BazarCaller – the malware gang that talks you into infecting yourself


You’re almost certainly familiar with vishing, a phone-based scam in which cybercriminals leave messages on your voicemail in the hope that you’ll call them back later to find out what’s going on.

In fact, if you have a long-standing phone number, like we do, you may well get more of these scam calls (perhaps even many more of them) than genuine calls, so you’ll know the sort of angle they take, which often goes along these lines:

[Synthetic voice] Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of dollars]. To cancel your subscription or to discuss this renewal, press 1 now.

Sometimes, they’ll read out the number to call them back on, to re-iterate not only that it matches the number that shows up in your call history, but also that it’s a local number, right there in your own town or country.

The crooks do this to “prove” that caller is local too, rather than sitting overseas in some scammy boiler-room call centre, far from the reach of law enforcement and the regulators in your part of the world.

Unfortunately, the number that shows up in your call history (known by various names around the world, including Caller ID and calling line identification) doesn’t tell you where the caller is actually located.

Firstly, Caller ID is easy to spoof, so crooks can disguise their real number, or make it look as though they’re calling from somewhere you trust, such as your bank.

Secondly, if it’s not spoofed, Caller ID doesn’t tell you where a returned call will ultimately end up, but merely reports the last known phone number that it passed through on the way to you.

If a call centre (or a cybercriminal) calls you from overseas using a voice-over-IP (VoIP) service, where the call is transmitted cheaply over the internet until it reaches your country and only then redirected into the phone network, you will see a local number in your call history, but it won’t actually be the caller’s ID. Always keep in mind that the name Caller ID is misleading because it doesn’t identify the person who called you at all. Even calling line identification is an inaccurate name, given that the number that shows up can be modified and therefore doesn’t reliably identify the calling line, either.

Call us back

So, Caller ID can’t be trusted, and unexpected phone calls, like unwanted emails, could by-and-large have come from anyone.

That’s why many of us dump all our calls to voicemail these days, and respond only to the likely ones.

With this in mind, you may be wondering why crooks still bother running phone-based scams, especially when these require human interaction each and every time someone returns a call, unlike web-based scams, which largely look after themselves.

The answer, of course, is that variety is the spice of life, or, sadly, that variation is one of the secrets of scamming.

Sometimes, simply being different from what everyone has been told to watch out for is enough to get victims to let their guard down.

The other advantage, for the crooks, of running what you might call human-led scams instead of pure online ones is that the scammers in the call centre only ever deal with people who are already concerned enough to call back of their own accord.

In other words, call-back scamming may be a more time-consuming way of interacting with each potential victim, but:

  • Many people feel comfortable about carrying out risky computer behaviours such as installing unknown software if there is an “IT helpdesk” person talking to them at the same time.
  • Human scammers can adapt and respond in real time to objections or fears that potential victims might raise, thus keeping those callers on the hook for much longer than if they were left to their own devices.

Call us first

As you probably know, there’s a fascinating world of hybrid scamming that mixes together email-based and phone-based treachery.

Technical support scammers – those lowlifes who find fake viruses on your computer and then charge you real money for pretending to remove them – have been doing this for years.

They know that potential victims have been taught “not to click through” and to “watch out for dodgy popup links”, so many scams these days invite you to call a local phone number instead of clicking a link or opening an attachment.

At first, this feels as though it should be safer, because you’re not immediately exposing your browser or your computer to a site or a file that you aren’t sure of.

There’s always a chance, you might think, to make your own judgment of the “helpdesk expert” at the other end…

…before typing in the link they just gave you, or installing the software they just recommended.

Don’t click, call us instead

Unfortunately, as we wrote earlier this year, it’s not just the technical support scammers using this “don’t click a dangerous link, call this handy phone number instead” trick.

