In response to the financial difficulties resulting from COVID-19, many utilities have announced policy changes to suspend disconnects and provide relief to customers. As a result, many people are uncertain about what will happen should they be unable to pay their utility bills during the pandemic. As our latest example shows, this uncertainty is being exploited by threat actors.
We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic.
In this example, the threat actor is exploiting the victim's desire to know how their electric utility is responding to the coronavirus pandemic. The sender's address powerandlightinc9999@{redacted}(dot)com is meant to add legitimacy to the lure by giving the impression that it's coming from an electric utility. The subject and first heading mention coronavirus, but are vague. This tempts the recipient and forces them to click the link if they want more information.
When the recipient clicks “Review Document,” they are taken to a phishing page requesting Office 365 login credentials.
URL: hXXps://squally-bridge(dot)000webhostapp(dot)com/v9/v9/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=1e66b90154664ea406d4dbfa3140cf40d6828d426e261fbfedae50390e0f4dd0f9c20ad2
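As an added example (not PhishLabs code), the Python below refangs the indicator above and extracts the URL traits a mail or proxy rule could match on: the free-hosting parent domain, the per-site label, and the hex-blob query parameters. The function names and the FREE_HOSTING_SUFFIXES list are assumptions; only its one entry comes from this post.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a locally maintained list of free-hosting parent domains.
# Only this one entry comes from the post.
FREE_HOSTING_SUFFIXES = ("000webhostapp.com",)

# Indicator exactly as published in the post (defanged).
SAMPLE_IOC = ("hXXps://squally-bridge(dot)000webhostapp(dot)com/v9/v9/s/"
              "?signin=d41d8cd98f00b204e9800998ecf8427e"
              "&auth=1e66b90154664ea406d4dbfa3140cf40d6828d426e261fbfedae50390e0f4dd0f9c20ad2")


def refang(ioc: str) -> str:
    """Undo hXXp and (dot)/[.] defanging so the URL can be parsed."""
    s = re.sub(r"^h[xX]{2}p", "http", ioc.strip())
    return re.sub(r"[(\[](?:dot|\.)[)\]]", ".", s, flags=re.IGNORECASE)


def triage(ioc: str) -> dict:
    """Return the URL traits a mail or proxy rule could match on."""
    url = urlsplit(refang(ioc))
    host = (url.hostname or "").lower()
    # Match subdomains of a free-hosting parent, not the parent itself.
    parent = next((s for s in FREE_HOSTING_SUFFIXES if host.endswith("." + s)), None)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    empty_md5 = hashlib.md5(b"").hexdigest()
    return {
        "host": host,
        "free_hosting_parent": parent,
        "site_label": host[: -len(parent) - 1] if parent else None,
        # Parameters whose whole value is a long hex string.
        "hex_blob_params": sorted(k for k, v in params.items()
                                  if re.fullmatch(r"[0-9a-f]{32,}", v, re.IGNORECASE)),
        # Parameters whose value is the MD5 digest of an empty string.
        "empty_md5_params": sorted(k for k, v in params.items()
                                   if v.lower() == empty_md5),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_IOC).items():
        print(f"{key}: {value}")
```

On the published indicator, the signin value is reported under empty_md5_params: it is the MD5 digest of an empty string.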
There remain a significant number of utility companies that have been vague in their approach to this crisis. Cybercriminals mindful of end-of-month bills and financial anxieties are aware of the opportunity this presents and are taking advantage.
For more intelligence on COVID-19 threats, see our ongoing coverage.