Criminals are using call centers to spread ransomware in a crafty scheme

You might want to think twice about canceling that subscription.
Two phone boxes in London. (Photo by John Keeble/Getty Images)

An ongoing ransomware campaign that employs phony call centers to trick victims into downloading malware may be more dangerous than previously thought, Microsoft researchers say.

Because the malware isn’t in a link or document within the email itself, the scam helps attackers bypass some phishing and malware detecting services, Microsoft researchers noted in a report Thursday.

When the company first examined it in May, the scheme features attackers posing as subscription service providers who lure victims onto the phone to cancel a non-existent subscription. Once there, the call center worker guides them to download malware onto their computer.

Researchers now say that the malware not only allows hackers a one-time backdoor into the device, as previously thought, but to also remotely control the affected system. That means it’s even easier for them to sweep for files and find high-end user credentials that could be used to drop ransomware such as Ryuk or Conti within the first 48 hours of infiltration.


The campaign, “BazaCall” (or BazarCall), was first noted by researchers at Palo Alto Networks in February.

Criminals lure in targets with an email suggesting that a subscription for a service, such as a gym membership, is expiring. Recent campaigns have posed as confirmation receipts for software licenses.

A traditional malware campaign would likely instruct users to click open a link within the email or download an attachment. That’s where BazaCall differs. Each email contains a unique ID number and instructs the user to call a number that will connect them with an actual human.

The call agent instructs them to visit a legitimate-looking website and tells them to download a file from their account page to cancel their subscription. Once the user enables macros on the downloaded document, the malware is delivered from a Cobalt Strike beacon. Using the tool, which was designed for legitimate purposes, can help mask malicious activity.

While such a campaign requires a little more social-engineering know-how on the part of hackers, the delivery method makes it more difficult for spam and phishing email detection software to intervene, Microsoft said. That could make the method a powerful tool for ransomware actors trying to get around increased scrutiny.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts