Phishers Continue to Capitalize on Covid 19 Emergency

They say that every cloud has a silver lining. That has certainly been true for cyber-criminals during the Covid 19 emergency! While the country as a whole is experiencing 20% unemployment and general hardship, these folks continue to reap the rewards chaos inevitably brings to the larcenous. Here are some of the shenanigans that have darkened the news this week:

One article this week talks about “Hack for Hire” groups in India that are spoofing World Health Organization (WHO) emails to steal access credentials from businesses around the world (including the U. S.). These hacking emails come from hosted websites that are crafted to look like the official WHO website, and claim to provide direct notification from the WHO on Covid 19-related announcements. They are targeting financial services, consulting and healthcare organizations.

Another recent article discusses job applications containing Excel attachments masquerading as curriculum vitae. Businesses that click on these attachments are infected by a macro in the file that downloads Zloader malware on the system. Zloader stems from Zeus malware which tries to steal banking passwords and other financial data which could allow attackers to perform bogus financial transactions.

Similarly, another campaign is using medical leave forms to deploy a different banking Trojan. The subject line in these emails says that the email is a new employee request form for leave within the Family and Medical Leave Act. These email messages contain Microsoft Word attachments with names such as “Covid 19 FLMA center.space.doc.” Opening these attachments triggers a macro that launches IcedID malware which is another banking Trojan that attempts to steal financial data.

Another article this week states that phishers are impersonating companies’ IT support team and sending fake VPN configuration change notifications in the hopes that remote employees may be tricked into providing their Office 365 login credentials. It goes on to state that the phishers are betting on the high possibility that the recipients are working from home and need to use VPN for work-related tasks. In these emails, the original email headers show that the email has not been sent from the recipients’ organization, but the sender email has been spoofed to say it has.

All of the examples above show the need for continued vigilance by system users. In this climate, users should be suspicious of all the emails they receive. If in any doubt at all, users should not open the email. If the email looks like something they need to address, users should ensure that the messages are legitimate. One way to do this is to always be sure to check on the validity of the sender and links contained in the email. To do this, users can hover over the “from” display name and make sure it is really from the purported sender. When doing this, they should make sure to look for differences from the legitimate website name and the email they have received. Often, website names look legitimate but contain misspellings that the eye just skips over. For example, it is common for phishers to replace an “m” with an “rn” or to switch a lower case “L” with a number “1.” Only a slight change in the address is enough to ensure that the email is actually going somewhere else than the user thought it was.