Researchers Describe a Wide Variety of Tactics
As fears about the coronavirus continue to spread, cybercriminals are using the health crisis to send phishing emails using a variety of tactics to a broader range of targets.
Some phishing campaigns are incorporating fake domains designed to look like the U.S. Centers for Disease Control and Prevention and the World Health Organization, researchers from Kaspersky and Sophos report.
Meanwhile, other cybercriminals are sending out phishing emails that use concerns over coronavirus-related disruptions to the global shipping industry to entice victims to open an attached Microsoft Word document that installs the AZORult information stealer, Proofpoint researchers report.
In late January, IBM X-Force researchers discovered a first wave of phishing scams that targeted some regions in Japan to spread the Emotet Trojan, as well as other malware, by using malicious messages that appear to contain information about coronavirus (see: Fake Coronavirus Messages Spreading Emotet Infections).
“The coronavirus as a topic is heating up among malefactors of various kinds, so expect to see other malicious campaigns using the deadly virus as bait,” Maria Vergelis, a security researcher with Kaspersky, notes in the company’s latest report.
As of Tuesday, the novel coronavirus had killed over 1,000 people and infected more than 43,000 worldwide, according to a research team at Johns Hopkins University.
Fraudulent CDC Messages
Kaspersky researchers, in a report released Friday, said cybercriminals are sending out phishing emails that contain domain names similar to those used by the Centers for Disease Control and Prevention. The attackers have incorporated the domain “cdc-gov.org” within their phishing emails, while the actual CDC domain is “cdc.gov,” according to the report. The lookalike is an ordinary .org registration in which a hyphen stands in for the dot of the real .gov suffix, so it passes a glance at the address without being a government domain at all.
These CDC-themed phishing emails encourage users to click on a link that contains details about new cases of coronavirus around where they live, according to Kaspersky. The link, portrayed as steering recipients to the CDC website, instead redirects to a fake website that looks like a Microsoft Outlook login page, where targets are asked to enter their username and password, according to Kaspersky.
Phishing email disguised as CDC message (Source: Kaspersky)
A slightly different version of the same email asks victims to donate bitcoins to help the CDC find a cure for coronavirus. But the CDC does not accept virtual currency, Kaspersky notes.
In another campaign, Sophos researchers observed cybercriminals sending out phishing emails that appeared to come from the World Health Organization. The emails urge the victims to click on a button and link to download a “document on safety measures regarding the spreading of coronavirus,” according to the Sophos report.
By clicking on the link in the email, victims are led to a webpage that looks similar to the WHO website but contains a popup screen asking users to verify the username and password associated with their email address, according to Sophos. As with the phony CDC website scam, if someone enters their credentials, the information is sent to the attackers.
Sophos says the cybercriminals made numerous spelling and grammar mistakes in their emails spoofing a message from WHO. In addition, the link used in the emails “seems to be a compromised music site with a weird name that doesn’t have any obvious connection to any well-known health organization,” according to the Sophos report.
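Both the CDC and the WHO lures share one checkable trait: the message names a health agency, but the sender domain or the link destination does not belong to that agency (a hyphenated imitation such as cdc-gov.org in the Kaspersky case, an unrelated compromised site in the Sophos case). The following Python script is an added example, not code from either vendor's report, that applies that check to constructed sample messages. The real domains cdc.gov and who.int are genuine; the subdomain login.cdc-gov.org, the host retro-beats-music.example, and the message texts are invented for the example, and the two-label "registrable domain" rule is a deliberate simplification.

```python
"""Flag coronavirus-themed lures that invoke a health agency while pointing
at domains the agency does not own.  Added example; heuristics are its own."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Real domains of the agencies impersonated in the reported campaigns.
LEGIT_DOMAINS = {"cdc.gov", "who.int"}

# Phrases that signal which agency a message claims to represent.  The
# bare "WHO" is matched case-sensitively so the pronoun does not fire.
ORG_PATTERNS = {
    "cdc.gov": re.compile(r"\bCDC\b|[Cc]enters for [Dd]isease [Cc]ontrol"),
    "who.int": re.compile(r"\bWHO\b|[Ww]orld [Hh]ealth [Oo]rgani[sz]ation"),
}


def registrable_domain(host: str) -> str:
    """Last two labels of a host name.  Assumption for this example: every
    public suffix is one label, which is wrong for co.uk and friends; a
    production filter would consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def collapse(name: str) -> str:
    """Drop dots, hyphens and case so cdc-gov, cdcgov and cdc.gov compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def lookalike_of(domain: str):
    """Return the legitimate domain that `domain` imitates by folding the real
    suffix into its own label (cdc-gov.org for cdc.gov), or None."""
    if domain in LEGIT_DOMAINS:
        return None
    label = domain.rsplit(".", 1)[0]          # "cdc-gov" from "cdc-gov.org"
    for legit in LEGIT_DOMAINS:
        if collapse(label) == collapse(legit):
            return legit
    return None


def claimed_orgs(text: str) -> set:
    return {org for org, pat in ORG_PATTERNS.items() if pat.search(text)}


def analyze(msg: dict) -> list:
    """msg = {"from": header, "subject": str, "body": str,
              "links": [(anchor_text, href), ...]} -> list of finding strings.
    Note: a forged From: header on a real agency domain is NOT caught here;
    that needs the SPF/DKIM/DMARC verdict, which this example does not model."""
    findings = []
    claimed = claimed_orgs(" ".join((msg["from"], msg["subject"], msg["body"])))
    _, addr = parseaddr(msg["from"])
    sender = registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    if sender not in LEGIT_DOMAINS:
        imitated = lookalike_of(sender)
        if imitated:
            findings.append(f"sender domain {sender} imitates {imitated}")
        elif claimed:
            findings.append(f"sender domain {sender} does not belong to claimed {sorted(claimed)}")
    for text, href in msg["links"]:
        dom = registrable_domain(urlparse(href).hostname or "")
        if dom in LEGIT_DOMAINS:
            continue
        imitated = lookalike_of(dom)
        orgs = claimed | claimed_orgs(text)
        if imitated:
            findings.append(f"link '{text}' -> {dom} imitates {imitated}")
        elif orgs:
            findings.append(f"link '{text}' -> {dom} is unrelated to claimed {sorted(orgs)}")
    return findings


# Constructed samples modelled on the reported lures (not the real emails).
SAMPLES = {
    "cdc_lure": {
        "from": "CDC <info@cdc-gov.org>",
        "subject": "New coronavirus cases in your city",
        "body": "The Centers for Disease Control lists new cases near you. Sign in to view.",
        "links": [("View cases on cdc.gov", "https://login.cdc-gov.org/owa/auth")],
    },
    "who_lure": {
        "from": "World Health Organization <alerts@who.int>",   # header spoofed
        "subject": "Safety measures",
        "body": "Download the document on safety measures regarding the spreading of coronavirus.",
        "links": [("Download document", "http://retro-beats-music.example/doc/safety")],
    },
    "legit": {
        "from": "CDC <alerts@cdc.gov>",
        "subject": "Coronavirus update",
        "body": "Latest guidance from the Centers for Disease Control.",
        "links": [("Guidance", "https://www.cdc.gov/coronavirus/")],
    },
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, analyze(sample) or ["no findings"])
```

The WHO sample shows why the link check matters independently of the sender check: with the From: header spoofed onto the agency's real domain, only the destination of the "download" link gives the lure away, which matches what Sophos observed.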
Global Shipping Scam
The Proofpoint report, meanwhile, found that cybercriminals from either Russia or another country in Eastern Europe have taken a different tack. They’re zeroing in on concerns around the potential effects that coronavirus may have on global shipping. These messages are targeted to industries such as manufacturing, finance and transportation, according to the report.
“These attacks take coronavirus-themed attacks in a direction people might not expect, away from health-related concerns and toward secondary, economic-related concerns, in this case the possible impact of coronavirus on global shipping,” Sherrod DeGrippo, a researcher at Proofpoint, writes in the report. “This underscores that the threat potential around coronavirus remains broad and everyone should exercise extra caution when dealing with coronavirus-themed emails, links and attachments.”
In the phishing email that Proofpoint found, the messages carry the subject line “Coronavirus – Brief note for the shipping industry.” The Word document attached to the email contains malicious code that attempts to install the AZORult malware, an information stealer that has been tracked by security firms since 2016, according to the report.