Luna Moth and a case of callback phishing.
Nov 21, 2022

Callback phishing campaign exploits legitimate tools to exfiltrate data that can subsequently be used for extortion.


Palo Alto Networks’ Unit 42 is tracking a large callback phishing campaign dubbed “Luna Moth” that’s using legitimate tools to exfiltrate data for extortion.

Callback phishing leads to extortion.

Callback phishing requires the victim to initiate contact with the attacker, typically by phoning a number supplied in the lure. The attacker then uses social engineering over that call to talk the victim into granting remote access to a system or transferring money:

“The initial lure of this campaign is a phishing email to a corporate email address with an attached invoice indicating the recipient’s credit card has been charged for a service, usually for an amount under $1,000. People are less likely to question strange invoices when they are for relatively small amounts. However, if people targeted by these types of attacks reported these invoices to their organization’s purchasing department, the organization might be better able to spot the attack, particularly if a number of individuals report similar messages.

“The phishing email is personalized to the recipient, contains no malware and is sent using a legitimate email service. These phishing emails also have an invoice attached as a PDF file. These features make a phishing email less likely to be intercepted by most email protection platforms.”

The attached PDF carries a phone number that connects the victim directly to the scammer. The scammer then instructs the victim to install a remote support tool so the scammer can take control of the victim's computer, supposedly to cancel the phony subscription. Because the lure itself contains no malware or malicious link, the phone call is the delivery mechanism, and a legitimate remote support tool, not an exploit, is what gives the attacker hands-on access.
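The lure described above has a recognisable shape: a small-dollar "invoice", a PDF attachment, a phone number to call, and no link or malware for a mail gateway to flag. The following triage heuristic, written for this page as an added example and not code from the page or from Unit 42, scores a message on those traits. The indicator names, the $1,000 cut-off, the "four of five" threshold, the minimal PDF text extractor (it handles only plain, uncompressed text operators) and both sample messages are constructed assumptions for illustration; the phone number uses the reserved 555 range.

```python
"""Added example: heuristic triage for callback-phishing invoice lures.
Not code from the page or Unit 42; thresholds and samples are assumptions."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The two indicators the lure depends on: a small charge and a number to call.
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*(?:\.\d{2})?)")
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
# String operands of '(text) Tj' in an uncompressed PDF content stream.
PDF_TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj")
INVOICE_WORDS = ("invoice", "charged", "subscription", "renewal", "receipt")


def pdf_text(data: bytes) -> str:
    """Minimal extractor (assumption): only plain, uncompressed '(text) Tj'
    operators, which is enough for the constructed sample below."""
    return " ".join(m.group(1).decode("latin-1") for m in PDF_TEXT_RE.finditer(data))


def score_message(raw: bytes, small_amount_max: float = 1000.0) -> dict:
    """Score one RFC 5322 message against the lure pattern described above."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    pdf_texts = [pdf_text(p.get_payload(decode=True))
                 for p in msg.iter_attachments()
                 if p.get_content_type() == "application/pdf"]
    combined = (text + " " + " ".join(pdf_texts)).lower()
    amounts = [float(a.replace(",", "")) for a in AMOUNT_RE.findall(combined)]
    indicators = {
        "has_pdf": bool(pdf_texts),
        "invoice_wording": any(w in combined for w in INVOICE_WORDS),
        "small_amount": any(0 < a < small_amount_max for a in amounts),
        "phone_number_in_lure": bool(PHONE_RE.search(combined)),
        "no_links": "http" not in combined,  # nothing for a URL filter to inspect
    }
    indicators["score"] = sum(1 for v in indicators.values() if v)
    indicators["suspect"] = indicators["score"] >= 4  # assumed threshold
    return indicators


def build_sample_pdf(text: str) -> bytes:
    """Constructed one-page, uncompressed PDF carrying `text` (no parentheses)."""
    stream = f"BT /F1 12 Tf 72 720 Td ({text}) Tj ET".encode("latin-1")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream",
    ]
    out, offsets = b"%PDF-1.4\n", []
    for i, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return out


def build_sample_message() -> bytes:
    """Constructed lure modelled on the description above (fictitious names, 555 number)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "jane.doe@corp.example"
    msg["Subject"] = "Your invoice INV-20481"
    msg.set_content("Hi Jane,\n\nYour card has been charged $499.00 for your annual "
                    "subscription. The invoice is attached. To cancel, call "
                    "support at 1-800-555-0199.\n")
    msg.add_attachment(
        build_sample_pdf("Invoice INV-20481  Total $499.00  Cancellations: 1-800-555-0199"),
        maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed ordinary internal mail used as a control."""
    msg = EmailMessage()
    msg["To"] = "jane.doe@corp.example"
    msg["Subject"] = "Thursday deck"
    msg.set_content("Hi Jane, the slides are at https://docs.corp.example/deck - see you Thursday.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, raw in (("lure", build_sample_message()), ("benign", build_benign_message())):
        print(name, score_message(raw))
```

The scoring deliberately treats the absence of links as a signal rather than as reassurance, since that absence is exactly what lets the lure past filters that key on URLs and attachments with executable content. In production the PDF extraction would use a real parser, and a hit should route the message to the purchasing or finance team for confirmation, the check the Unit 42 text suggests.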

Extortion tied to threatened release of data.

After exfiltrating data, the attackers email the compromised organization and demand a ransom. The ransom amounts vary depending on the organization’s revenue, and range from around $30,000 to over $1 million worth of Bitcoin. Unit 42 notes that the attackers don’t always follow through on their promise to provide proof that the stolen data have been deleted.