A recent report suggests that BazarCall attacks, which are a new attack method carried out over the telephone, accounted for 10% of malware incidents in early 2022.
What is a BazarCall Attack?
This is a telephone-oriented attack delivery (“TOAD”) and involves the use of malware disguised as a document (such as a Word document) to compromise a device. Rather than having financial gain as their initial objective, perpetrators of these attacks have a long-term aim to install malware and leverage it for follow-up exploitation. BazarCall attacks fall under the umbrella of social engineering attacks – they rely heavily on human interaction in order to be successfully executed.
BazarCall attacks work like this:
1: The BazarCall victim receives a phishing email from the threat actor. This email will lure the receiver to call a customer representative at a call center for further assistance.
Often the malicious actors will leverage legitimate brands such as PayPal, Amazon, and Justin Bieber ticket-selling websites, to dupe their victims into dialing the telephone number provided. Other popular lures might involve a purported computer security service subscription (such as antivirus software) which can only be canceled via telephone.
2: The attack begins: the threat actor orally guides the victim to a fake company website and then instructs them to download a file that is infected with malware.
A so-called malicious macro file, hidden inside what appears to be a legitimate document such as a Microsoft Excel spreadsheet, is downloaded. When the victim opens the file, malware called BazarLoader is inadvertently installed on the device; its purpose is to create “backdoor” access for the threat actors.
Macros are a series of commands that can be grouped together and triggered automatically by a single instruction – for example, a Word document may contain a macro that builds a company letterhead at the click of a button, setting the font, size, positioning and any accompanying graphics. Macro files are not always malicious – they can contain entirely legitimate code.
It should be noted that, for this reason, Microsoft has recently disabled macros by default across its product line so that macro files will not run automatically – the user will need to actively agree to run the macro. But, be aware that this still leaves room for the BazarCall attacker to guide the victim through the process of authorizing the macro to run.
3: The threat actor is free to execute post-infection activities.
This can include reconnaissance (mapping out the network) and network exploitation, data exfiltration, ransomware attacks, and follow-up malware.
You can watch this attack live via this YouTube video or this shorter demo.
Should we be worried about the rise of BazarCall?
The financial impact of TOAD attacks is substantial
Some studies suggest that around 70 million Americans lost money from telephone scams in 2021. That is up from 60 million in 2021. Individual victims have reported losing nearly $50,000 per attack, although this number is likely to be greater in reality – especially if follow-up attacks are executed via the BazarLoader backdoor.
BazarCall attacks are harder to detect, risking long-term impact on organizations
Small businesses are at particularly high risk of these attacks, especially if they have limited awareness of cybersecurity trends and best practices. However, there have been incidents of employees from larger organizations being targeted via both personal and corporate email accounts.
The risk of these attacks being successfully completed has risen partly because, with the shift to remote working following Covid-19, employees have increasingly accessed their private email accounts via their work devices. Because BazarCall emails do not contain the characteristic “click here to resolve the problem” hyperlink commonly found in other phishing emails, they often circumvent email security protections. Any EDR or antivirus technology implemented on the devices will also be unable to detect the attack as it is the authorized network user who downloads the malware – the hacker does not need to penetrate the network in order to do so.
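Because these lures carry a telephone number instead of a link, the absence of a hyperlink is itself a usable signal. The following is an added illustration (not code from the original article or any product it mentions) of a simple heuristic that scores an email on the callback pattern: phone number present, no URL, billing/subscription wording, and an instruction to call. The keyword lists, weights, threshold and sample messages are all the editor's assumptions, not observed BazarCall artefacts.

```python
import re
from dataclasses import dataclass, field

# Heuristic signals for a telephone-oriented (callback) phishing lure.
# Keyword lists, weights and the threshold below are assumptions for illustration.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
# North-American style numbers: (555) 123-4567, 555-123-4567, +1 555 123 4567
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_TERMS = ("subscription", "renew", "invoice", "charged", "cancel", "refund", "trial", "order")
CALL_TERMS = ("call", "dial", "phone", "helpline", "customer service", "customer support")

@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)
    phones: list = field(default_factory=list)

def score_callback_lure(subject: str, body: str) -> Verdict:
    """Score one message; higher means more like a callback-phishing lure."""
    text = f"{subject}\n{body}".lower()
    v = Verdict(score=0)
    v.phones = sorted(set(PHONE_RE.findall(body)))
    urls = URL_RE.findall(body)
    if v.phones and not urls:          # the BazarCall signature: a number but no link
        v.score += 3
        v.reasons.append("phone number present but no hyperlink (callback pattern)")
    elif v.phones:
        v.score += 1
        v.reasons.append("phone number present")
    lure_hits = [t for t in LURE_TERMS if t in text]
    if lure_hits:                      # cap so a wordy invoice cannot dominate the score
        v.score += min(len(lure_hits), 2)
        v.reasons.append("billing/subscription lure terms: " + ", ".join(lure_hits))
    if any(t in text for t in CALL_TERMS):
        v.score += 1
        v.reasons.append("urges the reader to telephone")
    return v

def is_suspected_toad(subject: str, body: str, threshold: int = 5) -> bool:
    return score_callback_lure(subject, body).score >= threshold

# Constructed sample messages (not real lures); the phone number is a placeholder.
LURE = ("Your antivirus subscription has been renewed",
        "Your annual subscription was renewed today and your card was charged $299.99.\n"
        "To cancel or request a refund, call our customer support team at (555) 010-2233\n"
        "within 24 hours.")
BENIGN = ("Your order has shipped",
          "Track your order at https://example.invalid/track/123\n"
          "Questions? Visit our help centre.")
```

Such a rule belongs alongside, not instead of, existing mail filtering: it is meant to route number-only billing lures to review rather than to block on its own.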
In addition, software programs such as TeamViewer or AnyDesk, which BazarCall threat actors occasionally use to access the victim’s computer remotely, are legitimate, trusted software programs that are often pre-installed on corporate devices. Where these software programs have not been set up to disable access for external network users, the attackers can also bypass other security measures which would otherwise be able to detect and prevent attempts to access the device. In these situations, the BazarCall attackers are more easily able to access the corporate device remotely, install malware and carry out follow-up activities such as ransomware attacks.
What feedback can cyber insurance professionals provide to their insureds?
Clients should make sure that their software is up to date, that the security settings of their third-party software are correctly configured, and that, at the very least, antivirus software has been installed on network endpoints (although EDR technology would better combat this issue). Multi-factor authentication (“MFA”) mechanisms should also be implemented – this makes it harder for threat actors to move laterally across the network once they have gained access via the BazarLoader backdoor, and therefore limits the attack surface. Finally, organizational cyber resilience and posture can be improved through updated employee awareness training that warns against TOAD attacks. Education in the workplace helps to address the risk of human error leading to major cyber incidents, and reduces the chance of these emails leading to successful attacks because employees will be able to recognize and respond to such threats.
The surge in BazarCall attacks can be mitigated with awareness, education, and ongoing training. As the cyber insurance industry continues to drive best practices in a hardening cyber market, it is for cyber insurance professionals to remain updated on emerging and damaging attack methodologies to protect both their capital reserves and their insureds against cyber risk. Luckily at the Cyber Insurance Academy, we make this easy for you with robust educational courses, professional development opportunities, and a growing community of cyber insurance professionals.
Interested to hear about the Cyber Insurance Academy’s award-winning cyber insurance courses? Read about what we are doing to train the next generation of cyber insurance specialists here.