A junior employee gets an email asking them to immediately call the information technology (IT) department. The employee calls, and the person on the phone says there’s something wrong with the employee’s computer. The IT person asks the employee to download a remote access program so the issue can be fixed. The employee, who has only been on the job for a couple of months, downloads the application and grants the person from the IT department control of their computer. The problem, ostensibly, is fixed.
However, this is actually the beginning of trouble. The junior employee has fallen victim to a type of phishing attack. Phishing is a highly effective social-engineering method aimed at tricking people into divulging login credentials, navigating to fake websites or downloading malware. Phishing is one of the primary ways threat actors gain access to systems. Threat actors have found its potential effectiveness can be augmented by picking up the phone, which may offer a greater chance someone can be fooled into undertaking an action. These types of attacks that combine voice and email phishing are known by several terms, including telephone-oriented attack delivery (TOAD), callback phishing and hybrid vishing (a combination of voice and phishing). These are powerful attack combinations that leverage the implicit trust people often assign to strangers who assume authority over the phone.
This is not a new threat, but it is a rising one. We have observed a sharp increase in underground offers for illicit call center services that can aid in malware delivery, ransomware-related calls and other fraud-oriented social-engineering attempts. In this piece, we’ll explore the variations of TOAD, some players offering this service, why demand for TOAD services is rising and defenses organizations can use against it.
Overview
Callback phishing attacks are becoming more frequent. According to Proofpoint’s 2024 State of the Phish report, upward of 10 million TOAD attacks are made every month, and 67% of businesses globally were affected by a TOAD attack in 2023. Although employees are usually trained to recognize and report email phishing attempts, they often are unfamiliar with this hybrid phishing model, leaving both the individual and organization vulnerable. A typical callback phishing TOAD attack starts with a phishing email pretending to be from a legitimate company that encourages an unwitting victim to call a phone number in the email. Cybercriminals employ a variety of social-engineering techniques but often use an invoice for services or goods the victim never purchased. The phishing email also can be used to gather victim information, including personal details, login credentials or other sensitive data. The attacker then can make a phone call to further manipulate the victim. The phone call is handled by a malicious actor who is well-versed in social engineering and tricks the victim into installing remote access malware or legitimate remote control software, which attackers use to access the network and deploy ransomware.
We observed TOAD methods play a significant role in the modern underground threat landscape from late 2020 to early 2021, starting with BazarCall aka BazaCall campaigns that distributed BazarLoader malware. The high success rate of these campaigns prompted other actors to adopt similar techniques to obtain funds and sensitive data, including ransomware groups and mobile malware operators. At least three individuals who split from the Conti ransomware group leveraged BazarCall phishing tactics to gain initial access to victim networks. The topic of TOAD attacks again gained the attention of underground actors and cybersecurity researchers for the number of attacks and financial impact to organizations in the following years. We observed additional callback phishing campaigns, including Standard Notes-themed or MasterClass online learning-themed TOAD attack delivery campaigns that distributed malware such as BokBot aka IcedID, IceID.
The most effective way to incorporate TOAD tactics, techniques and procedures (TTPs) is by enlisting the services of a call center that can cover a broad number of languages and are available on demand. From January 2023 to August 2024, we observed more than 60 actors offer underground call services. We observed 40 offers in 2023 and 23 offers from January 2024 to August 2024. The compounding aggregation of these services highlights how dense the market has become.
Increasing Demand
The uptick in vishing-related attacks since the second half of 2022 likely is due to numerous actors and threat groups seeking to expand their operations through TOAD methods. We observed more than 50 actors seek callers for a variety of schemes, including mule projects, malware delivery and other social-engineering tasks, as well as recruiting new specialists to underground call centers. Some actors sought callers with a command of specific languages, which provides insight into possible target locations. Of the observed recruitment advertisements, we noted at least 24 actors sought callers who spoke one of a variety of European languages — 17 of which sought English-speaking callers, which suggests a focus on the U.S. and the U.K. However, given the prevalence of the English language, organizations in other countries likely are susceptible. A limiting factor for TOAD activity appeared to be the availability of English-speaking actors willing to collaborate with non-native English actors.
Facilitating Ransomware
Ransomware operators constantly develop their techniques, including acquiring affiliates that best fit their operational procedures. TOAD-related services often are incorporated into various stages of a ransomware attack. They can aid in the initial access phase through advanced social engineering or diverse phishing campaigns and support in the ransom phase by speaking to negotiators. As a result, TOAD specialists increasingly are being viewed as vital components to an effective ransomware threat group, prompting numerous recruitment drives across the underground. Professional callers help secure a ransom from the victim, as well as serve as an alternative to initial access brokers (IABs) in gaining access to a system. Most ransomware operators seek long-term cooperation with ransom callers and offer monthly fees as well as shares of ransom payments, which indicates such services are valued among threat actors engaged in ransomware.
In the first quarter of 2024, we observed ransomware groups seek callers for ransomware-oriented attacks. In July 2024, a relatively new member of the XSS forum sought callers fluent in English to conduct TOAD operations that targeted companies in Canada and the U.S. while allegedly providing open source intelligence (OSINT) and call services to an undisclosed ransomware group themselves. The callers allegedly would receive all the necessary tools, which included Clownfish voice-changing software, access to the session initiation protocol (SIP)-based voice over IP (VoIP) MicroSIP and Narayana software-based softphone services, the OpenVPN-based VPN client and access to the “Fake Caller ID” spoofing service.
