Latest Phishing Campaigns Spoof Federal Reserve, SBACybercriminals Pivoting to Economic Stimulus Lures
Some fraudsters have pivoted from using the COVID-19 pandemic as a phishing lure to creating messages and malicious domains designed to capitalize on various U.S. economic stimulus programs.
See Also: A Toolkit for CISOs
In addition to several new research reports from security firms, some U.S. attorneys offices and FBI offices have been issuing warnings. Plus, the U.S. Treasury Department has warned about fraud and security concerns as more than $300 billion in direct payments are sent to American citizens (see: Economic Stimulus Payments: A Fraud Target).
The latest phishing campaigns include email messages and domains designed to spoof the U.S. Federal Reserve as well as the Small Business Administration, which is overseeing the Payroll Protection Program to help funnel loans to small businesses that have been disrupted due to the COVID-19 crisis.
"We have seen an increase in phishing attacks since the coronavirus pandemic started last month," says Dave Baggett, CEO of security firm that Inky, which discovered a Federal Reserve-themed phishing campaign. "Normally it's the same phishing techniques with coronavirus content, but this Federal Reserve impersonation is unique."
Federal Reserve Targeted
In the Federal Reserve spoofing campaign, the phishing emails contained a link that led to a malicious domain that included legitimate logos and information from the White House, the Centers for Disease Control and Prevention and the Federal Emergency Management Agency, Inky reports. In addition, the fraudsters copied and pasted the Economic Impact Payment FAQ webpage from the IRS and incorporated it in the malicious domain to give it a further sheen of legitimacy.
If the targeted victim clicked one section of the malicious domain called "economic impact payment," they were presented with a list of banks that also included realistic-looking logos. Some of the financial institutions listed included Wells Fargo, Chase, Bank of America, TD Bank and the Navy Federal Credit Union, according to the Inky report.
If the victim clicked on one of these banking logos, they were asked to input credentials into a log-in page, but would receive an error message, claiming that the wrong data was provided. In reality, the credentials were sent to the attackers.
This campaign, which started around April 16, has since stopped. It's not clear if any of the attacks were successful, Baggett says, calling it one of the most sophisticated phishing lures he's ever seen
In another phishing campaign that started around the same time, cybercriminals began sending out messages that appeared to originate with the Paycheck Protection Program, which was created through the $2.2 trillion stimulus bill, known as the CARES Act and is administered through the SBA, according to the security firm Abnormal Security
Legislation providing the Paycheck Protection Program with an additional $320 billion was signed into law by President Trump Friday.
The email message in this phishing campaign tells victims that their signature is needed on a document entitled "PPP_CARES_SignaturePG1-2," and contains a link to a webpage that supposedly has more information, according to the Abnormal Security report.
That link takes victims to a domain that appears to resemble a log-in page for Microsoft Office 365. If victims input their credentials into the fields, those are then harvested by the attackers, according to the report.
Meanwhile, IBM X-Force reports a 6,000 percent increase in COVID-19-related spam it has tracked since March 11, when the World Health Organization first declared the global pandemic (see: WHO Reports 'Dramatic' Increase in Cyberattacks).
This spam not only includes messages about COVID-19, but also messages spoofing the SBA and other agencies and referencing the stimulus programs.
"Cybercriminals are being very calculated with their attacks and continue to pivot their tactics to lure victims," th IBM report states. "In fact, IBM X-Force saw that more than 50 percent of all COVID-19-related spam observed since the onset of the pandemic was sent in the two first weeks of April alone, coinciding with when the U.S. small business relief loan program became available and stimulus checks started being issued."