Hackers turn to phone calls to infect PCs with malware — what you need to know

Four call-center workers using laptops.
(Image credit: FrameStockFootages/Shutterstock)

The newest method of infecting your computer is remarkably old-fashioned: It uses a telephone call.

Online researchers are documenting a new malware campaign they've dubbed "BazarCall." One of its primary malware "payloads" is the BazarLoader remote-access Trojan, which can give a hacker full control over your PC and be used to install more malware.

The attack starts with an email notifying you that a free trial subscription for a medical service that you've supposedly signed up for is about to run out, and your credit card will be charged in a few days — at $90 a month or some other ridiculous rate.

The subject line may read "Thank you for using your free trial," "Do you want to extend your free period," or something similar, according to The Record and Bleeping Computer. A security researcher calling themselves "Execute Malware" has posted a list of possible BazarCall subject lines here

Naturally, you're wondering what the hell this email is, but you're pretty sure you don't want to be paying for something you never agreed to. Fortunately, the message provides a phone number you can call to cancel the subscription, plus a subscriber ID number that you can refer to during the call.

Is this a phishing email?

You hesitate. You've heard of, and maybe even seen, phishing emails that want you to click on a link, but then take you a site that asks for your password or tries to install something on your computer. 

But there's no link in this email. It seems safe. And what harm can come from calling a phone number?

So you call. You're placed on hold. You wait for a couple of minutes. And then a helpful call-center operator — he or she sounds suspiciously like someone who'd be part of a tech-support scam — comes on the line and listens to your questions about the email. 

The operator asks for the subscriber ID mentioned in the email.

Now here's the key thing. That subscriber ID is very important because it lets the crooks know who you are — and many of their targets are people who work in specific companies.

"They will be able to identify the company that got that email when you give them a valid customer [ID] number on the phone," Binary Defense security expert Randy Pargman told Bleeping Computer. "But if you give them a wrong number they will just tell you that they canceled your order and it’s all good without sending you to the website."

Here's a YouTube video illustrating the entire process. The interaction with the call-center operator starts about 2 minutes and 45 seconds in.

We're sorry, just fill out this form...

Anyway, the customer-service rep puts you back on hold for a bit to check your subscriber ID, then comes back to tell you who signed up and provided a credit card for this subscription — and it's someone who's not you. There must be a mistake.

The friendly customer-support person tells you that because this concerns a medical service, you've got to fill out some forms online to cancel the subscription. He sends you to a professional-looking website, where you can continue the cancellation process.

There are at least five possible websites, again listed here. The one we saw all looked the same, but someone took a lot of effort to make each site look decent. The websites have FAQs, privacy statements, terms of use and even contact information listing street addresses of Los Angeles office towers and southern California phone numbers. 

We called a couple of the listed phone numbers but got nowhere. We also discovered that all five websites we visited have domains that were registered last week using the same alias and the same Russian email address.

... but you have to download it first

Back on the customer-support call, the rep directs you to the site's signup page, where you can click Unsubscribe. However, the Unsubscribe field doesn't ask for your name or your email address. Instead, it again asks for the subscription ID number found in the original email notification you received. 

Click Submit on the Unsubscribe dialogue box, and your browser prompts you to allow download of a Microsoft Excel spreadsheet or Word document. The customer-support rep says you must download, open and digitally "sign" this document to cancel the subscription.

Now, Microsoft Office files downloaded from the internet are so dangerous that Windows itself "sandboxes" them so that they can't run macros — little mini-programs — without your permission. 

But the customer-support rep you have on the phone insists that you click the yellow bar that appears across the top of this Excel or Word file to enable macros so that you can "sign" the document.

Bingo, you're infected

And that's the kiss of death. As soon as you enable macros, the Office file installs a "dropper," a form of malware that reaches out to the internet and downloads and installs more malware. 

In this case, the malware may be the aforementioned BazarLoader or the even more fearsome TrickBot. Once either of these is up and running on your machine, the crooks behind it can install coin miners, botnet software, or even ransomware on your device. 

If your machine is part of a company network, the malware will spread quickly throughout the company.

But you're not aware of this. For all you know, you're just filling out a form to cancel an unwanted and rather expensive subscription. When you're done, the call-center operator cheerily tells you that you've been successfully unsubscribed and to have a pleasant day.

How can you avoid being a victim of this scam? First, be sure to have some of the best antivirus software installed on your machine. Second, be very wary of any scheme that involves downloading Office files and then enabling macros. That's often a recipe for disaster.  

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.