Phishing Campaigns Tied to Coronavirus Persist
UN's World Health Organization Warns of Fraud Attempts
As the coronavirus generates headlines around the world, cybercriminals are continuing to use this public health crisis to spread phishing emails and create malicious domains for a variety of fraud schemes.
The most recent example comes from the World Health Organization, a United Nations unit, which warned this week that fraudsters have started to use its name and images as part of phishing attacks and other scams.
"If you are contacted by a person or organization that appears to be from WHO, verify their authenticity before responding," according to a warning posted on the WHO website. "WHO is aware of suspicious email messages attempting to take advantage of the 2019 novel coronavirus emergency."
The warning from WHO confirms earlier reports from security firms such as Sophos that scammers were attempting to use images, graphics, and realistic-looking domains as part of various phishing and other malicious campaigns. In addition to spoofing WHO, researchers say fraudsters are also spoofing the U.S. Centers for Disease Control and Prevention (see: More Phishing Campaigns Tied to Coronavirus Fears).
In a campaign that Sophos uncovered earlier this month, a phishing email with coronavirus as a lure leads victims to a webpage that looks similar to the WHO website but contains a popup screen asking users to verify the username and password associated with their email address. If someone enters their credentials, the information is sent to the attackers, according to the report.
As of Wednesday, the novel coronavirus, also known as Covid-19, has led to the deaths of over 2,000 people and infected more than 75,000 worldwide, according to a research team at Johns Hopkins University.
Earlier this week, IBM announced that it would withdraw from the 2020 RSA Conference in San Francisco over concerns about the coronavirus, but the show is still slated to kick off on Monday, Feb. 24. Those same health concerns led to the cancellation of the Mobile World Congress expo in Barcelona and delays of several other tech shows (see: IBM Exits RSA Conference 2020 Over Coronavirus Worries).
On Tuesday, security firm Check Point published a report about a spike in the number of domains being registered related to coronavirus. Researchers noticed an increase in new websites from Russia that claim to have details about the virus, how to prevent it and other public health information.
"An example of such a website is vaccinecovid-19.com," according to Check Point. "It was first created on February 11, 2020 and registered in Russia. The website is insecure and offers to sell 'the best and fastest test for Coronavirus detection at the fantastic price of 19,000 Russian rubles (about US $300).'"
This website also claims to offer a heat map and other information, but Check Point researchers noticed numerous spelling mistakes and sections where the designers didn't finish their work. "Many of these domains will probably be used for phishing attempts," the report adds.
Other security firms have spotted coronavirus-related schemes. Chris Hazelton, director of security solutions at cybersecurity firm Lookout, tells Information Security Media Group that he's seen examples of coronavirus-related SMS phishing or "smishing" messages, including one that attempts to get victims to click on a fake alert that warns about an outbreak in the Back Bay section of Boston. If someone clicks, they are taken to a malicious website where attackers attempt to steal their credentials.
"This is the continued evolution of how malicious cybersecurity attackers are looking to trick targets into sharing personal, financial and business information," Hazelton says. "These attacks are particularly effective when sent by channels that often trigger immediate responses from recipients - instant communication platforms such as SMS, iMessage, WhatsApp, WeChat and others."
Meanwhile, other cybercriminals are sending out phishing emails about the coronavirus to the global shipping industry to entice victims to open an attached Microsoft Word document that installs the AZORult information stealer, Proofpoint researchers report (see: More Phishing Campaigns Tied to Coronavirus Fears).
In late January, IBM X-Force researchers discovered a first wave of phishing scams that targeted some regions in Japan to spread the Emotet Trojan, as well as other malware, by using malicious messages that appear to contain information about the coronavirus (see: Fake Coronavirus Messages Spreading Emotet Infections).