
BazaCall: Phony call centers lead to exfiltration and ransomware
As you can imagine, Microsoft takes this sort of attack at least as personally as anyone else, not least because the primary malware infiltration vehicle that the BazarLoader/BazarCaller crooks use is to talk you into infecting yourself via some sort of Microsoft Office file.
Ironically, the crooks use the pretence that the file is “protected” and therefore needs to be handled in a special way – something that a crooked “helpdesk support team member” will glibly and happily tell you how to do.
Of course, the “special way” of handling the “protected” file, shown above as ENABLE EDITING and ENABLE CONTENT, involves turning off Microsoft’s default security settings, thus allowing malware embedded in the Office file to run, rather than blocking it.
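For admins who would rather not rely on every user declining that “helpful” advice, the macro behaviour the crooks depend on can be pinned down by policy. The script below is an added example, not something from the article or from Microsoft; it assumes the Office 2016+ policy registry values VBAWarnings (4 = disable all macros without notification) and blockcontentexecutionfrominternet (1 = block macros in files that carry the mark of the web) under the per-user Policies hive, and it shows the weak setting beside the hardened one for the main Office applications.

```powershell
# Added example (not from the original article): lock down Office macro handling
# so that clicking ENABLE CONTENT on an emailed file no longer runs embedded VBA.
# Assumes the Office 2016+/365 policy keys under HKCU:\Software\Policies
# (version token "16.0") and the documented VBAWarnings / blockcontentexecutionfrominternet values.

$Apps = @('Word', 'Excel', 'PowerPoint')
$Base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Weak state: this is what the scammers hope for.
# VBAWarnings = 2 is "disable with notification", i.e. the yellow bar with an Enable Content button,
# and blockcontentexecutionfrominternet = 0 lets macros run from files that arrived via email or download.
$WeakSettings = @{ VBAWarnings = 2; blockcontentexecutionfrominternet = 0 }

# Hardened state: macros are disabled outright and files marked as coming from the internet
# cannot run macros at all, so there is no button for a caller to talk the user into pressing.
$HardenedSettings = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }

function Set-OfficeMacroPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Settings,
        [string[]] $Applications = $Apps
    )
    foreach ($app in $Applications) {
        $key = Join-Path $Base "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Settings.Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $Settings[$name] -Force | Out-Null
        }
    }
}

function Get-OfficeMacroPolicy {
    # Report the current values so the change can be verified (or audited on other machines).
    foreach ($app in $Apps) {
        $key = Join-Path $Base "$app\Security"
        $vba = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $mow = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application                        = $app
            VBAWarnings                        = $vba
            BlockContentExecutionFromInternet  = $mow
            MacrosBlocked                      = ($vba -eq 4 -and $mow -eq 1)
        }
    }
}

# Apply the hardened policy and show the result.
Set-OfficeMacroPolicy -Settings $HardenedSettings
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

In a managed environment the same two values are normally pushed through Group Policy (the Office administrative templates) rather than written per user with a script; the script is handy for a single machine or for checking that the policy actually landed. Bear in mind that the hardened setting blocks legitimate macros too, so workbooks that genuinely need VBA should be handled through a trusted-location or signed-macro exception rather than by loosening the global setting again.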
In the latest round of attacks, you are urged via email by the BazarCaller scammers to phone them up if you want to “resolve” a “purchase” that was just debited to your account, such as:
The crooks know that you’ll know that you didn’t intend to make or authorise the purchase they’re warning you about.
They’re also hoping that you’ll want to check how the “mistake” happened, and get the charge removed from your card.
Don’t do it!
Remember that gangs like the BazarCaller crew talk people into infecting themselves with malware, including ransomware, for a living.
Cybercrooks of this sort typically have a lot more practice in telling you what you want to hear, the way you want to hear it, than you have in picking out which bits of what they just said are a pack of lies.
If in doubt, don’t give it out!