Fake subscription invoices lead to corporate data theft and extortion

A threat actor dubbed Luna Moth has been leveraging social engineering and legitimate software to steal sensitive data and extort money from small and medium-size businesses.

The group is eschewing the use of ransomware and instead relies on targeted employees calling a phone number manned by the attackers and convincing them to install a remote access tool.

“Callback phishing, also referred to as telephone-oriented attack delivery (TOAD), is a social engineering attack that requires a threat actor to interact with the target to accomplish their objectives. This attack style is more resource intensive, but less complex than script-based attacks, and it tends to have a much higher success rate,” Palo Alto Networks‘ Unit 42 researchers noted.

The fake subscription invoices

The intial “hook” – and it’s obviously a good one, as the group has been using it for a while – is a phishing email made to look like it’s coming from a legitimate business (a fitness center, Master Class, Duolingo, etc.), saying that the recipient has subscribed to a service and that payment for it will be extracted via the payment method previously specified by the recipient.

fake subscription invoices

The body of the phishing email contains no malicious links or attachments to trigger email security solutions. Instead, it contains one or more phone numbers via which the recipient can dispute the subscription and a nine- or 10-digit confirmation number that’s used by the threat actors to identify the specific recipient. (Alternatively, that info is in an attached PDF file).

“The attacker registered all of the numbers they used via a Voice over IP (VoIP) provider. When the victim called one of the attacker’s numbers, they were placed into a queue and eventually connected with an agent who sent a remote assist invitation for the remote support tool Zoho Assist,” the researchers explained.

“Once the victim connected to the session, the attacker took control of their keyboard and mouse, enabled clipboard access, and blanked out the screen to hide their actions.”

The threat actor has been known to install remote support software Syncro for persistence and open source file management tools Rclone or WinSCP for data exfiltration.

“In cases where the victim did not have administrative rights to their operating system, the attacker skipped installing software to establish persistence. Attackers instead downloaded and executed WinSCP Portable, which does not require administrative privileges and is able to run within the user’s security context,” the researchers added.

After rooting through the system and exfiltrating sensitive data, the attacker sends an extortion email, threatening to sell or leak the data if they don’t get paid.

Corporate targets

The activities of the Luna Moth extortion group have been previously documented by Sygnia’s IR team, and their tactics are evolving.

According to the Unit 42 researchers, the group has started by targeting individuals at SMBs in the legal industry but has now expanded their victim pool to include individuals at larger businesses in the retail sector. They expect further expansion on that front and, in general, other threat actors to mount callback phishing campaigns, since this type of scheme is relatively cheap to pull off and the extorted amounts can be considerable.

“Organizations in currently targeted industries should be particularly vigilant to avoid becoming victims,” they noted, but also pointed out that all organizations should invest in:

  • Cybersecurity awareness training programs with a particular focus on unexpected invoices, as well as requests to establish a phone call or to install software
  • Cybersecurity tools designed to detect and prevent anomalous activity (e.g., installing unrecognized software or exfiltrating sensitive data).

Don't miss