Cybercriminals Use Phony Call Centers to Spread Ransomware and Data Stealers

Woman dialing smartphone

Fraudsters are setting up phony call centers to trick users into installing malware in an ongoing campaign, a scheme that is far more dangerous than initially thought, Microsoft researchers said. The cyberattack — known as “BazaCall”  — gives hackers hands-on keyboard control of an infected device, and can swiftly install data-stealers and inject ransomware into a system.

BazaCall Scheme Dupes Victims into Calling Hackers

According to a recent report from Microsoft Security, hackers are setting up fraudulent call centers and employing social engineering tactics to rope in victims.

The entry point is somewhat similar to vishing (voice phishing) tech support and customer service scams. Hackers send spam emails from compromised accounts or email addresses that look like they’re coming from real businesses. The spam emails tell users that a free trial for a subscription service is about to expire — such as software licensing or fitness memberships — and their credit card will be charged unless they cancel.

The fraudulent email directs the target to call a customer support number. If a victim dials the phony call center, there will be a real human on the other end of the line, set up by BazaCall operators. The fraudulent call center representative then guides the victim through the cancellation process, usually directing them to a malicious website that hackers have set up.

Through social engineering, the fraudster tricks the victim into downloading a malicious Excel file carrying BazaLoader — a malware capable of injecting ransomware and other malware that can steal sensitive data on infected systems.

Dangers of Social Engineering

Microsoft Security researchers noted the effectiveness of the social engineering element that BazaCall employs. Traditional phishing methods are more automated, as cybercriminals simply send out a barrage of spam emails in hopes of luring victims into clicking a malicious link that downloads and installs malware. But this scam involves a dangerous human element.

“We observed that even if security filters such as Microsoft Defender SmartScreen are enabled, users intentionally bypass it to download the file, which indicates that the call center agent is likely instructing the user to circumvent security protocols, with the threat that their credit cards will be charged if they don’t,” Microsoft Security Intelligence said in the report.

This isn’t the first time we’ve seen this personal tactic in the spotlight. After an investigation by the state of New York, it was revealed that social engineering was how administrative systems were breached in Twitter’s July 2020’s massive hack. Cybercriminals — allegedly led by then 17-year-old Graham Ivan Clark — called employees pretending to be Twitter’s internal tech support, and tricked one with high-level access into entering login credentials into a spoofed site. Hackers then used those credentials to access Twitter’s administration login, and tricked the employee into approving multifactor authentication.

Recognizing BazaCall Phishing Attempts

Even though BazaCall is a unique and dangerous threat, it’s important to point out that like any phishing attempt, it all starts with a spam email. Spammers blast out these emails to hundreds of thousands of accounts, and since it would take so much work to personalize, there are some things that users can look out for to avoid becoming a victim.

  1. Spelling and grammar mistakes, generic greetings, odd language: Oftentimes, spam emails have poor spelling and grammar or generally odd phrasing, which should be a dead giveaway that the email is not coming from the business that it says it is. Generic greetings like “Hello Mr./Ms.” are also a red flag, though sometimes automation can include part of your email address or username (like initials) in the greeting or subject line.
  2. Look at the sender’s email: Unless they’ve actually hacked a company’s email account (which is unlikely), the email address will be a little off. Instead of seeing [email protected], you might see [email protected] or just a bizarre string of numbers and letters and an email service you’ve never heard of.
  3. “Unique ID”: Microsoft noted that BazaCall spam emails had a “unique ID” either in the subject line or in the body of the email.

Microsoft researchers provided some sample subject lines, which are listed below:

  • Your demo stage is nearly ended. Your user account number VC[unique ID number]. All set to continue?
  • Your free period is almost ended. Your member’s account number VC[unique ID number]. Ready to move forward?
  • Soon you’ll be moved to the Premium membership, as the demo period is ending. Personal ID: KT[unique ID number]
  • Automated premium membership renewal notice GW[unique ID number] 
  • Your subscription will be changed to the gold membership, as the trial is ending. Order: KT[unique ID number]
  • Notification of an abandoned road accident site! Must to get hold of a manager! [body of email contains unique ID number]
  • Thanks for deciding to become a member of BooyaFitness. Fitness program was never simpler before [body of email contains unique ID number]
  • Thank you for getting WinRAR pro plan. Your order # is WR[unique ID number].
  • Many thanks for choosing WinRAR. You need to check out the information about your licenses [body of email contains unique ID number]
Tech journalist
Taylor is a tech writer and online journalist with a special interest in cybersecurity and online privacy. He’s covered everything from sports and crime, to explosive startups, AI, cybercrime, FinTech, and cryptocurrency. For he follows news and developments in online privacy, cybersecurity, and internet freedom.