Coronavirus and phishing attacks

Coronavirus Is Infectious For People And Their Technology 

Last updated on March 12, 2020
Amid overwhelming news coverage of the coronavirus, the outbreak now poses a threat not only to our health but also to our cybersecurity.

Phishing attacks are looking to exploit any public fears regarding the virus.

Online fraud is on the increase with billions lost per year as a consequence. “Of the 3 million identity theft and fraud reports received in 2018, 1.4 million were fraud-related, and 25 percent of those cases reported money was lost. In 2018, consumers reported losing about $1.48 billion related to fraud complaints, an increase of $406 million from 2017.”

How is the Coronavirus Phishing Attack Carried Out?

Attackers send emails appearing to be from legitimate health organizations with the latest facts about the coronavirus. The email you receive will likely ask you to open an attachment in order to view the latest statistics. According to a malware analyst at Kaspersky, Anton Ivanov,

“The coronavirus, which is being widely discussed as a major news story, has already been used as bait by cybercriminals. Now, the number of users whose devices have had malicious files named after the coronavirus on them has risen to 403 in 2020, with a total of 2,673 detections and 513 unique files distributed. While the numbers rose significantly compared to the initial statistics we have shared, this threat is still rather minimal.”

Worryingly, the attachment has often led to the installation of the AZORult information stealer, which allows its user complete owner anonymity and makes it very difficult to block the command and control server. In other cases, the attachments found in these emails have contained Emotet, which has been used to install malicious code as well as to search the victim’s computer for contact information.

Some botnets have even been used to install ransomware, with Emotet using the infected operating system to ensure that additional phishing emails are sent out with the goal of growing the botnet.

“In late January, IBM X-Force researchers discovered a first wave of phishing scams that targeted some regions in Japan to spread the Emotet Trojan, as well as other malware, by using malicious messages that appear to contain information about coronavirus.”

One email even reported that the coronavirus had just been discovered in Osaka, while another spoke of the Gifu region. The attack works because the cybercriminals use very specific warnings tailored to that particular region, so the victim is more likely to click on the attachment. Often, those emails end with a real postal address as well as a phone and fax number, making them seem even more legitimate.

Other phishing campaigns have been sent out by online criminals pretending to be from the World Health Organization (WHO). Users who click on the link provided within the email are asked to enter the username and password connected to their email address. Those who enter their details are actually sending them to the attackers.

Tatyana Scherbakova, a security researcher at Kaspersky, elaborates,

“We were detecting emails offering products such as masks leading to phishing websites or fake offerings of vaccines since the COVID-16 epidemic started. Yet lately we saw more elaborate spam campaigns that mimic the World Health Organization. Cybercriminals recognize the important role WHO has in providing trustworthy information about the coronavirus. Users receive emails allegedly from WHO, which supposedly offer information about safety measures to be taken to avoid infection. Once a user clicks on the link embedded in the email, they are redirected to a phishing website and prompted to share personal information, which ends up in the hands of cybercriminals. This scam looks more realistic than other examples we have seen lately”.

There is a spam campaign running rife in Italy, one of the countries hardest hit by the virus in Europe. The criminals have made their email click-worthy by writing the message in Italian, referencing known infections in Italy, including a fake reference from an Italian WHO official, and urging Italian citizens in particular to peruse the document.

“Because there are documented infections in your area […] we strongly recommend that you read the document attached to this message!”

Another coronavirus phishing campaign zeroes in on concerns about the effects of the virus on global shipping. Upon opening the attachment within the email, malicious code attempts to install AZORult malware.

“The Microsoft Word document that’s attached seeks to exploit a two-and-a-half-year-old Microsoft Office vulnerability (CVE-2017-11882) which leverages Equation Editor. This vulnerability has been used in malicious documents by multiple threat actors in multiple attacks over the past two-and-a-half years. Its use in this campaign likely points to its proven effectiveness in other attacks and the attacker’s belief that the industries they’re targeting are slow to deploy patches.

Once the document is opened it installs AZORult which is information-stealing malware we’ve seen since at least 2016. In late 2018, we also saw AZORult being used in sextortion scams with ransomware. In these attacks, we don’t see AZORult downloading ransomware currently. However, because of AZORult’s configurable nature and past use in conjunction with ransomware that remains a real threat.”

In addition to email phishing attacks, fake domains have spread, designed to look like those of legitimate world health organizations such as the Center for Disease Control (CDC). There has also been a spike in new websites originating in Russia claiming to have all the details regarding the virus, how to prevent it, or other public health information.

“An example of such a website is vaccinecovid-19.com,” according to Check Point. “It was first created on February 11, 2020, and registered in Russia. The website is insecure and offers to sell ‘the best and fastest test for Coronavirus detection at the fantastic price of 19,000 Russian rubles (about US $300).”

Chris Hazelton, the director of security solutions at Lookout, says that there has also been a rise in SMS phishing, or smishing, messages related to the coronavirus. One such attempt tries to get victims to click on a bogus alert warning about the virus being discovered in the Boston area, with those who click on the link being prompted to share their sensitive login credentials.

“This is the continued evolution of how malicious cybersecurity attackers are looking to trick targets into sharing personal, financial and business information,” Hazelton says. “These attacks are particularly effective when sent by channels that often trigger immediate responses from recipients – instant communication platforms such as SMS, iMessage, WhatsApp, WeChat, and others.”

Staying Ahead of the Coronavirus Online

All of these campaigns pose a significant risk to both organizations and individuals as they prey on the fear of people that are likely anxious for new updates regarding COVID-19 or even attempting to source protective gear such as hand sanitizers and masks.

To stay safe online, individuals should only open emails from trustworthy and reliable sources, and only after carefully studying their contents. If the email promises a magical cure for coronavirus or its content makes you even slightly suspicious, it’s probably because it has originated from a cybercriminal.

If you do download any files, make sure to pay attention to the file extension. For example, if you’re downloading a television show from a legitimate source, it should have either an .avi, .mkv or .mp4 extension, but never an .exe.
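The two checks above (does the sender really belong to the organization it names, and does the attachment carry an executable extension) can be automated when triaging a reported email. The following is an added example, not code from the original article; the sample message, the sender domain and the extension list are constructed assumptions.

```python
import email
from email import policy
from pathlib import PurePosixPath

# Assumption: organisations we expect health notices from, and their real domains.
TRUSTED_ORGS = {"world health organization": "who.int", "disease control": "cdc.gov"}
# Extensions that execute code when opened (illustrative, not exhaustive).
RISKY_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}

# Constructed sample message; the sender domain and file name are made up.
SAMPLE = """\
From: "World Health Organization" <alerts@who-safety.example>
To: user@example.org
Subject: Coronavirus safety measures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached document.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="safety_measures.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def triage(raw):
    """Return a list of warnings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    sender = msg["From"].addresses[0]
    name, domain = sender.display_name.lower(), sender.domain.lower()
    for org, real in TRUSTED_ORGS.items():
        # Display name claims the organisation, but the address is not on its domain.
        if org in name and domain != real and not domain.endswith("." + real):
            warnings.append(f"sender claims '{org}' but domain is {domain}, not {real}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(fname).suffixes]
        if suffixes and suffixes[-1] in RISKY_EXTS:
            kind = "double extension" if len(suffixes) > 1 else "executable"
            warnings.append(f"attachment {fname}: {kind} ({suffixes[-1]})")
    return warnings

if __name__ == "__main__":
    for w in triage(SAMPLE):
        print("WARNING:", w)
```

An extension check does not catch a malicious Word document such as the one exploiting CVE-2017-11882 described earlier; that case is addressed by deploying the Office patch.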

Make sure to use an antivirus program and keep it updated so it can ensure the wellbeing of your devices.

For businesses, it is important to have an effective reporting system allowing for new and any additional attacks to be identified. There should also be a designated response team and plan in place. This plan should contain a communications protocol that ensures prompt notification to any of your paying and receiving banks, the authorities as well as any relevant stakeholders.

Staff should be properly trained and understand the organization’s policies and procedures. They should be regularly educated about the latest cybersecurity risks, including those driven by major events such as the coronavirus.

All corporate devices should have appropriate security software, including mobile devices.

“We would encourage companies to be particularly vigilant at this time, and ensure employees who are working at home exercise caution. Businesses should communicate clearly with workers to ensure they are aware of the risks, and do everything they can to secure remote access for those self-isolating or working from home. In addition to the increase in remote working, we have also seen cybercriminals trying to piggyback on the virus, hiding malicious files in documents purporting to relate to the disease. So, with this opportunistic approach by criminals, coupled with changes to working habits, it’s wise for businesses to be extra vigilant at this time,” comments David Emm, principal security researcher, Kaspersky.

Conclusion To Coronavirus Phishing Attack

With the coronavirus being one of the biggest hot topics of the year, cybercriminals are taking advantage of the widespread fear in hopes of spreading various online malware and phishing attacks. These include fake emails from apparently legitimate organizations such as the World Health Organization. Users are lured with bogus new facts as well as warnings from authoritative figures of those organizations.

When clicking on provided links, users are then tricked into handing over sensitive information they wouldn’t otherwise part with. Individuals should remain aware of the latest online dangers with regards to COVID-19, and refrain from opening emails and email attachments from unknown sources.