Lucrative Business
The primary goal of most cybercrime is financial gain, and underground call services are no exception. A successful callback phishing campaign can generate a substantial amount of money for both the attacker leveraging the service and the callers themselves. The CrimeTalk underground call service charges US $10 per call, and the Gorilla Call service charges US $5 per call and US $5 extra for every additional 10 minutes if a call lasts longer than 10 minutes. Moreover, if the victim is unresponsive, Gorilla Call’s client must still pay US $0.50. However, earnings may vary significantly depending on the diversity of call centers and services. One actor who provides services for ransomware operators to blackmail victims via emails and phone calls charges US $200 for each target and a 10% commission from the ransom payment. Another actor who promoted an underground call center service that targets banks, telecommunications providers and ship distributors offers client subscription plans depending on the length of use. The actor claimed the most-requested offer was the three-day plan for 250 British pounds (about US $316). Other plans include 100 British pounds (about US $126) a day and 550 British pounds (about US $696) a week.
The “salary” of callers also may vary depending on the tasks set to them or the language they work with. Threat actors seeking callers with a command of less pervasive languages sometimes offer significantly higher sums of money. In February 2024, we observed a threat actor seeking native Italian speakers to engage in social-engineering attacks and offering to pay US $5,000 daily. Another actor who sought Spanish-speaking callers was ready to pay US $50 per call, which is much more than the average price of one call at other popular call centers.
M00N
Some actors have created more sophisticated business models to offer clients a full range of phishing services. For example, the M00N email spamming and phishing service offered multiple methods to deliver phishing emails, which included:
The actor can check the target’s domain for a “vulnerability” to spoofing attacks, likely referring to a custom method to send an email with a fake sender’s address. If the corporate domain appears to be prone to the “vulnerability,” the transmission host would impersonate employees from the company’s accounting or IT department. The actor sought US $990 to deliver 500 emails.
Phishing emails can be sent to corporate addresses via compromised simple mail transfer protocol (SMTP) servers to bypass anti-spam filters. The actor offered to deliver 50,000 emails for US $390.
The actor also could send phishing emails from the actor’s domains that allegedly have a history and reputation for US $590 for 50,000 emails.
QuattrO
The QuattrO aka CallMix, Procallmix underground call service first was advertised by a long-standing member of the Verified cybercrime forum, the actor audi aka Cartman, cartman, procallmix, in May 2019. The service offers common types of fraudulent calls in addition to facilitating dating fraud, which includes calls to banks, delivery services, online stores and for complicated issues such as placing orders over the phone and requesting a package be delivered to a different address. The actor’s team allegedly could make calls to any country in the world other than Russia and included female and male call operators who speak English, French, German, Italian and Spanish, research a targeted company and obtain a list of phone numbers and emails for TOAD campaigns.
Assessment
TOAD TTPs increasingly are being adopted and integrated into a variety of threat streams and this is unlikely to change in the short term given the upward trend in offers. A professional call operator involved with TOAD can not only provide a threat actor with an alternative way to infiltrate the victim's system, but also assist with negotiations when it comes to determining the ransom amount. With all the necessary baseline information about a victim and following a previously determined attack scenario, experienced callers pose a significant threat to new employees who are less familiar with their organizations’ communication pathways and therefore less likely to recognize sophisticated phishing attempts. Call services also likely will continue to hire operators who speak fluent English to cater to Europe- and North America-based targets, as well as supply extensive training to develop their professionalism and increase the quality and quantity of social-engineering attacks.
Using experienced and professional-sounding callers is a key element in successful callback phishing attacks. The selection of callers speaking multiple languages and sophisticated callback phishing schemes likely contributes to the long-term success of a call service. Moreover, previous cooperation with high-profile ransomware-as-a-service (RaaS) programs and a variety of options to pressure a victim into paying a ransom add credibility to a call center and increase the chances of partnering with an even wider range of ransomware and extortion groups. The increased demand for call operators suggests companies are reluctant to pay ransom demands, forcing ransomware operators to put more direct pressure on their victims. Since most high-profile ransomware groups tend to attack corporate entities with employees in multiple countries, they are more likely to cooperate with call centers offering sophisticated social-engineering techniques as well as callers with a good command of multiple languages. Therefore, call centers likely will further develop their capabilities and diversify their offers while also establishing connections with reputable actors and threat groups.
Mitigation
Organizations must be diligent in their security practices to combat threat actors and groups employing TOAD methods. Employees must identify, delete and report phishing attempts that may have unusual requests or grammatical errors. Individuals should not give out sensitive information over the phone, especially not in response to an email with only one contact number. Common mitigation strategies organizations can implement according to the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework and Detection, Denial and Disruption Framework Empowering Network Defense (D3FEND) knowledge graph of cybersecurity measures include:
Harden
Message authentication: Authenticate message senders to prevent fraudulent financial transactions, phishing attempts and other social-engineering attacks.
User training: Train users to identify TOAD social-engineering techniques and common phishing lures, including fake invoices and technology support messages.
Software configuration: Use anti-spoofing and email authentication mechanisms including sender policy framework (SPF), DomainKeys Identified Mail (DKIM) and domain-based message authentication, reporting and conformance (DMARC).
Detect
Sender mail transfer agents (MTA) reputation analysis: Characterize the reputation of MTAs to determine the security risk in emails. Construct a trust rating determined by the length of time the sender has interacted with the enterprise and number of emails received and replied to.
Sender reputation analysis: Analyze sender reputation based on information associated with a message including length of time the sender has sent emails to the enterprise and number of emails received from the sender.
Network intrusion prevention: Enable network intrusion prevention systems and systems that scan and remove malicious email attachments or links.