Telephone based threats


    Jul. 08, 2024

    Key Points

    • Over 1.6 million telephone-based scams detected across the last 30 days
    • Legitimate services abused to create the invoices include PayPal, Docusign, Xero and Intuit
    • Use of Microsoft Distribution Lists (DLs) to distribute the campaign
    • Call centers making use of AI bots to aid with campaigns


    Over the past 30 days, more than 1.6 million telephone-based scams have been detected by Mimecast. These scams lean heavily on invoice-related themes, exploiting legitimate services such as PayPal, Docusign, Xero and Intuit so that the email itself is genuine and the lure appears credible. The intent ranges from harvesting sensitive information such as credentials and social security numbers to persuading victims to grant remote access or download malware under the guise of fixing a supposedly compromised account.

    [Image: telephone-based-threats-example-01.png]

    In these recent examples, Mimecast has observed increased use of Microsoft Distribution Lists (DLs) to distribute these campaigns.


    Flow of campaign

    • Threat actors start by creating Microsoft DLs in a tenant they control and populating them with the email addresses of their targets. They then sign up for a service such as PayPal, create an invoice, and edit the invoice note to include a phone number urging the recipient to call if the invoice is incorrect.
    • The invoice is sent to the DL address. It originates from PayPal's legitimate sending address and infrastructure, so it is a genuine PayPal email, and the only attacker-controlled content is the note and the phone number.
    • Microsoft's DLs can hold up to 100,000 email addresses. Once Microsoft's own inbound checks are done, the message is forwarded to each external address in the DL. A plain forward would fail SPF at the recipient, because Microsoft's outbound servers are not in PayPal's SPF record, so Microsoft applies its Sender Rewriting Scheme (SRS) to the SMTP envelope sender (MAIL FROM / Return-Path), rewriting it to an address in the forwarding tenant's domain. The visible From header, service@paypal.com, is left untouched, and PayPal's DKIM signature survives the forward as long as the signed parts are not modified, so DMARC still passes on DKIM alignment.
    • The target receives the email from Microsoft's infrastructure with SPF and DMARC checks passed, and the displayed sender is the original PayPal address.
    • To add another layer of sophistication, threat actors are using AI bots in their call centers to handle parts of the scam, making the operation more automated.
    • The victim calls the phone number; the live conversation gives the scam a 'human' element that makes it appear more real.
    • Once a caller has engaged, the aim is to harvest sensitive information and credentials, or to persuade the victim to grant remote access or download malware, under the pretext of fixing their supposedly compromised account.
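    The forwarding flow above leaves a recognisable trace in the envelope sender, and that is what a mail-filter or SOC triage rule can key on. The script below is an added example written for this page, not Mimecast's detection logic: it decodes a Microsoft SRS-rewritten Return-Path to recover the original sender, then scores the message on the traits the flow describes (invoicing service as the true origin, a forwarding hop, and a "call this number" lure in the subject or body). The sample messages, the contoso.onmicrosoft.com forwarding tenant and the 1-888-555-0199 number are constructed; the SRS layout follows the format visible in the IOCs below, and the list of invoicing origins is limited to the PayPal domains the post names.

```python
"""Triage for SRS-forwarded invoice lures (added example, not Mimecast code).

Recovers the original sender from a Microsoft SRS-rewritten Return-Path and
scores the message on the traits of the campaign: an invoicing service as the
true origin, a forwarding hop, and a phone-number lure. All sample data below
is constructed; the SRS layout follows the format shown in the post's IOCs.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Microsoft's SRS rewrite as it appears in the IOCs:
#   <local>+SRS=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarding-domain>
SRS_RE = re.compile(
    r"^(?P<fwd_local>[^+@]+)\+srs=(?P<hash>[^=]*)=(?P<ts>[^=]*)"
    r"=(?P<orig_domain>[^=@]+)=(?P<orig_local>[^@]+)@(?P<fwd_domain>[^@]+)$",
    re.IGNORECASE,
)
# Invoicing origins named in the post's IOCs (assumed list; extend with the
# Docusign, Xero and Intuit sending domains once confirmed in your own mail).
INVOICE_ORIGINS = {"paypal.com", "intl.paypal.com"}
# North American number format; the campaign is US focused per the post.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_RE = re.compile(
    r"\b(call|reach us|contact us|not (?:made )?by you|unauthori[sz]ed)\b", re.IGNORECASE
)


def parse_srs(envelope_from):
    """Return the components of an SRS-rewritten envelope sender, or None."""
    m = SRS_RE.match(envelope_from.strip())
    if not m:
        return None
    parts = m.groupdict()
    for key in ("orig_domain", "orig_local", "fwd_domain"):
        parts[key] = parts[key].lower()
    parts["original_sender"] = f"{parts['orig_local']}@{parts['orig_domain']}"
    return parts


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text(msg):
    """Subject plus every text/plain part, so a lure in either is seen."""
    chunks = [msg.get("Subject", "")]
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Score one RFC 5322 message; returns the evidence and a verdict."""
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1]
    srs = parse_srs(envelope_from)
    # With SRS the envelope domain belongs to the forwarder; the real origin is inside it.
    origin_domain = srs["orig_domain"] if srs else domain_of(envelope_from)
    text = _text(msg)
    indicators = {
        "srs_forwarded": srs is not None,
        "origin_is_invoice_service": origin_domain in INVOICE_ORIGINS,
        "from_header_is_invoice_service": domain_of(header_from) in INVOICE_ORIGINS,
        "phone_number_present": bool(PHONE_RE.search(text)),
        "call_lure_present": bool(LURE_RE.search(text)),
    }
    # Forwarding through a DL is legitimate on its own, and so is a PayPal invoice:
    # the signal is an invoicing origin combined with a "call this number" lure.
    if (indicators["origin_is_invoice_service"] and indicators["phone_number_present"]
            and indicators["call_lure_present"]):
        verdict = "suspicious"
    elif indicators["origin_is_invoice_service"] and (
            indicators["phone_number_present"] or indicators["call_lure_present"]):
        verdict = "review"
    else:
        verdict = "clean"
    return {"header_from": header_from, "envelope_from": envelope_from, "srs": srs,
            "origin_domain": origin_domain, "indicators": indicators, "verdict": verdict}


# Constructed messages modelled on the post's IOCs (not real captures).
SAMPLE_LURE = """\
Return-Path: <noreply14+SRS=ab12c=i3=intl.paypal.com=service@contoso.onmicrosoft.com>
From: service@intl.paypal.com
To: target@example.com
Subject: Invoice from Notification :If this following transaction was not by you Quickly reach us on 1-888-555-0199
Content-Type: text/plain; charset=us-ascii

You've got a money request for USD 499.99.
If this transaction was not by you, call us on 1-888-555-0199 to cancel.
"""

SAMPLE_DIRECT = """\
Return-Path: <service@paypal.com>
From: service@paypal.com
To: target@example.com
Subject: Invoice from Example Retailer
Content-Type: text/plain; charset=us-ascii

You've got a money request. Review it in your PayPal account.
"""

SAMPLE_BENIGN = """\
Return-Path: <team+SRS=9f3kd=hz=partner.example=alice@contoso.onmicrosoft.com>
From: alice@partner.example
To: target@example.com
Subject: Agenda for Thursday
Content-Type: text/plain; charset=us-ascii

Forwarding the agenda through the project list, see you Thursday.
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("direct", SAMPLE_DIRECT), ("benign", SAMPLE_BENIGN)):
        result = triage(sample)
        via = result["srs"]["fwd_domain"] if result["srs"] else "none"
        print(f"{name}: {result['verdict']} origin={result['origin_domain']} forwarded_via={via}")
```

    The two control samples show why the verdict hinges on the lure rather than on the forward: a colleague's mail relayed through a DL and a direct PayPal invoice with no phone number both come out clean. The script does not verify the DKIM signature or evaluate DMARC alignment itself; in production that result would come from the gateway's Authentication-Results header, and the SRS hash and timestamp are only decoded here, not validated.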

    With the sophistication and automation brought by AI bots, we predict that telephone-based threats will increase. As these tactics evolve, the volume and impact of such scams are expected to grow, posing even greater risks to individuals and organisations.


    Targets:

    US focused, All Sectors


    IOCs:

    Sender header email address (visible From header):
    • service@intl[.]paypal[.]com
    • service@paypal[.]com
    Sender SMTP envelope address (MAIL FROM / Return-Path, SRS-rewritten by the forwarding tenant; multiple variations exist):
    • bounces+srs=obyzp=nq@fsdfas327[.]onmicrosoft.com
    • noreply14+srs=+eyxs=i3=intl.paypal.com=service@itruemium[.]website
    • sara2675+srs=6ztpp=hz=intl.paypal.com=service@howyoupperceive[.]shop
    Microsoft Distribution Lists: (Multiple variations exist)
    • New-user@fsdfas327[.]onmicrosoft.com
    • NoReply14@itruemium[.]website
    Subject Lines: (Multiple variations exist)
    • You've got a money request
    • Invoice from [Name inserted]
    • Invoice from Notification :If this following transaction was not by you Quickly reach us on [Number inserted]
