"Fake Subscription Invoices Lead To Corporate Data Theft and Extortion"

A threat actor known as Luna Moth has been stealing sensitive data and extorting money from small and medium-sized businesses through social engineering and legitimate software. The group avoids ransomware in favor of convincing targeted employees to call a phone number operated by the attackers and install a remote access tool. Callback phishing, also known as Telephone-Oriented Attack Delivery (TOAD), is a social engineering attack in which the threat actor must interact directly with the target in order to achieve their goals. This attack style requires more resources but is less complex than script-based attacks, and it has a much higher success rate, according to Palo Alto Networks' Unit 42 researchers.

The first lure is a phishing email that appears to be from a legitimate business, such as a fitness center, informing the recipient that they have subscribed to a service and that payment will be taken from the payment method they previously supplied. The body of the phishing email contains no malicious links or attachments that would trigger email security solutions. Instead, it contains one or more phone numbers through which the recipient can dispute the subscription, as well as a nine- or ten-digit confirmation number that the threat actors use to identify the specific recipient. Alternatively, the same information is delivered in an attached PDF file. All of the numbers used by the attacker were registered with a Voice over IP (VoIP) provider.

When the victim dialed one of the attacker's phone numbers, they were routed through a queue and eventually connected with an agent who sent a remote assist invitation for the remote support tool Zoho Assist. Once the victim connected to the session, the attacker took control of the victim's keyboard and mouse, enabled clipboard access, and blanked out the screen to conceal their actions.
For data exfiltration, the threat actor has been known to install the remote support software Syncro and open-source file management tools Rclone or WinSCP. The attacker sends an extortion email after rooting through the system and exfiltrating sensitive data, threatening to sell or leak the data if they are not paid. This article continues to discuss Luna Moth's tactics and targets. 
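As an added example (not part of the Help Net Security article or Unit 42's research), the following Python mail-filter heuristic scores an inbound message on the lure traits described above: a subscription or payment pretext, a callback phone number, a nine- or ten-digit confirmation number, and no URL for link scanners to catch. The sample messages, phone number, keyword list and score threshold are constructed for illustration; text extracted from an attached PDF can be passed in as part of `body`.

```python
import re

# Heuristics for a callback-phishing (TOAD) subscription lure. All
# patterns, keywords and the threshold below are constructed assumptions.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
# North American style callback numbers, e.g. (888) 555-0142 or 888-555-0142
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
# Nine- or ten-digit "confirmation number" used to identify the recipient
CONF_RE = re.compile(
    r"(?i)\b(?:confirmation|order|invoice|reference)\s*"
    r"(?:no\.?|number|#|id)?[:\s#]*(\d{9,10})\b"
)
LURE_WORDS = ("subscription", "renew", "charged", "payment",
              "invoice", "cancel", "dispute")
SUSPECT_THRESHOLD = 4


def score_callback_lure(subject: str, body: str, attachments=()) -> dict:
    """Return a score and verdict for one message; higher means more lure-like."""
    text = f"{subject}\n{body}"
    low = text.lower()
    urls = URL_RE.findall(text)
    conf_numbers = [m.group(1) for m in CONF_RE.finditer(text)]
    # Mask confirmation numbers so a bare 10-digit id is not counted as a phone
    masked = CONF_RE.sub(" ", text)
    phones = sorted({re.sub(r"\D", "", p) for p in PHONE_RE.findall(masked)})
    lure_hits = [w for w in LURE_WORDS if w in low]
    pdf_attachments = [a for a in attachments if a.lower().endswith(".pdf")]

    score = 0
    score += 2 if phones else 0            # "call us to dispute" channel
    score += 2 if conf_numbers else 0      # per-recipient tracking id
    score += 1 if len(lure_hits) >= 2 else 0
    score += 1 if not urls else 0          # nothing for URL filters to flag
    score += 1 if pdf_attachments else 0   # PDF variant of the lure
    verdict = "callback-phishing suspect" if score >= SUSPECT_THRESHOLD else "no match"
    return {"score": score, "verdict": verdict, "phones": phones,
            "confirmation_numbers": conf_numbers, "urls": urls,
            "lure_hits": lure_hits}


# Constructed sample messages, not real mail
SAMPLE_SUBJECT = "Your Peak Fitness membership has been renewed"
SAMPLE_BODY = """Thank you for your subscription to Peak Fitness Premium.
The annual fee of $499.99 will be charged to the payment method on file.
Confirmation Number: 4815162342
To cancel or dispute this charge, call our billing desk at (888) 555-0142
within 24 hours."""
BENIGN_BODY = """Your order #A1234 has shipped. Track it at https://shop.example/track/A1234.
Questions? Reply to this email."""

if __name__ == "__main__":
    print(score_callback_lure(SAMPLE_SUBJECT, SAMPLE_BODY))
    print(score_callback_lure("Your order has shipped", BENIGN_BODY))
```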

Help Net Security reports "Fake Subscription Invoices Lead To Corporate Data Theft and Extortion"
