A few weeks ago we noted some early examples of coronavirus phishing campaigns. Since then the pandemic has spread, and we have seen a dramatic uptick in COVID-19-themed malicious activity, from opportunistic domain registrations to phishing emails and full malware campaigns. Going forward we will publish more examples as we find additional methods cybercriminals are using to exploit the crisis.
Our most recent example of COVID-19 being used for malicious purposes is a socially engineered email attack that targets one of our clients' brands. The cybercriminals capitalize on the fear and uncertainty being promoted everywhere you look: a stock market freefall, an economy in question as bars and restaurants are ordered closed and schools are shut down. If you want to get someone's attention on the brink of a recession, in the middle of an international health crisis, what would the ideal topic be? Money, of course, and the bad guys know it.
The email a potential victim receives appears to be addressing something that employees unquestionably come to expect and oftentimes rely on: bonuses.
Posing as the HR department, the message urgently claims that, due to the coronavirus situation, bonuses will not be distributed as normal unless the recipient confirms the "statement" link provided in the email.
This lure is compelling because the potential victim is most likely acutely aware of how fluid the current situation is, and may skip the due diligence they would normally apply if skipping it means not risking cash they are entitled to. So, they click.
The link in the email is a SendGrid click-tracking redirect. The visible URL reveals nothing about where the victim ends up: the upn parameter is an opaque token, and the destination is only revealed when the redirect is followed. The full URL (defanged) is below:
hxxps://u9069481.ct.sendgrid[dot]net/ls/click?upn=pvoCvCz8YzWH2vugTomxgV2XVA3dQRHf3Rt-2BBgUdAyftcyfxmb6M44PNY9AXhcdORDdY-2B7n4TH8918k4mdYWbWz5J5KYDzxBwQrKr1UjdAATC-2F-2BjZwVfQpn-2B2FWEpe1a0U1zXM3cixbZfxLGf4pHE17UCwQLRKIU3LpP1B1vxdVh-2BfWQkD838NjdY6tmwB5qSdW3_6bXvVXz6vS8zXW9a7hlkxzAMr8GYHDKfXlb6C0J8C8TbTPPCi8KCqQw-2BxI4LGXP03rzcaFdBPuKgOy97gh7NAAiM9YgTDzAARxP-2BTR6CBuZxLsbjqSxIeakWvvYWstOuTV8NkvwdeZLQa-2Fi1do5h5XLhSSvOOyZ6i58wARwVytGykv8DxGGWeLyeXug-2B0bF8RkHp3aAdGYSionCk8WKvhlkdhBx8QnEp-2BDAj7bVRHoJgdDKUX070W0Su9Ok9828p
Following the redirect takes the victim to a docs.google.com page that serves an .exe acting as a TrickBot dropper. Both hops ride on legitimate, well-reputed services (SendGrid and Google Docs), which helps the link get past domain-reputation filtering.
Malicious File: Preview (1).exe
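The following is an added example, not part of the original write-up or any tooling from the analysts quoted above. It shows how an analyst would triage the link in a sample like this one: refang the defanged URL, recognise it as a SendGrid click-tracking redirect (the u-number subdomain identifies the sending account, and the upn token hides the destination), and resolve a single hop with a HEAD request that does not follow the redirect. The sample body below is constructed (a paraphrase of the lure, with the observed tracking host and a shortened upn token); the tracker table only contains the SendGrid pattern and is meant to be extended.

```python
import re
from urllib.parse import urlsplit, parse_qs
from urllib.request import HTTPRedirectHandler, Request, build_opener
from urllib.error import HTTPError

# Click-tracking / redirector hosts. Only the SendGrid pattern comes from the
# campaign above; this table is an assumption you would extend with your own data.
TRACKER_PATTERNS = {
    "sendgrid": re.compile(r"^(?P<account>u\d+)\.ct\.sendgrid\.net$", re.I),
}

# Matches both live and defanged (hxxp/hxxps) URLs in free text.
URL_RE = re.compile(r"\b(?:h[xt]{2}ps?://[^\s<>\"']+)", re.I)

def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.], [dot], (dot)) so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    return re.sub(r"\[\.\]|\[dot\]|\(dot\)", ".", url, flags=re.I)

def classify_link(url: str) -> dict:
    """Identify whether a URL is a known click-tracking redirect and what it hides."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    info = {"url": url, "host": host, "tracker": None, "account": None,
            "destination_visible": True}
    for name, pattern in TRACKER_PATTERNS.items():
        match = pattern.match(host)
        if match:
            info["tracker"] = name
            info["account"] = match.group("account")
    if info["tracker"] == "sendgrid":
        query = parse_qs(parts.query)
        # The upn value is an opaque token: nothing in the URL tells you the
        # landing page; only following the redirect does.
        info["destination_visible"] = not ("upn" in query and parts.path == "/ls/click")
    return info

def triage_body(body: str) -> list:
    """Pull every URL out of an email body and classify each one."""
    return [classify_link(u) for u in URL_RE.findall(body)]

class _NoRedirect(HTTPRedirectHandler):
    # Returning None makes urlopen raise HTTPError on a 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def resolve_once(url: str, timeout: float = 10.0):
    """Fetch one hop with HEAD and return the Location header without following it.

    Run this only from an isolated analysis host: the request hits the
    attacker's tracking link and records that the link was opened.
    """
    opener = build_opener(_NoRedirect)
    try:
        opener.open(Request(refang(url), method="HEAD"), timeout=timeout)
    except HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise
    return None  # 2xx with no redirect: the tracker answered directly

# Constructed sample body paraphrasing the lure; the tracking host is the one
# observed in the campaign, the upn token is shortened.
SAMPLE_BODY = """Dear Employee,

Due to the Corona Virus situation, bonuses will not be paid as normal unless
you confirm your statement here: hxxps://u9069481.ct.sendgrid[dot]net/ls/click?upn=pvoCvCz8YzWH2vugTomxgV2XVA3dQRHf

Regards,
HR Department
"""

if __name__ == "__main__":
    for hit in triage_body(SAMPLE_BODY):
        print(hit)
```

Running the script prints one hit: host u9069481.ct.sendgrid.net, tracker sendgrid, account u9069481, destination_visible False. The account id is worth recording as an indicator because the same SendGrid account tends to be reused across a campaign even when the upn tokens differ; resolve_once is deliberately not run here, since it contacts the live link.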
The sender's address is [email protected], which indicates the sending domain (or a mailbox on it) is compromised. Before concluding that, check that the message actually authenticated for that domain: a From address alone can be forged freely, and only the SPF, DKIM and DMARC results recorded by the receiving gateway distinguish a compromised sender from a spoofed one.
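As an added example (not code from the original post), the check described above: parse the Authentication-Results header that your own gateway stamped on the message, and decide whether the From domain really sent it (SPF or DKIM pass aligned with the From domain, pointing to a compromised account or domain) or was merely spoofed. Both sample messages are constructed, using the reserved example.org domain, and the gateway name mx.receiver.example is an assumed authserv-id; the real sender domain from the campaign is not reproduced here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(addr: str) -> str:
    """Domain part of an address like 'HR <hr@example.org>', lower-cased."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results header (RFC 8601) into {method: (result, props)}."""
    clauses = [c.strip() for c in header.split(";")]
    results = {}
    for clause in clauses[1:]:  # clauses[0] is the authserv-id
        m = re.match(r"(spf|dkim|dmarc|arc)=(\w+)(.*)", clause, re.I)
        if not m:
            continue
        method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        props = dict(re.findall(r"([\w.]+)=([^\s;()]+)", rest))
        results[method] = (result, props)
    return results

def assess_sender(raw_message: str, trusted_authserv: str) -> dict:
    """Decide whether the From domain actually sent the mail or was merely spoofed.

    Only the Authentication-Results header written by your own gateway
    (trusted_authserv) is believed: the header is plain text, so a forwarded or
    attacker-supplied sample can carry a forged one.
    """
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    auth = {}
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";", 1)[0].strip().lower() == trusted_authserv.lower():
            auth = parse_auth_results(header)
            break
    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    dmarc_result, _ = auth.get("dmarc", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").rsplit("@", 1)[-1].lower()
    dkim_domain = dkim_props.get("header.d", "").lower()
    # Strict alignment: the authenticated domain must equal the From domain.
    # (Relaxed DMARC alignment would also accept subdomains; kept strict here.)
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain == from_domain
    likely_compromised = spf_aligned or dkim_aligned
    verdict = ("authenticated for the From domain: the mail really left that domain's "
               "infrastructure, pointing to a compromised account or domain"
               if likely_compromised else
               "not authenticated for the From domain: the address may simply be spoofed")
    return {"from_domain": from_domain, "spf": spf_result, "dkim": dkim_result,
            "dmarc": dmarc_result, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "likely_compromised": likely_compromised,
            "verdict": verdict}

# Constructed samples: same lure, two very different sender situations.
COMPROMISED_SAMPLE = """\
Authentication-Results: mx.receiver.example; spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=hr@example.org; dkim=pass header.d=example.org header.s=sel1; dmarc=pass header.from=example.org
From: HR Department <hr@example.org>
Return-Path: <hr@example.org>
Subject: Urgent: confirm your bonus statement (COVID-19)

Body omitted.
"""

SPOOFED_SAMPLE = """\
Authentication-Results: mx.receiver.example; spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=bounce@mailer-bulk.example; dkim=none; dmarc=fail header.from=example.org
From: HR Department <hr@example.org>
Return-Path: <bounce@mailer-bulk.example>
Subject: Urgent: confirm your bonus statement (COVID-19)

Body omitted.
"""

if __name__ == "__main__":
    for sample in (COMPROMISED_SAMPLE, SPOOFED_SAMPLE):
        print(assess_sender(sample, "mx.receiver.example")["verdict"])
```

The distinction matters for response: an aligned pass means notifying the owning organization that their account or mail server is being abused (and, in this campaign, that their domain reputation is being spent on a TrickBot lure), whereas a spoofed From is handled entirely on the receiving side with DMARC enforcement and display-name rules.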
Like many phishing emails, the one above carries red flags, including the grammar and the implied urgency, that could lead a potential victim to question the authenticity of the message. But given the fear and the many unanswered questions surrounding the coronavirus, cybercriminals are in a unique position to exploit COVID-19 more successfully than they usually could. Some data and monetary loss is inevitable.
On a larger scale, the World Health Organization (WHO) and the Federal Trade Commission (FTC) have been impersonated in campaigns so far, as has the U.S. Centers for Disease Control and Prevention (CDC), where the cybercriminals went as far as to request Bitcoin donations to fund a fake vaccine.
These targeted attacks are likely to increase for as long as the outbreak grows. With seemingly endless opportunities to impersonate organizations and agencies involved in the response, many countries have warned of scammers preying on individuals looking for guidance.
Additional Resources: