Phishing on behalf of the coronavirus

That's all we needed: As if the effects of coronavirus on everyday life are not bad enough, cybercriminals are now using the virus as bait in various phishing campaigns. Numerous security companies are reporting a vast increase in mails that try to exploit the fear and insecurity surrounding the coronavirus in some way. The attackers exploit several factors. In addition to the general fear of the virus and the willingness of individuals to engage with official or threatening messages and instructions, many employees are in a home office/remote work situation for the first time. They do not know the processes, may have never dealt with IT helpdesks and are susceptible to spear phishing and ordinary phishing due to the lack of routine.

While cybercriminals are known to adapt to seasonal topics for example on Christmas or other holidays, the speed and thoroughness with which the campaigns have been adapted is impressive. For example, F-Secure describes that many of the campaigns used regular news messages as a model, initially targeted Japanese consumers, and sometimes occurred only 24 hours after the official news messages appeared. This included both spam and phishing campaigns. Because the outbreak of Corona has led to a worldwide shortage of medical supplies, spam is currently focused on protective masks, disinfectants and alleged miracle vaccines to fight infection. Hundreds of shady websites are filled with discounts and special prices for the allegedly last remaining face masks or disinfectants. Cybercriminal marketplaces, where drugs, weapons and pornography are commonly traded, are also participating in this business. As usual, spam should ALWAYS be ignored. Anyone who buys is very likely to pass on their means of payment to criminals, will probably not receive anything in return and any products delivered may be counterfeited or inferior quality.

Another security provider, Cynet, has investigated the situation in Italy, where criminals mainly use malware to collect credentials. The attacks almost tripled between January and March. The situation is similar in other European countries and the USA: Wherever corona cases occur, phishing campaigns are close behind. The urge to open an Excel file that contains alleged test results is very great in the current situation. But other methods are also popular with phishers. Very often links to fake health advice and "How to protect yourself from corona" PDFs are used to lure users in. This is intended to introduce malware and to tap user data. Trade in related malware and has already begun in the marketplaces on the Dark Web. A new COVID-19 phishing campaign was promoted in a criminal forum in February. For the price of $200, users were able to purchase a digital world map that tracks the spread of the virus. The graphic uses real-time data from the WHO and looks similar to the John Hopkins Institute website while installing malware onto the computer when downloaded.

The number of domains registered in connection with COVID-19 has also increased significantly since the beginning of the year: Security provider Digital Shadows has identified over 1,400 such domains in the last three months. The majority of them are legitimate, but some are likely to have fraudulent intentions. The consequences can already be felt now: Earlier this month, the National Fraud Intelligence Bureau (NFIB) reported over 21 cases of COVID-19 fraud campaigns and damage of over €90,000.

False reports about the coronavirus spread primarily via social networks and private news platforms. Even if false information is not always deliberately shared and does not always pursue financial motives, it still contributes to spreading panic, aggravating supply bottlenecks and promoting dangerous DIY protection measures. Very few formulas for the production of homemade hand disinfectants are actually effective, some of them can even lead to health damage such as skin injuries.

Corona phishing is no different from phishing with Christmas emails or any other bait. The same security precautions still apply to users:

  • Share as little of yourself as possible on social networks. Successful phishing is based on facts.
  • Pay attention to awareness training offered by your employer The best advice is still: Think first, then click.
  • Use two factor authentication when it is offered.
  • Actively ask your employer how to handle suspicious emails. Should you forward the email? Or take a screenshot? Who is the right person to contact?

Companies can also proactively use monitoring tools to search for fake websites using similar domain names and block or remove such websites from the Internet. In addition, all feasible security features on mail servers such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) should be enabled.