You have read the article about “latest phishing scams” and thought, “That won’t happen to us.” We’ve got training, spam filters, and good old common sense. Well, guess what? A stealthy cybercrime group is banking on that exact mindset.
According to The Hacker News, the FBI just issued a warning that should make every law firm pay attention. A threat group called Luna Moth, also known as Silent Ransom Group, Chatty Spider, or UNC3753, has been quietly targeting U.S. law firms with a crafty, low-tech, high-impact campaign. Their goal is to gain remote access, steal sensitive data, and extort firms for ransom without ever dropping malware.
What is the Luna Moth Attack?
Since 2022, Luna Moth has been running callback phishing campaigns, which are emails pretending to be from subscription services like antivirus tools or cloud apps. They claim you’ve been charged, usually under $50, and prompt you to call a “support” number to cancel.
Step-by-Step Breakdown of the Attack:
- Deliver Phishing Email: The victim receives a credible-looking email about an unknown subscription charge (often less than about $1,000). The email includes a PDF invoice.
- Callback Trap: Instead of a link, the email gives a phone number for the victim to call to dispute the charge. Now the trap is laid.
- Identify as IT Support: When the victim calls, the attacker, posing as Customer Service/IT, manipulates the victim into “joining” a remote access service like Zoho Assist.
- Remote Access & Data Theft: Once connected, the attacker browses the victim’s files and exfiltrates them with tools like Rclone or WinSCP.
- Demand Extortion Payment: Victims will receive an extortion email demanding monetary payment (as much as $800,000) and threatening to release data to the public.
But as of March 2025, they’ve upped their game. Now, they’re calling employees directly and pretending to be from your company’s IT team.
“They say it’s routine maintenance,” the FBI explains in its latest alert. “They guide employees into installing remote access software, and just like that, the breach begins.”
Who’s Being Targeted?
Mainly U.S. law firms. But it’s spreading.
- Legal and financial companies (especially those handling sensitive records)
- Individual employees who receive the phishing email or get the call
- IT teams who aren’t expecting an internal breach like this
Why Law Firms?
According to a report by EclecticIQ, Luna Moth shifted its focus to law firms because of the type of data they hold: high-value IP, financial details, and confidential legal strategies. Law firms are under immense pressure to keep things discreet. That makes them more likely to pay up quickly.
A breach hits a firm in several ways:
- Sensitive data gone: Legal documents, financial records, internal IP, all swiped
- Massive financial exposure: We’re talking ransom demands of up to $800,000.
- Employee stress: Imagine being the one who picked up that call.
- Reputation damage: Clients don’t exactly love it when their info is caught in a breach.
- Compliance nightmares: Data regulations don’t take kindly to leaks, even accidental ones.
What Made This Phishing Effective?
Honestly? Because it all feels real. Most teams are not trained for that specific type of trick.
- These emails look totally innocuous. No links. No attachments.
- These phone calls for support sound just like the ‘real deal.’
- The tools victims are asked to install are often the same ones your IT team already uses.
- People panic as soon as you mention money; even $50 is enough to act.
This isn’t some flaw in your firewall. It’s just people being people. If someone called your team right now and said, “We’re from IT. There’s an urgent issue with your account,” would your employees know what to do?
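The lure described above has a recognizable shape: billing language, a dollar amount, a phone number to call, and no link to click. The following Python triage script, an added example rather than anything from the article or the FBI alert, scores messages on exactly those traits. The sample messages, brand names, phone numbers and the alert threshold of 5 are all constructed assumptions to be tuned against your own mail.

```python
import re
from dataclasses import dataclass, field

# Regexes for the traits of a callback-phishing lure.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
BILLING_TERMS = ("charged", "subscription", "invoice", "renewal", "auto-renew", "payment")
# " call " is padded with spaces so words like "locally" do not match.
CALLBACK_TERMS = (" call ", "cancel", "refund", "dispute", "billing department")


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspect(self) -> bool:
        return self.score >= 5  # assumption: threshold to tune on real traffic


def score_callback_phish(subject: str, body: str) -> Verdict:
    """Score one message; higher means closer to the callback-phishing pattern."""
    text = f" {subject} {body} ".lower()
    v = Verdict(0)
    phones = PHONE_RE.findall(body)
    urls = URL_RE.findall(body)
    if phones:
        v.score += 2
        v.reasons.append(f"{len(phones)} phone number(s) in body")
    if any(t in text for t in BILLING_TERMS):
        v.score += 1
        v.reasons.append("billing/subscription wording")
    if any(t in text for t in CALLBACK_TERMS):
        v.score += 1
        v.reasons.append("asks recipient to call, cancel or dispute")
    if AMOUNT_RE.search(body):
        v.score += 1
        v.reasons.append("dollar amount quoted")
    if phones and not urls:
        # The defining trait: a number to call but nothing to click.
        v.score += 2
        v.reasons.append("phone number but no link: callback pattern")
    return v


# Constructed sample messages (fictitious brands and 555-01xx numbers).
SAMPLE_EMAILS = [
    {"id": "msg-1", "subject": "Your ShieldGuard Antivirus renewal receipt",
     "body": "Thank you for renewing your ShieldGuard Antivirus subscription. "
             "Your card has been charged $49.99. If you did not authorize this charge, "
             "call our billing department at (888) 555-0143 within 24 hours to cancel "
             "and request a refund."},
    {"id": "msg-2", "subject": "Your Acme Cloud Storage receipt",
     "body": "Your subscription renewed automatically. Amount: $12.00. "
             "View your invoice at https://billing.example.com/inv/48213"},
    {"id": "msg-3", "subject": "Printer maintenance Friday",
     "body": "Reminder: the floor 3 printer will be offline for maintenance on Friday. "
             "Contact the help desk at ext. 4412 with questions."},
]


def triage(emails):
    """Return {message id: Verdict} for a list of subject/body dicts."""
    return {m["id"]: score_callback_phish(m["subject"], m["body"]) for m in emails}


if __name__ == "__main__":
    for mid, v in triage(SAMPLE_EMAILS).items():
        print(mid, v.score, "SUSPECT" if v.suspect else "ok", v.reasons)
```

Only msg-1 crosses the threshold; the legitimate receipt (msg-2) shares the billing wording but carries a link and no phone number, which is why the "phone but no URL" trait carries the most weight. Treat the score as a routing signal for human review or a banner, not an automatic block.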
What Can Your Enterprise Do Right Now?
Let’s keep this simple. Here’s what you can do today:
- Train Your Employees: Make sure your team knows what callback phishing sounds like. Role-play it. Quiz them. Repeat.
- Create a “How We Contact You” Policy: Set up a clear protocol for how your IT team reaches out. “We’ll never ask you to install software over the phone” should be the default.
- Disable Unnecessary Admin Rights: If a device doesn’t need admin rights, don’t grant them. This reduces what attackers can do once inside.
- Watch for Remote Tool Downloads: Flag any installs of WinSCP, Rclone, or new RMM tools that aren’t pre-approved.
- Back Up Like It’s Your Job: Maintain encrypted, offline backups of your most sensitive data. Test your restore process.
- Turn on MFA Everywhere: And not just for logins. Use it for file access, internal apps, and VPNs.
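The "watch for remote tool downloads" item above is the one that turns into a concrete detection. The Python below is an added example, not code from the article or the FBI, and scans process-creation events for the tools named on this page (Rclone, WinSCP, a Zoho Assist-style agent) against a pre-approved allowlist, then correlates per host so that "unapproved remote tool, then exfiltration tool" on the same machine stands out. The JSON-lines event shape, hostnames, file names, the `RMM_HINTS` name fragments and the `APPROVED_IMAGES` allowlist are all constructed assumptions to adapt to your own EDR or Sysmon telemetry.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Tools the FBI alert names for data theft.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
# Name fragments that suggest a remote-support agent (assumption: tune for your estate).
RMM_HINTS = ("zoho", "assist", "anydesk", "teamviewer")
# Assumption: the remote-management agent your IT team actually deploys.
APPROVED_IMAGES = {r"c:\program files\approvedrmm\agent.exe"}
# User-writable paths where a caller-guided install typically lands.
USER_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


def classify(event):
    """Return (severity, kind, reason) for a suspicious process, else None."""
    image = event["Image"].lower()
    name = PureWindowsPath(image).name
    if image in APPROVED_IMAGES:
        return None
    if name in EXFIL_TOOLS:
        return ("high", "exfil", f"{name} launched by {event['User']}")
    if any(h in name for h in RMM_HINTS):
        sev = "high" if any(d in image for d in USER_DIRS) else "medium"
        return (sev, "rmm", f"unapproved remote-access tool {name}")
    return None


def scan(lines):
    """Run classify() over JSON-lines process events; return the alerts raised."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        hit = classify(ev)
        if hit:
            sev, kind, why = hit
            alerts.append({"ts": ev["UtcTime"], "host": ev["Computer"],
                           "severity": sev, "kind": kind, "reason": why})
    return alerts


def hosts_matching_playbook(alerts):
    """Hosts where an unapproved remote tool ran and an exfil tool followed."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    flagged = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])  # ISO-8601 strings sort chronologically
        seen_rmm = False
        for a in items:
            if a["kind"] == "rmm":
                seen_rmm = True
            elif a["kind"] == "exfil" and seen_rmm:
                flagged.append(host)
                break
    return flagged


# Constructed Sysmon-like process-creation events; every value is invented.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-05-20T14:02:11Z", "Computer": "ws-01", "User": "CORP\\asmith",
     "Image": r"C:\Program Files\ApprovedRMM\agent.exe"},
    {"UtcTime": "2025-05-20T14:10:33Z", "Computer": "ws-07", "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\zoho_assist_setup.exe"},
    {"UtcTime": "2025-05-20T14:41:05Z", "Computer": "ws-07", "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe"},
    {"UtcTime": "2025-05-20T15:00:00Z", "Computer": "ws-03", "User": "CORP\\bwong",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"UtcTime": "2025-05-20T15:22:47Z", "Computer": "ws-12", "User": "CORP\\mlee",
     "Image": r"C:\Program Files\WinSCP\WinSCP.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["host"], a["severity"], a["reason"])
    print("hosts matching the callback-phishing sequence:", hosts_matching_playbook(found))
```

The approved agent on ws-01 is silent, the WinSCP launch on ws-12 is a single high alert worth checking against your approved-software list, and ws-07 is the one to escalate: a remote-support installer from a Downloads folder followed half an hour later by Rclone from a Temp directory is the sequence the article describes, and that correlation is what separates a noisy tool-name rule from a triage-ready signal.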
Final Thought
Luna Moth doesn’t use malware. They use people. Luna Moth is a wake-up call. Not just for law firms, but for any organization where trust can be exploited. Let’s stop treating cybersecurity like it’s only about tech. It’s also about people, how they think, how they react, and what they trust. And trust us, the attackers know that.