IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft warns of dangerous ‘BazaCall’ call centre ransomware scam

Human operators are tricking victims into manually downloading malware onto their systems

Ransomware operators are spreading BazaCall malware by tricking people into phoning fraudulent call centres and speaking with real humans, who provide step-by-step instructions on how to download a payload.

Attacks from BazaCall operators can move rapidly within a network, with hackers able to conduct extensive data exfiltration and credential theft, Microsoft has warned. They can even distribute ransomware within 48 hours of the initial compromise.

Apart from having backdoor capabilities, the BazaLoader payload also gives a remote attacker hands-on keyboard control for an affected user’s device.

“Our continued investigation into BazaCall campaigns, those that use fraudulent call [centres] that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media,” said the Microsoft 365 Defender Threat Intelligence Team.

“BazaCall campaigns forgo malicious links or attachments in email messages in [favour] of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold-called by the attacker, except in BazaCall’s case, targeted users must dial the number.”

When users are tricked into calling the number, they’re connected with actual humans on the other end of the line, who provide detailed guidance for installing malware on their devices.

The campaign relies on direct phone communication, as well as sophisticated social engineering tactics to succeed, but the tactic is proving difficult to prevent given the lack of obvious malicious techniques.

It starts with an email that uses various social engineering lures to trick victims into calling a number. This might include informing users about a trial that’s about to expire and that their card is set to be charged, asking them to phone the number provided in case they have any concerns. There are no attachments, links, or any other type of malicious call to action that would be spotted by a security filter.

Each message is sent from a different sender, normally through a free email service and compromised email addresses, with lures including fake business names that are similar to real companies.

Victims who do call the number will speak to a real person from a fraudulent call centre, whose aim is to direct the caller to visit a malicious website, disguised as a legitimate one. They’re asked to navigate to a page and download a file to cancel their subscription.

Related Resource

Employees behaving badly?

Why awareness training matters

Why awareness training matters - whitepaper from MimecastDownload now

These files are macro-enabled Excel documents, which might be flagged by Microsoft Defender SmartScreen, although Microsoft has observed users bypassing these warnings to download the files anyway, likely at the instruction of the hacker. Users are then prompted to enable editing, and enable macros, which triggers the BazaLoader malware to be delivered.

“The BazaCall campaign replaces links and attachments with phone numbers in the emails it sends out, posing challenges in detection, especially by traditional antispam and anti-phishing solutions that check for those malicious indicators,” the research team added.

“The lack of typical malicious elements in BazaCall’s emails and the speed with which their operators can conduct an attack exemplify the increasingly complex and evasive threats that [organisations] face today.”

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021

Most Popular

Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022
The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022