By this time, most everyone in the world has heard about COVID-19, a global outbreak that is commonly referred to as the Coronavirus. With growing fear and a lack of information, the stock markets have dropped to lows we haven't seen in years, and organizations everywhere are putting together contingency plans. Like most global events, this scenario creates a perfect opportunity for threat actors to abuse the situation.
Why? Because:
- The pandemic has people in a state of fear and irrationality;
- The event is recognized worldwide, which means anyone with internet connectivity is a potential target;
- End-users are hungry for updates from their company, the media, or third parties regarding the Coronavirus, thus adding a sense of legitimacy to the messages sent by threat actors.
PhishLabs has observed multiple threat campaigns using Coronavirus to lure victims. The two examples below illustrate common ways threat actors are exploiting it.
Example 1
Our first example shows a lure that targets the general population by abusing the CDC name.
Visually, the link appears to go to a CDC site; however, mousing over it shows what the sender's true intention is.
The link actually goes to hXXps://www.farahii{dot}com/corona/owa.php, which is a compromised ecommerce site. The phishing site has since been mitigated. The email was sent from nationalhealthcenter@gravitt{dot}net, an address created on a compromised domain belonging to someone associated with churches in Ohio.
Beyond WHO, the CDC is considered one of the primary sources of current information associated with the pandemic, which makes this lure highly concerning. In the lure, the threat actor has posted a link which they claim has an updated list of Coronavirus cases in areas around your city. With a pandemic that spreads as quickly as this one has, most people are going to be curious and want to know just how bad it is in their surrounding area.
Example 2
As the outbreak grows, we have seen multiple attacks using the threat of the Coronavirus in an attempt to get end-users to click on a URL or respond to the threat actor directly. As you can see in the example above, this lure poses as an absence census (loose translation) in the midst of the Coronavirus. This could be an effective lure on a couple of different levels.
The first is that it isn't something that would necessarily surprise an employee to receive right now. With Coronavirus being highly contagious and not preventable, many employees are planning on working from home until we have more information about how dangerous it is and have vaccines to protect us. In addition to this, many people may let curiosity get the best of them and click the link to find out if anyone in their organization has the Coronavirus. Top this all off with the fact that this attack is using a legitimate Microsoft program (Office Forms) and you can see how an unsuspecting victim could think this was a legitimate message.
The link in question led to the following URL:
hXXps://forms.office{dot}com/Pages/DesignPage.aspx#FormId=pSCNckQL3UeUcCDzfL8tmlauPpJZd6hHiWrIh3YjTW1UQzlIMDFNN0k2WFhPWVZSRU9FVFBYUFc2Ui4u&Analysis=true
And the sender was maccount@microsoft{dot}com.
As you can see, the threat actor is using actual Microsoft programs for the entire attack. In place of a phishing site, Office Forms is used to host the content, which then sends out an email that uses a legitimate Microsoft email address to appear as the sender.
One thing to point out about both of these lures: neither of them is beautifully crafted to imitate a government agency or any specific company. However, that is the beauty of using a worldwide pandemic as your lure: it doesn't have to be. The inherent fear and urgency associated with Coronavirus in everyday life are all that is necessary, and threat actors are aware of this and ready to take advantage. If the virus continues to spread, it's important to keep this in mind and expect to see an increased number of emails around this topic. If things keep trending the way they are, fear and panic will continue to grow, and as fear grows threat actors are always ready to jump on a malevolent opportunity.