Callback phishing, the latest trick in the attackers’ pockets, can bypass email filters because they do not contain attachments and links with malware. Hence, email filters fail to red-flag them. This article discusses callback phishing so individuals and cyber security teams can remain vigilant about such attacks.

An infamous Conti ransomware gang member once said, “We cannot win the technology war as we compete with multi-billion dollar organizations on this ground, but we can win the human factor”.

According to a blog by The Washington Post, hackers are evolving their tricks and targeting human behavior to lure them into calling the attackers to reverse fake charges and payments. The blog says that Palo Alto Networks’s Unit 42 released a report recently that states callback phishing by the “Silent Ransom Group” and “Luna Moth” have cost individuals thousands of dollars and are expanding their scope.”

A report from Agari, the Quarterly Threats Trends & Intelligence Report, further corroborates the finding and states that Callback phishing attacks increased by 625% in Q1 2022. Thus, it warns Americans facing relentless fake calls without any relief. Attackers carry out “callback phishing” to prey on victims’ desire not to get billed for subscriptions they did not purchase.


About Silent Ransom/Luna Moth

An offshoot of the notorious ransomware gang Conti, the group, is showing particular precision, according to the Palo Alto Networks. “The threat actor significantly invested in infrastructure and call centers unique to each victim.” They used recycled phone numbers earlier, but now, there are unique phone numbers for every victim, limiting the target’s ability to detect if they are malicious.

The cases involving Luna Moth/Silent Ransom “show a clear evolution of tactics suggesting the threat actor is continuously improving the efficiency of their attack,” Palo Alto Network mentions. “Cases at the campaign’s beginning targeted small- and medium-sized businesses in the legal industry, while later cases indicated a shift towards larger targets in the retail sector.”


How Callback Phishing Works?

Malicious actors have been using callback phishing since 2020, then employed by the ransomware gang Ryuk. It progresses in the following four stages:

  1. Stage One. The threat actor sends a legitimate-looking email and notifies the victim they have subscribed to a service with automatic payment. The email includes a phone number victims can call to cancel their subscriptions.
  2. Stage Two. Thus, the victim contacts a special call center. When operators receive the call, they use various social engineering tactics and convince victims to allow remote desktop control, ostensibly to cancel their subscription service.
  3. Stage Three. After accessing the victim’s desktop, a malicious actor silently enters the user’s network, weaponizing legitimate tools that Conti used earlier. Another hacker continuously remains online with the victim, using social engineering tactics and pretending to help them with remote desktop access.
  4. Stage Four. In the final stages, the initiated malware session makes the adversary access an initial entry point into the victim’s network. Attackers then exploit the initial access to target an organization’s data.



The attackers have evolved their tricks with time. Earlier callback phishing versions involved victims downloading malware. On the other hand, Silent Ransom/Luna Moth does not ask the victims to download any malware, but they rely on commercial tools that allow remote access to IT administrators and other publicly available tools.

Thus, Palo Alto Networks adds that it makes attacks hard to detect since legitimate tools with traditional anti-virus products rarely set off alarms. Callback phishing is more precise than ransomware’s repetitive and random targeting, with hackers creating phishing messages tailored to specific victims.


How To Protect Yourself?

Individuals: Individual users must have a clear understanding of identifying and reporting phishing attacks.

  • Never click on suspected links, URLs or attachments
  • Never respond to spam
  • Use firewall, anti-virus solutions and anti-spam filters
  • Never share personal information with an unsolicited person’s request
  • Stay updated about the latest phishing techniques (cyber hygiene and awareness)
  • If you think the contact may be legitimate, contact the company yourself
  • Never share credentials over the phone
  • Keep your OS and software up-to-date



Organizations: Organizations must communicate with their employees regarding various security hygiene practices and measures, advising them to be vigilant. Furthermore, they must:

  • Deploy endpoint security to safeguard all connected devices and systems (mobiles, websites, emails, desktops, etc.)
  • Patch vulnerable systems
  • Get advanced web protection against malware,  spear-phishing and new Ransomware strands
  • Get expert help for advanced email security
  • Encourage employees: to review the sender’s information. Employees must ensure that a genuine organization is sending emails. In other words, if from a major bank, employees must ensure that the email is actually from the bank, not a threat actor.
  • Ask themselves about action items: Employees must consider what an email requests them to do. Do they need to respond to the email urgently? Is it requesting the recipient to click on a link?
  • Request input if required: After an initial assessment, employees uncertain about the email’s authenticity should request assistance from an IT team, a peer, or another appropriate authority within their organization. Organizations must tell employees about the best ways to seek help discreetly.


Expert Comments

Here’s what other experts have to say about callback phishing:

  • Kristopher Russo, Senior Threat Researcher, Unit 42

“Callback phishing requires more resources from the attacker. They need to allocate a person to be on the call with the victim, assist them in downloading the remote assist software and keep them engaged long enough to install the remote management software.”

He further adds that such attackers also need to set up business operations for tracking things like a reference number with the campaign details for a victim, including name, address, email, amount and service for which they are asking the payment.


  • Chris Clements, vice president of solutions architecture, Cerberus Sentinel

A crucial aspect of practical cybersecurity awareness training is educating employees beforehand about how attackers will contact them and what actions they expect from them.

Furthermore, “It is critical that employees understand how legitimate internal or external departments may contact them, and this goes beyond cybersecurity,” he added.


  • Deilia Rickard, deputy chair, ACCC (Australian Competition and Consumer Commission)

Threat actors typically suggest that there is something urgent. You either need to fix something or make a payment because you owe money, etc.

“When someone contacts you out of the blue, don’t provide them personal, professional details, or bank-related information. Furthermore, do not give them remote access to your system and money,” she says. “If the sender is in a hurry, threatening or aggressive, you must pause and hang up the phone.”



Final Words

After its resurgence in early March this year, callback phishing campaigns adversely affect the current threat landscape. The threat actors are re-evaluating and updating their attack methodologies to stay on top of the ransomware food chain. Thus, traditional cybersecurity enhancement measures hold little significance today. Organizations need a robust, constantly evolving strategy to protect themselves from such threats.

Pin It on Pinterest

Share This