Monthly Archives: March 2020

COVID-19 Phishing Emails

Beware of COVID-19 Phishing Emails

Several new COVID-19 phishing email campaigns have been detected over the past few days that are exploiting fear about the novel coronavirus pandemic to deliver computer viruses and steal sensitive information.

People are naturally worried about getting infected with the real virus, especially given the high fatality rate, so emails related to COVID-19 are likely to be opened.

Some of the phishing emails that have been intercepted are easy to identify as malicious: they are poorly written, with spelling mistakes and grammatical errors. Other campaigns have been expertly crafted, are highly convincing, and are likely to catch out many people.

The first COVID-19 phishing campaigns were detected in January and the number has steadily grown over the past few weeks. Many different threat groups are now using COVID-19 phishing lures to fool the unwary into disclosing credentials, visiting malicious links, or downloading malware.

The World Health Organization (WHO) has issued a warning after several phishing campaigns were detected that impersonated WHO. The emails claimed to provide essential information about cases in the local area along with advice on how to avoid infection. One of the most recently detected campaigns claimed to provide “Coronavirus Updates” with the emails containing a ZIP file attachment that appeared to be a PDF file – MYHEALTH.PDF. However, the file was actually an executable file – MYHEALTH.exe. If the file was opened, it triggered the download of GuLoader, which in turn downloaded Formbook malware from Google Drive. Another similar campaign included a Word attachment that downloaded the TrickBot Trojan, which is being used to deliver Ryuk ransomware as a secondary payload.

The Centers for Disease Control and Prevention is also being impersonated. One campaign claims the novel coronavirus had become an airborne threat and warns of new cases in the local area. The emails appear to have been sent from a legitimate CDC email account – CDC-Covid19[@]cdc.gov. The emails include an attachment titled “Safety Precautions” which appears to be an Excel spreadsheet, but it is actually a .exe executable file. Double-clicking on the file attachment triggers the download of a banking Trojan.
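Both campaigns above rely on an executable presented as a document, in one case inside a ZIP. The following mail-filter check is an added example, not code from the original article; the extension list, the archive name and the inert "MZ" stub in the sample are constructed assumptions.

```python
import io
import os
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows runs on double-click (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def looks_executable(name: str, head: bytes) -> bool:
    """Flag by the final extension, or by the 'MZ' magic of a Windows PE file."""
    ext = os.path.splitext(name.rstrip(" ."))[1].lower()  # Windows drops trailing " ."
    return ext in EXECUTABLE_EXTS or head[:2] == b"MZ"


def suspicious_attachments(raw: bytes) -> list:
    """Return 'attachment' or 'archive!member' names that are really executables."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        if looks_executable(name, data):
            findings.append(name)
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    head = b""
                    if not info.flag_bits & 0x1:  # encrypted members cannot be read
                        with zf.open(info) as member:
                            head = member.read(2)  # two bytes only, no full unpack
                    if looks_executable(info.filename, head):
                        findings.append(f"{name}!{info.filename}")
    return findings


def build_sample() -> bytes:
    """Constructed message: a ZIP named like a PDF holding an inert 'MZ' stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MYHEALTH.exe", b"MZ" + b"\x00" * 62)  # not a working program
    msg = EmailMessage()
    msg["Subject"] = "Coronavirus Updates"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="MYHEALTH.PDF.zip")
    return msg.as_bytes()
```

Checking the member names and magic bytes rather than the outer file name is what catches the ZIP case; a filter that only looks at the attachment name sees a harmless-looking archive.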

Email and text-based phishing campaigns are targeting UK taxpayers and impersonate HM Revenue and Customs (HMRC). The emails include a legitimate HMRC logo and advise the recipients about a new COVID-19 tax refund program. According to the emails, the refund program was set up in cooperation with National Insurance and National Health Services and allows taxpayers to claim back tax to help deal with the coronavirus pandemic. In order to receive the refund, the user is told they must supply their name, address, mother’s maiden name and their bank card number.

In the past few days, a web-based malware distribution campaign has been identified. Several websites are now displaying world maps and dashboards that allow people to track the spread of the virus and find out about the location of new cases. People are naturally concerned about cases in their local area, and the website maps are attracting a lot of visitors.

Shai Alfasi, a security researcher at Reason Labs, discovered several websites using fake versions of maps and dashboards. The websites prompt users to download an application that allows them to track infections in real-time. The application is an executable file that delivers the AZORult information stealer.

With COVID-19 infections increasing and showing no sign of slowing, COVID-19 phishing campaigns are likely to continue. Organizations should raise awareness of the threat of COVID-19 phishing attacks with their employees and ensure appropriate technical solutions are implemented to block web and email-based attacks.

Coronavirus scams leave UK victims seriously out of pocket

Victims of scams related to the coronavirus outbreak lost nearly €1 million in February, according to the UK’s fraud and cybercrime centre.

In a warning to the public, Action Fraud UK said fraudsters conned people out of more than £800,000 (€918,000) in the month, using the COVID-19 crisis to concoct phishing email scams.

It said since the start of February, 21 cases of fraud have been identified where coronavirus was mentioned.

Ten were reported by victims who were trying to buy facemasks from fraudulent sellers, with one victim losing more than £15,000 on a purchase of masks which was never delivered.

Others were victims of coronavirus-themed phishing emails, where people are tricked into opening malicious attachments or divulging login information.

Some fraudsters have been pretending to be from research organisations associated with the Centers for Disease Control and Prevention (CDC) and the World Health Organisation (WHO).

WHO has itself warned people of malicious emails appearing to be from the organisation.

“WHO is aware of suspicious email messages attempting to take advantage of the 2019 novel coronavirus emergency,” it says on its website, warning the emails ask for information such as usernames and passwords, or include malicious links or attachments.

How to steer clear of online scams

  • Don’t click on links or attachments in suspicious emails, says Action Fraud
  • Don’t reveal any personal or financial details in response to unsolicited messages or calls
  • WHO says you can verify the sender by checking the email address – an official WHO email will be sent only from an address ending in @who.int
  • Don’t feel under pressure to reveal any information – cybercriminals use emergencies such as coronavirus to scare people into making rash decisions
  • The WHO also advises that if you think you may have mistakenly given personal information to a scammer, you should change your credentials immediately
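The sender check in the list above can be automated at a mail gateway, and because a From address can be forged (as with the cdc.gov address in the CDC campaign described earlier on this page), it is paired here with the receiving server's DMARC result. This is an added example, not part of the original article; the sample messages, the address info@who.int and the authserv-id mx.example.org are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def sender_verdict(raw: str, expected_domain: str, trusted_authserv: str) -> str:
    """Classify a message that claims to come from expected_domain.

    trusted_authserv is the authserv-id of our own receiving mail server
    (hypothetical value in the samples). Authentication-Results headers
    written by anyone else are ignored, because a sender can add them.
    """
    msg = message_from_string(raw)
    _display, addr = parseaddr(msg.get("From", ""))  # ignore the display name
    domain = addr.rpartition("@")[2].lower()
    if domain != expected_domain:  # exact match, so who.int.example.net fails
        return "mismatch"
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue
        verdict = re.search(r"\bdmarc=(\w+)", results)
        if verdict and verdict.group(1).lower() == "pass":
            return "authenticated"
    return "unauthenticated"  # right domain in From, but nothing proves it


# Constructed sample messages (not real traffic).
LOOKALIKE = (
    'From: "World Health Organization" <updates@who.int.example.net>\n'
    "Subject: Coronavirus Updates\n\nbody\n"
)
FORGED_FROM = (
    "Authentication-Results: mx.example.org; spf=fail; dmarc=fail header.from=who.int\n"
    "From: WHO <info@who.int>\n"
    "Subject: Coronavirus Updates\n\nbody\n"
)
GENUINE = (
    "Authentication-Results: mx.example.org; dkim=pass header.d=who.int;\n"
    " dmarc=pass header.from=who.int\n"
    "From: WHO <info@who.int>\n"
    "Subject: Update\n\nbody\n"
)
```

Only the "authenticated" verdict supports treating the message as coming from the named organisation; "unauthenticated" means the From line shows the right domain without any proof behind it.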