Call-Back Phishing: Enhanced Protection with SURBL HASHBL

  • Home
  • Call-Back Phishing: Enhanced Protection with SURBL HASHBL

Call-Back Phishing: Enhanced Protection with SURBL HASHBL

Phishing attacks continue to be a prevalent and evolving threat.

According to the FBI’s Internet Crime Complaint Center (IC3) annual report, phishing schemes were the most reported cyber-attack in 2022. “Losses to phishing attacks increased by 76% last year, with almost one-third of companies losing money to successful phishing attacks”.

Blocking based on IP addresses and domains is highly effective. As a result, cyber attackers are constantly coming up with new techniques in an attempt to evade filtering.  This means organizations must continue to adapt their coverage and approaches to best protect their users against constantly changing cyber-attack methods.

One new and trending cyber-attack method is “Call-Back Phishing”. In November 2023, the FBI issued a warning to private businesses that call-back phishing attacks are on the rise.

New innovations, like SURBL HASHBL, help protect against the latest phishing trends by blocking malicious content, often missed by traditional blocklists.  One example is identifying phone numbers used in call-back phishing campaigns.

What is Call-Back Phishing?

Call-Back Phishing attacks, also known as Hybrid Vishing or Telephone-Orientated Attack Delivery (TOAD), are one of the latest methods used in online scams.

This new attack method is being observed more and more frequently. According to a report, call-back phishing attacks have increased 625% in 2022.

Call-back phishing attacks begin with a cybercriminal sending a seemingly harmless email. These emails contain no malicious links or attachments in order to evade filtering, but instead, prompt the user to call a phone number included in the email.

The goal of the attack is to get the end-user off of the computer, where malicious items are filtered, and on the phone. Once on the phone, they direct the user to a malicious website.

This malicious website may contain malware, trick the user into sharing personal / financial information, or more.

The FBI warning included an example from June 2023, where the Silent Ransom Group (also known as Luna Moth) conducted a call-back phishing campaign. The call-back phishing campaign resulted in the threat actors gaining access to local files and shared network drives. Once they had access, they were able to exfiltrate the victim’s data and, ultimately, extort the companies.

Example of a Call-Back Phishing email observed by SURBL:

Common call-back phishing attacks involve a fake invoice confirmation email for something the end user did not purchase. 

In the example above, the user was sent a fake PayPal invoice for a “Nortan360 Security” that they did not purchase. The email will often offer a support phone number the user can call if they have issues with their purchase or if the invoice is incorrect, like the toll-free number shown in the top right of the example email. 

If the end user is tricked into believing this email and calling the support line, they may end up sharing account log-in details, credit card information, or more.

Hash Blocklist for Enhanced Protection

Traditional blocklists are unable to detect a call-back phishing attack without a malicious IP or domain contained in the email message header.

Using new hashed based filtering, emails can now filter based on hash strings of email content. Email content may include attachments, crypto-wallets, or in the case of TOAD attacks, phone numbers.

The HASHBL from SURBL now contains a list of hashed phone numbers known to be associated with malicious email and fraudulent activity.

Email filters can now hash phone numbers contained in email messages and query against the SURBL HASHBL’s list to identify these threats.

HASHBL Example:  

Phone number: +0012345678

md5sum: 506c5e6bb3d2ef3b3fd36b7cf7bfb26a

Query: 506c5e6bb3d2ef3b3fd36b7cf7bfb26a.$

Return Code if Listed: