SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Email attacks up 667% following rise of COVID-19 worldwide
Tue, 31st Mar 2020

Cyber criminals are taking advantage of greater vulnerabilities around the COVID-19 pandemic, with email attacks up 667%, according to new findings from Barracuda, the provider of cloud-enabled security solutions.

The company's Threat Spotlight report focuses on COVID-19 related phishing and highlights the steady increase in COVID-19 related email attacks since January, with a significant spike taking place at the end of February and into March.

According to the report, between March 1 and March 23, Barracuda Sentinel detected 467,825 spear phishing email attacks, and 9,116 of those detections were related to COVID-19, representing about 2% of attacks.

In comparison, a total of 1,188 coronavirus-related email attacks were detected in February, and just 137 were detected in January.

The attacks can be categorised into three main types: scamming, brand impersonation and business email compromise.

Of the COVID-19 related attacks detected by Barracuda Sentinel through March 23, 54% were scams, 34% were brand impersonation attacks, 11% were blackmail, and 1% were business email compromise.

Barracuda says phishing attacks using COVID-19 as a hook are becoming more sophisticated. In the past few days, Barracuda researchers have seen a significant number of blackmail attacks appearing and a few instances of conversation hijacking.

In comparison, until just a few days ago attacks were primarily scamming. Barracuda states they expect to see this trend toward more sophisticated attacks continue.

The goals of the attacks ranged from distributing malware to stealing credentials and financial gain. One new type of ransomware Barracuda's systems detected took on the COVID-19 name and called itself CoronaVirus.

Barracuda states that skilled attackers leverage emotions to elicit response to their phishing attempts, such as the ongoing sextortion campaigns, which rely on embarrassment and fear to scam people out of money.

With the fear, uncertainty and sympathy stemming from the COVID-19 situation, attackers have found some key emotions to leverage, Barracuda states.

For example, one blackmail attack claimed to have access to personal information about the victim, know their whereabouts, and threatened to infect the victim and their family with COVID-19 unless a ransom was paid.

Barracuda Sentinel detected this particular attack 1,008 times over the span of two days.

As for scams, the majority detected by Barracuda Sentinel were looking to sell coronavirus cures or face masks, or were asking for investments in fake companies that claimed to be developing vaccines. Another popular scam was donation requests for fake charities.

One example detected by Barracuda claims to be from the World Health Community (which doesn't exist but may be trying to take advantage of similarity to the World Health Organisation) and asks for donations to a Bitcoin wallet provided in the email.

Furthermore, a variety of common malware is being distributed through COVID-19 related phishing, especially modular variants that allow attackers to deploy different payload modules through the same malware, Barracuda states.

The first malware reported utilising the virus was Emotet, a popular banking Trojan, which went modular last year.

IBM X-Force discovered Emotet being distributed in Japanese emails claiming to be from a disability welfare provider.

The phishing emails contained a document which downloaded and installed Emotet when macros were enabled, currently a common practice for malware distribution.

LokiBot is another modular malware, which aims to steal login credentials and data and has been distributed in at least two different virus-related phishing campaigns that Comodo has tracked, Barracuda states.

One campaign used the premise of attached invoices, which contained LokiBot, but added an apology for the delay in sending the invoice due to COVID-19.

The other campaign claimed to be a news update and invited readers to 'just do this one thing', which contained a link to the malware.

Barracuda systems have seen multiple examples of emails using the invoice premise, which was detected more than 3,700 times.

Other notable information stealers capitalising on COVID-19 include AzorUlt, which is being distributed from a phishing site claiming to be a map of the outbreaks, and TrickBot, which is circulating among Italian phishing emails.

Finally, criminals are also targeting credentials, including sending out information-stealing malware to harvest credential information, and launching phishing attacks with links to fake login pages using COVID-19 as a lure.

One example that Barracuda systems detected claims to be from the CDC and attempts to steal Microsoft Exchange credentials when the malicious link is clicked.

Attackers commonly fake a wide variety of email login pages, targeting the email portal users are accustomed to when this mail server information can be scraped.

Other login pages are more generic or offer multiple options for provider, faking each login page, Barracuda states.

What can you do to protect yourself?

The company also offers solutions to help internet users protect themselves, especially when working and studying remotely during a time of heightened emotion and stress for some.

Barracuda states that while phishing emails leveraging coronavirus are new, the same precautions for email security apply.

According to the company, people should be wary of any emails attempting to get users to open attachments or click links.

Anti-malware and anti-phishing solutions can be especially helpful to prevent malicious emails and payloads from reaching intended recipients, but even with such protections in place caution should always be used since no solution catches everything.

Furthermore, watch out for any communications claiming to be from sources not normally engaged with as these are likely phishing attempts.

While receiving COVID-19 related emails from legitimate distribution lists is common, emails from organisations not regularly heard from should be scrutinised.

For example, the CDC would not send emails to anyone who doesn't regularly receive emails from them.

However, caution must also be exercised with emails from organisations regularly communicated with, as brand impersonation is quite prevalent in COVID-19 related email attacks, Barracuda states, especially in the healthcare industry.

When looking to give back, find credible charities and donate directly, the company states. A common tactic for COVID-19 related scams is asking for donations to help those affected by the pandemic.

To avoid falling victim to one of these attacks, don't respond to email requests for donations. Instead, donate directly with the charity or organisation. It's also highly unlikely that any legitimate charities are taking donations through Bitcoin wallets, so this is an immediate red flag.
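
The red flags described above (a lookalike sender name such as "World Health Community", a trusted brand name sent from the wrong domain, and a donation request that pays into a Bitcoin wallet) can be expressed as a simple mail-triage check. This is an added example, not code from Barracuda or the original article; the allow-list, threshold, function name and sample messages are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: organisations the recipient expects mail from, and their real domains.
KNOWN_ORGS = {
    "world health organization": {"who.int"},
    "centers for disease control and prevention": {"cdc.gov"},
}
# Legacy Base58 (1.../3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_ADDR = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
DONATION = re.compile(r"\b(donat\w*|charit\w*|contribut\w*)\b", re.I)

def triage(raw_email, name_threshold=0.6):
    """Return a sorted list of red flags found in one RFC 5322 message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = set()
    for org, domains in KNOWN_ORGS.items():
        # Display name equals or closely resembles a known brand...
        score = SequenceMatcher(None, display.lower(), org).ratio()
        # ...but the message does not come from that brand's domain.
        trusted = any(domain == d or domain.endswith("." + d) for d in domains)
        if score >= name_threshold and not trusted:
            flags.add("brand_impersonation")
    body = msg.get_payload()
    if isinstance(body, str) and DONATION.search(body) and BTC_ADDR.search(body):
        flags.add("crypto_donation_request")
    return sorted(flags)

# Constructed sample messages (addresses, domains and wallet string are made up).
SCAM = """From: World Health Community <relief@whc-fund.example>
Subject: COVID-19 solidarity fund

Please donate to help those affected. Send Bitcoin to
1AAAAConstructedSampAddrAAAA22 today.
"""
FAKE_CDC = """From: Centers for Disease Control and Prevention <alerts@cdc-gov.example>
Subject: New cases in your city

Sign in with your email account to view the updated list.
"""
LEGIT = """From: World Health Organization <news@who.int>
Subject: Situation report

The daily situation report is now available.
"""
```

The From header is trivially forged, so a check like this complements SPF, DKIM and DMARC evaluation rather than replacing it.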