Cyber criminals dangle coronavirus-themed lures

Proofpoint Inc.
Friday, 03 April, 2020

Cyber criminals have expanded their coronavirus-themed attacks and are now preying on victims by playing on various conspiracy theories.

As Australia continues to work to contain the COVID-19 pandemic, threat actors are also working overtime using coronavirus-themed lures to convince people to click. To date, the cumulative global volume of coronavirus-related email lures represents the greatest collection of attack types — united by a single theme — that has been seen in years, if not ever.

Currently, attackers are using coronavirus themes for nearly all types of attacks, including (but not limited to) business email compromise (BEC), credential phishing, malware, and spam email campaigns. Threat actors are also actively abusing the names and logos of many companies and organisations within these campaigns in an attempt to manipulate recipients. Of particular note is the spoofing and brand abuse of national and international health organisations around the world, including the World Health Organization (WHO), the United States Centers for Disease Control (CDC), and Canadian and Australian national health organisations.

The targeting of these attacks has ranged from extremely broad to narrowly focused and campaign volumes have fluctuated between small and large. Attribution includes both well-known and unknown threat actors. Some of the well-known threat actors include TA505 and TA542. And while all industries have been targeted, Proofpoint has seen specific targeting of healthcare, education, manufacturing, media, advertising and hospitality organisations in certain campaigns.

Proofpoint expects attackers will continue to leverage coronavirus themes in their attacks for some time to come.

Campaign examples

Below is an example showing how threat actors are using coronavirus fears, and impersonating brands, to convince users to click. The message below claims to be from Australia HealthCare, a fake but plausible name for a national healthcare organisation and promises Coronavirus prevention tips. If a user were to click the link, they would be taken to a fake Adobe website to enter credentials. Below is an example of the lure:

An example of a fake COVID-19 email

For a clearer image, click here.

Threat actors also launched a campaign using an email lure that stokes conspiracy theory fears, that there is a cure for coronavirus, that isn’t being shared. One email claimed there is a cure being hidden by government entities because the virus is being used as a bioweapon. It then urges the recipient to receive further information on the ‘cure’ by clicking on the link provided in the email.

If the recipient clicks on the link, they are taken to a fake DocuSign website where they’re told they need to enter credentials to get the information.

Attackers are also subverting internal businesses’ credibility in their attacks. Proofpoint has seen a campaign that uses a coronavirus-themed email that is designed to look like an internal email from the company’s president to all employees.

This email is extremely well-crafted and lists the business’ president’s correct name. The messages contained a Microsoft Word attachment with an embedded URL that leads to a fake Microsoft Office website to enter credentials. Once the credentials are entered, the user is then redirected to the legitimate World Health Organization coronavirus information site, making the phishing transaction seem legitimate.

Overall, Proofpoint anticipates attackers will continue to leverage COVID-19 as it develops further worldwide and will also likely pursue potential targets who are now being asked to work from home. Its threat research team recommends users stay vigilant for malicious emails regarding remote access and fake corporate websites, all aimed at ensnaring teleworkers. When working remotely, be sure to use a secure Wi-Fi connection, protect your VPN log-in, use strong passwords, think twice about clicking on links and confirm all transactions are authentic.