In April 2021, we warned of a malware crew using a similar trick to talk you into infecting yourself with their malware, known as BazarLoader (also known as BazaLoader), thus giving them a foothold on your computer to mount pretty much any sort of cyberattack they want:

Rather than deciding in advance whether they’re going to hit you with a keylogger, a data stealer or a ransomware attack, the crooks who talk to you on the phone helpfully explain how to open a booby-trapped Office file that they deliver to you.

By tricking you into bypassing the security checks that would otherwise keep you safe, they implant a general-purpose bot or zombie program onto your computer that can:

  • Download and run another programs, disguising them as unexceptionable apps such as Notepad or Explorer.
  • Download and run DLLs, Windows software modules that many people think of as safer than EXE files because they aren’t standalone programs that you can launch as apps in their own right.
  • Download and run a batch file or PowerShell script. PowerShell is widely used by system administrators these days because it makes it easy to create full-blown Windows programs in the form of plain text files.
  • Get rid of itself from disk and exit. By cleaning up their malware tools after an attack, the crooks make it harder for you to figure out what happened and thus make it tricky to know what to look out for in future.

BazarLoader is back

We’re writing this article now as a followup to a reminder that came from Microsoft itself last week, with the self-explanatory title:

BazaCall: Phony call centers lead to exfiltration and ransomware

As you can imagine, Microsoft takes this sort of attack at least as personally as anyone else, not least because the primary malware infiltration vehicle that the BazarLoader/BazarCaller crooks use is to talk you into infecting yourself via some sort of Microsoft Office file.

Ironically, the crooks use the pretence that the file is “protected” and therefore needs to be handled in a special way – something that a crooked “helpdesk support team member” will glibly and happily tell you how to do.

Of course, the “special way” of handling the “protected” file, shown above as ENABLE EDITING and ENABLE CONTENT, involves turning off Microsoft’s default security settings, thus allowing malware embedded in the Office file to run, rather than blocking it.

In the latest round of attacks, you are urged via email by the BazarCaller scammers to phone them up if you want to “resolve” a “purchase” that was just debited to your account, such as:

  • Converting a software trial into an auto-billed “premium” paid package. (Call for details, or to cancel if this is an error, etc.)
  • Joining a fitness program you showed an interest in. (Call with included personal ID for help or details, etc.)
  • Autorenewing a service membership you’re already part of. (Call if you want to cancel, etc.)

The crooks know that you’ll know that you didn’t intend to make or authorise the purchase they’re warning you about.

They’re also hoping that you’ll want to check how the “mistake” happened, and get the charge removed from your card.

Don’t do it!

What to do?

  • Never assume that calling a phone number is safer than clicking on a web link. Either way could put you directly into contact with cybercrooks.
  • Never rely on contact details given to you by an outsider. If you are concerned about unauthorised payments taken off your card, contact your bank or card provider directly for advice. Always use the phone number or website on the back of your physical card, or printed on documentation that’s already in your possession.
  • Never change a security setting on your computer because someone you don’t know told you to. If you’re wondering whether a link is safe to download, or an Office file is safe to open, find someone you already know and trust (e.g. a member of your own IT team from work, or a trusted friend in your own circle) and ask them directly.
  • Never feel compelled to call a number back, whether you are being threatened or flattered. If you have any vulnerable friends or family whom you think might easily be misled on the phone, make sure they know to call you first.
  • Listen to our special podcast episode on social engineering. Phone scammers can be much more persuasive than messages received via email or the web. Phone scammers adapt their lies and treachery line by line as they go along, and typically have the “gift of the gab” to explain away any concerns you might have along the way.


Listen to our special-episode podcast with Rachel Tobac, a renowned social engineering expert, and give yourself the confidence and understanding not to get sucked into saying or doing the wrong thing online:

Remember that gangs like the BazarCaller crew talk people into infecting themselves with malware, including ransomware, for a living.

Cybercrooks of this sort typically have a lot more practice in telling you what you want to hear, the way you want to hear it, than you have in picking out which bits of what they just said are a pack of lies.

If in doubt, don’t give it out!

Products You May Like

Leave a Reply

Your email address will not be published. Required fields are marked *