A headset hangs on a cubical wall after a telemarketing shift. (Photo by William Thomas Cain/Getty Images)

Researchers on Monday reported that they discovered several incidents related to the Luna Moth/Silent Ransom group’s callback phishing extortion campaign targeting businesses in multiple sectors, including legal and retail.

In a blog post, Palo Alto’s Unit 42 research group, said the campaign leverages extortion without encryption and has cost victims hundreds of thousands of dollars. The researchers also said the campaign is expanding in scope and will continue to escalate because of the low per-target cost, low risk of detection, and fast monetization. 

Unit 42 has also identified several common indicators that imply these attacks on businesses are the product of a single highly organized campaign. This threat actor has significantly invested in call centers and infrastructure that’s unique to each victim. The researchers added that cybersecurity awareness training is the most effective defense against these stealthy and discreet attacks, mainly because the attackers prey on human emotions.

First, remember that ransomware usually begins with a phishing attack, said Mika Aalto, chief executive officer at Hoxhunt. Aalto said if the company gets a supposed business communication to the work emails of users that come from a Gmail address, be assured it’s fraudulent and it may be an attack on the company.

“This particular phishing attack hits familiar social engineering notes along a kill chain of links and phone calls that ultimately give the attacker control of the victim’s computer and access to their network,” Aalto said. “To keep the victim hooked, the campaign manipulates emotions and the human instinct to do the right thing through a false sense of urgency to act before suffering consequences. Any time you start feeling frazzled and afraid when contacted by a stranger over email, take a moment to breathe, look at the sender address, check for typos in the text, and investigate the company through your own navigation and verification outside of the links in the email.”

Mike Parkin, senior technical engineer at Vulcan Cyber, added that this attack is another example of threat actors targeting users through a sophisticated social engineering vector, rather than a technical exploit. Parkin said this kind of initial attack is much harder to stop using technical means, since there’s no malware involved and the initial email vector looks very much like a legitimate source.

“By using known legitimate tools rather than malware, it becomes more difficult to break the attack chain without potentially interfering with normal operations,” Parkin said. “Historically, users have been the most challenging threat surface to harden. Threat actors rely on human nature and social engineering techniques to achieve their goals, and those are notoriously difficult to defend against.”