As enterprise workforces continue to transition to remote environments, online file sharing and cloud storage tools are becoming a frequent, if not necessary, means of collaboration. While abusing these types of platforms is nothing new to threat actors, the lures they use now take advantage of the novel coronavirus. The two examples below demonstrate how.
We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic.
In the first example, a global financial institution is targeted with a malicious link referencing COVID-19.
A malicious file is shared with the victim through a link on a popular file-hosting service.
Sender's address: no-reply@{redacted}.com.
By following the link to access the file, the victim is presented with a malicious document that reuses logos similar to those found in the platform's own emails and website in order to create a feeling of legitimacy:
hXXps://www.{redacted}.com/scl/fi/seqlhhc01c27s9t8639cw/(redacted)-(redacted)-2020-COVID.19-IPG735978024.pdf?dl=0&new_user=1&oref=e&r=ABLOA43Lu9leZH6KtXLT18yTWpYHjj0nErV_m78wD4IERfpFhoLZhBXOzLYRbiBLcRsJF-irkzwJKCKaF9yPbO1gbiA3J-bZq-iSfXw4hbO4aCCP7lH1plRLcleLb5WVr85nK1cuQ1zaotassHc3RHL68IpVP793scInSMuVYqgazc2bOJa0lvDHoRWtB2SsNkuREjXoJbTBPx-a9-4_AKpz&sm=1
If the victim follows the link to "Access your file", they are redirected to a credential theft site where they are prompted to enter their account information:
hXXps://storage(dot)googleapis(dot)com/westartcoding(dot)appspot(dot)com/O%20N%20%20B%20B%20%20D%20D%20ED%20R%20T%20%20O%20O%20K%20%20B%20B%20V%20D%20D%20WE%20%20T%20U%20I%20N%20B%20D%20E%20T%20%20%20I%20I%20J%20B%20V%20FDR%20T%20%20Y%20UI%20%20K%20JM%20N%20.HTML
The second example was observed targeting an international law firm.
Sender's address: [email protected]
The page has since been removed; however, based on the directory path, it led to a fake Microsoft Office login designed to steal account credentials: hXXps://ispydeal(dot).com/http/Office/SSL/Login/cmd-login=421b0bb34445aaeca8034a475d86fc55/fne35yyov5a8ktksml8pss4s.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email={redacted}@{redacted}.com&loginpage=&.rand=13InboxLight.aspx?n=1774256418&fid=4#n=1252899642&fid=1&fav=1.
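As an added illustration (not code from the PhishLabs post), the following script refangs the defanged URLs quoted above and checks them against a few defender-side heuristics drawn from these two cases: a credential page served as static HTML from public object storage, a filename padded with encoded spaces, a login-themed path carrying a 32-hex token, and the victim's address pre-filled in the query string. The storage-host list and the thresholds are assumptions for the example; note that the first-stage lure on the legitimate file-hosting service scores zero, so URL heuristics alone only catch the landing page, not the share link.

```python
import re
from urllib.parse import urlparse, unquote

# Assumed list of public object-storage hosts that serve arbitrary static HTML.
PUBLIC_STORAGE_HOSTS = ("storage.googleapis.com", "blob.core.windows.net", "s3.amazonaws.com")
HEX32 = re.compile(r"[0-9a-f]{32}", re.I)
LOGIN_WORDS = re.compile(r"login|signin|office|ssl|account", re.I)

# Samples: the three defanged URLs quoted in the post (redactions kept as in the original).
SAMPLES = [
    "hXXps://www.{redacted}.com/scl/fi/seqlhhc01c27s9t8639cw/(redacted)-(redacted)-2020-COVID.19-IPG735978024.pdf?dl=0&new_user=1&oref=e&sm=1",
    "hXXps://storage(dot)googleapis(dot)com/westartcoding(dot)appspot(dot)com/O%20N%20%20B%20B%20%20D%20D%20ED%20R%20T%20%20O%20O%20K%20%20B%20B%20V%20D%20D%20WE%20%20T%20U%20I%20N%20B%20D%20E%20T%20%20%20I%20I%20J%20B%20V%20FDR%20T%20%20Y%20UI%20%20K%20JM%20N%20.HTML",
    "hXXps://ispydeal(dot).com/http/Office/SSL/Login/cmd-login=421b0bb34445aaeca8034a475d86fc55/fne35yyov5a8ktksml8pss4s.php?rand=13InboxLightaspxn.1774256418&fid=1&email={redacted}@{redacted}.com&loginpage=#n=1252899642",
]

def refang(url: str) -> str:
    """Turn a defanged indicator (hXXps, (dot)) back into a parseable URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    # The post writes one host as "(dot).com"; collapse the stray dot as well.
    return re.sub(r"\(dot\)\.?", ".", url)

def assess(defanged: str) -> dict:
    """Return the heuristic findings for one URL and a score (one point per finding)."""
    u = urlparse(refang(defanged))
    host = (u.hostname or "").lower()
    path = unquote(u.path)
    findings = []
    if host.endswith(PUBLIC_STORAGE_HOSTS) and u.path.lower().endswith((".html", ".htm")):
        findings.append("static HTML served from public object storage")
    if u.path.count("%20") >= 10:  # threshold is an assumption
        findings.append("filename padded with encoded spaces")
    if LOGIN_WORDS.search(path) and HEX32.search(path):
        findings.append("login-like path carrying a 32-hex token")
    if re.search(r"(^|&)email=", u.query, re.I):
        findings.append("victim address pre-filled in query string")
    return {"host": host, "findings": findings, "score": len(findings)}

if __name__ == "__main__":
    for sample in SAMPLES:
        result = assess(sample)
        print(result["score"], result["host"], "; ".join(result["findings"]) or "no findings")
```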
The national workforce has seen a mass transition to remote work as a result of the pandemic, with some companies choosing to make the change a permanent one. With this, online file sharing services and collaboration tools are becoming a necessary part of internal communication for many organizations. As these examples have shown, threat actors are taking advantage of these changes, exploiting COVID-19 anxieties to steal employee credentials.
For more intelligence on COVID-19 threats, see our ongoing coverage.