Alternative News

Phishing in the Time of COVID-19: How to Recognize Malicious Coronavirus Phishing Scams


By Daly Barnett and Soraya Okuda

For malicious people, preying on collective fear and
misinformation is nothing new. Mentioning national headlines can
lend a veneer of credibility to scams. We’ve seen this tactic time
and again, so it’s no surprise that COVID-19 themed social media and
email campaigns have been popping up online. This blog post provides an
overview to help you fight against phishing attacks and malware,
examples of phishing messages we’ve seen in the wild related to
coronavirus and COVID-19, and specific scenarios to look out for
(such as if you work in a hospital, are examining maps of the
spread of the virus, or are using your phone to stay informed).

Avoiding phishing attacks

The COVID-19 themed scam messages are examples of
“phishing,” in which an attacker sends a message, email,
or link that looks innocent but is actually malicious and designed
to prey on fears about the virus. Phishing often involves
impersonating someone you know or impersonating a platform that you
trust. Your day-to-day diligence is the best preventative measure.
Consider these points before you click: Is it an enticing offer?
Is there a sense of urgency? Have you interacted with the sender
before over this platform?

If an email sounds too good to be true (“New COVID-19
prevention and treatment information! Attachment contains
instructions from the U.S. Department of Health on how to get the
vaccine for FREE”), it probably is. And if an email demands
urgent action from you (“URGENT: COVID-19 ventilators and
patient test delivery blocked. Please accept order here to
continue with shipment.”), take a moment to slow down
and make sure it’s legitimate. Keep in mind that legitimate
sources of health information likely won’t use unsolicited email
or text messages to make announcements. Some examples of phishing
emails (ones that we’ve received and you might similarly
encounter) are included at the bottom of this post.

Image: It seems like an email from Gates Foundation. Upon looking closer, the email is actually from Gates Fonudation.

In the above email, note that the domain sending this “Gates
Foundation” email includes a subtle typo. Phishing emails such as
this one expect readers to see only the display name, without the
email address beside it. Take care to look at the email address that
the message actually originates from.

Some common-sense measures to take include:

  • Check the sender’s email address. Are they who they
    claim to be? Check that their contact name matches the actual email
    address they’re sending from.
  • Try not to click or tap! If it’s a link and you’re
    on a computer, take advantage of your mouse’s hover to closely
    inspect the domain address before clicking on it.
  • Try not to download files from unfamiliar people. Avoid
    opening attachments from any external email addresses or phone
    numbers.
  • Get someone else’s opinion. Ask a coworker: Were we
    expecting an email from this sender? Or ask a friend: Does this
    email look strange to you? A good practice is to use a different
    medium to verify (for example, if you receive a strange email
    claiming to be your friend, try calling your friend over the phone
    to double-check that it’s from them).

For more tips, such as important preventative measures against these
attacks, like backing up your data and updating your
software, check out our Security Education Companion
printable handout on malware and phishing, which is included at
the end of this article.

Specific Scenarios to Watch For

Sometimes, malicious actors use phishing messages to get you to
log into a service. They might provide a website that looks like a
social media service you use, a service you use for work, or a
critical website you use for payments and banking. However,
sometimes, phishing messages are used to get you to download
malware, or malicious software. We’ve included some more
specific scenarios where we’ve seen COVID-19 themed phishing
attacks and malware below.

Hospitals and Healthcare Workers at Risk

Hospitals in New York are notifying their staff about incoming
cyber attacks, and have cited a few different common attack types
that have already appeared, including:

  • a phishing email from a sender purporting to represent a
    well-known organization like the World Health Organization
    (WHO)
  • a phishing email claiming to be from the Centers for Disease
    Control and Prevention (CDC), providing vital information about how
    to prevent and treat COVID-19

Some emails will carry attachments such as PDFs or Word document
files that promise to carry that vital information, but actually
have embedded malicious code that will infect your computer.

Another type of phishing campaign targeting hospitals comes from
senders pretending to be medical suppliers. In the emails, they
claim that their deliveries have been stalled or interrupted and
require some action on behalf of the hospital staff to complete.
The message body will provide a link that will take the recipient
to a site that will then execute malicious code. Once malicious
code is installed on a computer, it could be used to steal
important data or corrupt the disk. Two types of malware that are
used especially often are trojans and ransomware:

  • Trojans: When downloaded, Trojan software may perform
    like the intended legitimate application, but is in fact doing
    malicious things in the background. An example in these COVID-19
    emails is the use of the AzorUlt Trojan.
  • Ransomware: When downloaded, this malicious
    software holds a company, organization, or individual’s data for
    ransom.

AzorUlt Trojan


Malwarebytes Labs reported finding variations of an AzorUlt
trojan malware embedded in some of these attachments. The AzorUlt
trojan is a flexible type of malware that commonly collects
important data like browser history, passwords, and session cookies
from the infected computer, then sends that to a command and
control server elsewhere online. From there it could
download and execute more malicious code, such as ransomware. This
particular type of trojan is good at staying hidden, as its core
function is to collect vital data from non-persistent memory on the
infected machine, then quietly deliver that to its command and
control server.


Krebs On Security recently documented that some phishing
campaigns use a live interactive map of COVID-19 to distribute
different variations of the same AzorUlt trojan. The map and
interactive dashboard were developed by Johns Hopkins University,
so visually these emails could appear valid and trustworthy even to
a cautious eye.

Mobile Phone Ransomware

Sometimes, attackers might get you to download an application
that pretends to be helpful or to provide critical medical
information, but actually installs malware. A researcher at
DomainTools recently reported on a distribution of Android
ransomware that has been posing as a coronavirus update
application. Upon downloading the app, it will encrypt and lock the
user’s phone, demanding Bitcoin in ransom. Unfortunately for the
developers of this malicious app (and luckily for affected users),
a researcher at ESET Research discovered that the decryption key
was hardcoded: anyone affected could use the same code to retrieve
control of their phone. They published said key on Twitter.

Responding with Vigilance

As the world’s anxiety regarding coronavirus continues to
escalate, the likelihood that otherwise more cautious digital
citizens will click on a suspicious link is much higher. Even more
unfortunate is that hospitals and medical facilities are already
likely to fall victim to ransomware attacks. With a burgeoning
global pandemic, the
consequences of these attacks will be even more dire. And with
medical staff already overburdened and overworked with the demands
brought on by COVID-19, they will be more likely to be
susceptible.

Despite these phishing campaigns taking advantage of headlines,
so far they’re not really anything new. That makes detecting them
easier. With appropriate caution, you can avoid these phishing
strategies. For more information on how malware is installed (and
how to avoid it), check out this malware and phishing handout from
SEC.

Examples of COVID-19 Phishing Emails

Example 1

Hello.

We have urgent information about the CORONAVIRUS(COVID-19). VBS
presentation in rar.

The attachment contains a document with safety and coronavirus
prevention instructions, also instructions from the U.S. Department
of Health on how to get the vaccine for FREE.

Send this information to all your loved ones as soon as possible.

rar password : 1234567

=================================

U.S. Department of Health & Human Services

200 Independence Avenue, S.W.

Washington, D.C. 20201

Toll Free Call Center: 1-800-368-1019

TTD Number: 1-800-537-7697

Example 2

(In this example, notice how the links they provide start
with “https;” and not “https:”. This is a common tactic of
putting two very similar looking characters in place of each other
so that the user won’t notice the difference and will click on the
link before realizing it’s not what it appears to be.)

The outbreak of Coronavirus is a rapidly developing situation and
is likely to affect many travel plans over the coming months. We
strongly recommend that anyone travelling or planning to travel
takes guidance from the Foreign and Commonwealth office:

https;//eff.org/coronavirus-covid-19-information-for-the-staff

The WHO’s designation of coronavirus as a pandemic yesterday has
significant implications for the operation of insurance policy
cover and these are clearly posing unprecedented challenges.

The team have put together some advice for you based on current
activities:

I am travelling to a country where there has been an outbreak?

If the WHO advise against travel to the area you are visiting then
in the first instance you should contact your travel operator or
medical practitioner to reschedule or ask for a protective tips.
MOST REPORTED CASES SAVES LIFES.

Kindly take a break and read the attached articles on our site
and futher refrences on the issue for our staff

https;//www.google.com/tips/coronavirus-covid-19-information-for-the-public
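
The two checks this article asks readers to do by eye (reading the real sender address rather than the display name, and spotting the “https;” look-alike shown in Example 2) can also be automated. The Python below is an added example, not part of the original article; the allowlist, the function names and the sample sender address are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Assumed allowlist of domains the reader really corresponds with (not from the article).
TRUSTED_DOMAINS = {"gatesfoundation.org", "who.int", "cdc.gov"}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent-letter swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]

def check_sender(from_header, max_distance=2):
    """Warn when the real address domain is close to, but not, a trusted domain."""
    _display_name, address = parseaddr(from_header)  # the display name proves nothing
    domain = address.rpartition("@")[2].lower()
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for good in sorted(TRUSTED_DOMAINS):
        if osa_distance(domain, good) <= max_distance:
            return f"sender domain {domain!r} imitates {good!r}"
    return None

# "http" or "https" followed by a separator that is not exactly "://".
BAD_SCHEME = re.compile(r"\bhttps?(?!://)[;:,.]/{1,2}\S+", re.IGNORECASE)

def check_links(body):
    """Return link-like strings whose scheme separator is not exactly '://'."""
    return BAD_SCHEME.findall(body)

# Constructed sample: the look-alike domain is built from the caption's "Fonudation";
# the link text is the one quoted in Example 2.
SAMPLE_FROM = '"Gates Foundation" <grants@gatesfonudation.org>'
SAMPLE_BODY = "Guidance: https;//eff.org/coronavirus-covid-19-information-for-the-staff"

if __name__ == "__main__":
    print(check_sender(SAMPLE_FROM))
    print(check_links(SAMPLE_BODY))
```

A sender domain that is simply unknown is not flagged here; the check only catches near-misses of domains on the allowlist.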

 

Example 3

(In this example provided by Abnormal Security, the target’s name
and the university the sender is pretending to be from have been
removed. The link directs the target to a page asking them to log in
to their Outlook account. This seemingly harmless login page is
actually stealing those credentials.)

Hi ______,

Kindly check the latest information about COVID-19 [Corona Virus]

https://www.[xxxxxx].edu/content/covid-19-coronavirus-information.pdf

The Trustees of [xxxxxx] University | Health Team

Article source: EFF
