AUGUST 10, 2023
In the course of performing a postmortem investigation of an infected computer, Sophos X-Ops discovered that the attack began with an innocent-sounding phone call. The caller talked an employee of a Switzerland-based organization into setting off a complex attack chain that compromised the employee’s computer.
Sophos Incident Response analysts found that the attackers may have targeted the call recipient personally, and crafted an elaborate social engineering attack chain that resulted in the attackers taking control of the target’s computer, briefly, before the target literally pulled the (ethernet) plug on the compromised computer. The alert employee sensed something was wrong, and disconnected the infected computer from the network, but not before the malicious payload was already at work.
The caller, whose voice sounded like a middle-aged man, told the employee that he was a delivery driver with an urgent package destined for one of the company locations, but that nobody was there to receive the package, and he asked for a new delivery address at the employee’s office location. In order to redeliver the package, he continued, the employee would have to read aloud a code the shipping company would email.
While the caller was still on the phone with the employee, the employee received an email message, purportedly from the caller’s shipping company. The email message shown below (written in French) said that a PDF file attached to the message contained the code the delivery driver was waiting to hear before they could bring the package to the employee’s location.
Source: Sophos News, “Attacker combines phone, email lures into believable, complex attack chain”