“Stay Alert, Stay Secure: Combat TOAD Attacks with Knowledge and Technology”
Exploring the Rise of Callback Phishing and TOAD Attacks: Strategies for Prevention and Response
In the shadowy corners of the internet, a new threat looms large, casting a long and ominous shadow over global cybersecurity landscapes. Recently, there has been a significant uptick in hackers employing a cunning strategy known as callback phishing. This method, particularly through its subset known as telephone-oriented attack delivery (TOAD), begins innocuously with a phishing email that masquerades as being from a trustworthy company. The email typically urges the recipient to dial a phone number provided within the message. Once this number is called, the person on the other end—far from being a helpful customer service agent—is actually an attacker skilled in the dark arts of social engineering.
These attackers coax unsuspecting victims into installing what appears to be legitimate remote control software but is actually remote access malware. This software becomes a Trojan horse, opening gates for attackers to infiltrate networks and deploy ransomware. The sophistication of these operations is chilling, with ransomware operators continually refining their methods and even conducting underground recruitment drives to find TOAD specialists. These specialists are prized for their ability to mimic genuine customer support agents, making them key players in the ransomware ecosystem.
According to the alarming statistics in Proofpoint’s 2024 State of the Phish report, over 10 million TOAD attacks occur monthly, affecting 67% of businesses worldwide in 2023 alone. The roots of this menacing trend can be traced back to late 2020 and early 2021 with the emergence of BazarCall campaigns, which disseminated BazarLoader malware. The success of these campaigns has not only inspired similar tactics among other cybercriminal groups but has also led to an increase in mobile malware operations aimed at stealing payments and sensitive data.
The underground market for these nefarious services is booming, as evidenced by Intel471’s blog which notes an increase in callback phishing operations distributing malware like BokBot. Between January 2023 and August 2024, around 60 actors were reported to provide underground call services, with offers increasing significantly over time. This burgeoning market highlights a disturbing trend: the professionalization and commodification of cybercrime.
As we moved into 2024, vishing-related attacks surged, driven by various actors eager to capitalize on TOAD techniques to expand their criminal enterprises. In an unsettling development, researchers noted that ransomware groups were actively seeking callers for ransomware-focused attacks in early 2024. A new participant on the XSS forum was even recruiting English-speaking callers in July 2024 to target organizations in the US and Canada, providing them with sophisticated tools including Clownfish voice-changing software and “Fake Caller ID” spoofing services.
This escalation is not just a statistic; it represents a real and present danger to organizations worldwide. It underscores the urgent need for robust defensive strategies. Employees must be trained to recognize, discard, and report phishing attempts that exhibit any signs of suspiciousness, such as unusual requests or grammatical errors. It is crucial that sensitive information is never disclosed over the phone, especially when prompted by an unsolicited email.
Moreover, organizations should invest in anti-spoofing and email authentication technologies like SPF, DKIM, and DMARC to harden their defenses against these sophisticated attacks. Educating users on recognizing TOAD social-engineering techniques is equally important as technological solutions.
As we navigate this troubling rise in callback phishing and TOAD attacks, it is imperative that we remain vigilant and proactive. The cost of complacency is simply too high, with potential consequences that could reverberate through every level of our digital lives.
