Attackers are using COVID-19 as a phishing lure, with messages designed to look like they come from the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO) and other COVID-19-related organizations. So far, we’ve seen incidents across email, mobile and even social media. The good news? The COVID-19 CTI League is now up and running specifically to battle COVID-19-related phishing and more tools designed to uncover suspicious web domains are available.
While those efforts help, the main defense is end user education. Show your employees examples of the real-world phish contained in this report, and be sure they realize nobody is giving away free money, especially in the COVID-19 economy. As always, if an offer sounds too good to be true, it probably is.
People generally fall for phishing pretexts that do one of two things:
- Present a call to action.
- Fill an information void.
COVID-19 offers opportunities for attackers in both approaches. People are desperate for information and are constantly being given updated guidance on how to adapt to remote work and stop the spread of the disease, along with other “helpful tips” to deal with COVID-19. Unfortunately, the onslaught of emails from businesses detailing how they will keep staff and customers safe during COVID-19 has set the stage for users to expect these emails and will likely lead to a higher percentage of users treating them as legitimate.
The best way to protect employees from this specific phishing threat is to:
- Detail when and how you’ll communicate COVID-19-related updates and policy guidance.
- Agree on an email template and communication delivery frequency (and then actually stick to it).
- Educate users that attackers will absolutely use COVID-19 as a pretext.
- Show them the examples in this document so they know what to expect.
Organizations should also give users specific advice on differentiating legitimate corporate updates from phishing attempts. Even if users click a link, the moment they are presented with a login screen they should treat the message as a phish and report it.
Currently, very few vendor emails contain an attachment. Of those that do, most are PDF files, and none that we’ve seen have any active content (e.g., Office document macros). Also, the vast majority of these files were not delivered as a compressed attachment (zip, rar, 7Z, etc.).
Figure 1 shows a lure that targets foreign visitors by convincing them to provide sensitive information to an attacker-controlled email address.
Figure 2 shows an example of a DocuSign credential-harvesting phish purporting to be from WHO.
Figure 3 shows an insurance-themed phish targeting Cigna customers. This is particularly effective for attackers because it lets them easily discover the insurance provider for an organization.
Figure 4 shows a phish that links to “new measures from the CDC” but also borrows credibility from WHO, the Equal Employment Opportunity Commission (EEOC), the Department of Labor (DOL) and the Occupational Safety and Health Administration (OSHA).
Figure 5 shows another credential-harvesting phish.
Attackers are also sending SMS phishing links enticing victims to install applications on their Android phones (see Figures 6 and 7).
The SMS delivery shown in Figure 8 is particularly dangerous and preys on the desire to fill an information void.
Beyond SMS, we’ve also seen more than 500 Android applications containing coronavirus-related strings in their files uploaded to the Google Play Store, and many are confirmed to be malicious. While the Apple Store also likely has malicious applications, Apple’s enhanced vetting means attackers must expend significantly more effort to get their applications into Apple’s ecosystem than Google’s. Additionally, because it is difficult to install iOS applications from an unauthorized source, attackers so far seem to be focusing primarily on Android.
While some links redirect users to the Google Play Store, others entice them to download and install applications from .apk files directly (see Figure 9). This activity has been going on for almost two months, and at the time of this writing, the site listed in Figure 9 is still actively distributing malware (although the COVID-19 CTI League is working to take it down).
The FBI Internet Crime Complaint Center (IC3) reports attackers are using phishing to lure users into clicking links promising vaccines, access to testing kits and airline carrier refunds. However, with the stimulus bill likely to provide direct compensation to individuals, we should expect to see a significant uptick in attacks around phishing links promising early access to stimulus funds.
Examples of this activity have already been observed. While current attacks focus on stealing individuals’ banking information (which is not usually an enterprise concern), we have seen examples of business-themed emails discussing Small Business Administration (SBA) loans provided through the recently passed stimulus bill.
Organizations should educate their employees about the risks of these attacks. Additionally, they should educate anyone with access to financial systems (accounts payable, accounts receivable, comptrollers, etc.) about the risk of business-themed phishing emails.
In addition to email-based and mobile phishing, attackers are luring users with Facebook and other social media platforms (see Figure 10). While this may not seem like an enterprise issue, users in many organizations are already working at decreased capacity due to stress and childcare arrangements. Falling victim to identity theft will certainly not help that productivity issue. Further, these scams may trick users into installing malware, which may be an issue if it gets installed on enterprise-owned devices.
Clicking on the embedded link in the ad in Figure 10 takes users to the page shown in Figure 11.
Following the link in Figure 11 takes users further, to a well-known marketing engine that tricks them into giving up personal information without gaining any actual benefit (see Figure 12). Unsurprisingly, users don’t actually get a gift card at the end of the data collection process. These types of schemes have also redirected to malware in the past, and we should expect that trend to continue here.
The COVID-19 CTI League, a community effort to battle COVID-19 related phishing, was established recently to exchange cyber threat intelligence (CTI) information. The league currently has more than 600 members, all of whom are vetted CTI or malware analysts. In fact, many organizations have analysts who are either already members of the group or have had invitations extended.
In general, CTI and threat data-sharing groups are not open to the public and rather depend on an invitation from someone in the community. While some see this as gatekeeping, it is viewed as necessary to prevent threat actors from joining the group and performing counter-intelligence, rendering the intelligence worthless.
If your organization has full-time CTI analysts or malware reverse-engineers, consider reaching out to your CTI contacts to get an invite to the group. If not, the intelligence generated in the group is being distributed through vetted channels, including vendor CTI feeds, information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs).
Due to browser warnings for websites not using HTTPS, we are seeing more attackers deploy HTTPS certificates than ever before. This helps them avoid traffic inspection in networks where TLS decryption isn’t performed. However, it also works against attackers when certificate transparency logs are inspected. A list of COVID-19-themed domains that have been issued HTTPS certificates mined from certificate transparency logs can be found here.
Please note, not every domain on the list is malicious. The list merely catalogs the domains containing the words “coronavirus” or “covid,” some of which may be legitimate. However, the list can serve as a potential block list for high security environments where confidentiality is valued over availability.
Additionally, the team at DomainTools offers an updated list of suspected COVID-19 phishing domains (free with registration). Registration must be from a business (non-free) email address to prevent the S3 bucket hosting the list from being overwhelmed. DomainTools uses its well-known risk-scoring mechanism to help organizations prioritize their response to the most suspicious domains. This is especially important for organizations facing the extremely long (and growing) list of domains in publicly available lists that rely only on pattern matching.
Some domains in the DomainTools list are not present in certificate transparency-generated lists. This is because DomainTools also has access to data from many domain registrars and a large network of passive DNS sensors. Use of the DomainTools list is recommended for those struggling to process the now more than 12,000 domains that have had HTTPS certificates issued. This is an important differentiator, because we have already observed attackers redirecting victims through a link to a COVID-19-themed domain (which would not be present in the certificate transparency list).
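The keyword-based list described above is straightforward to reproduce from certificate transparency data. The following script is an added example, not part of this report or of the COVID-19 CTI League or DomainTools tooling: it flattens certificate entries in the shape of crt.sh’s JSON output (the `name_value` field holds newline-separated names), pattern-matches the “coronavirus”/“covid” keywords, and then removes anything under a domain the organization has already verified as legitimate, producing a candidate block list rather than a raw match list. The certificate entries and the allowlist are constructed for the example.

```python
import json

# Constructed sample modelled on crt.sh JSON output; the entries are invented
# for this example and are not data from the report.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "covid19-relief-portal.example\nwww.covid19-relief-portal.example"},
    {"name_value": "*.coronavirus-tracker.example"},
    {"name_value": "shop.example"},
    {"name_value": "health.example\ncovid.health.example"},
    {"name_value": "COVID-Updates.Example"},
])

KEYWORDS = ("coronavirus", "covid")

# Constructed allowlist standing in for domains the organization has verified
# as legitimate (a real one would hold the CDC/WHO properties, partner sites, etc.).
KNOWN_LEGITIMATE = {"health.example"}


def extract_names(ct_json):
    """Flatten certificate entries into a set of lowercase hostnames (wildcard prefix stripped)."""
    names = set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name:
                names.add(name)
    return names


def keyword_matches(names, keywords=KEYWORDS):
    """Names containing one of the theme keywords: pure pattern matching, so legitimate domains match too."""
    return sorted(n for n in names if any(k in n for k in keywords))


def under_allowlisted_domain(name, allowlist):
    """True if name equals, or is a subdomain of, an allowlisted domain."""
    return any(name == a or name.endswith("." + a) for a in allowlist)


def build_block_candidates(ct_json, allowlist=KNOWN_LEGITIMATE):
    """Keyword matches minus those under verified-legitimate domains."""
    matches = keyword_matches(extract_names(ct_json))
    return [m for m in matches if not under_allowlisted_domain(m, allowlist)]


if __name__ == "__main__":
    for domain in build_block_candidates(SAMPLE_CT_JSON):
        print(domain)
```

The allowlist step is what turns a pattern-matched catalogue into something usable in a high-security environment: without it, a block list built this way would also cut off legitimate “covid” pages hosted under trusted domains, which is exactly the caveat above.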
Attackers are also compromising small office/home office (SOHO) routers and redirecting Windows computers to display COVID-19-related alerts that entice users to download malware. This is accomplished by changing DNS settings in the router.
The attacks likely take advantage of routers with default usernames/passwords and remote administration enabled via the internet. Organizations should discuss router security with their users since remote workforces are using these devices to access corporate data now more than ever.
Beyond specific COVID-19-related attacks, DNS redirection attacks on SOHO routers offer attackers the opportunity to perform many other man-in-the-middle (MiTM) attacks using other router features or by installing custom firmware. Organizations relying on employee-provided SOHO routers for connectivity to corporate networks should schedule audits with their employees to ensure router configurations are as secure as possible.
However, during this time, installing up-to-date firmware may not be advisable since a failed installation can leave the router permanently disabled (i.e., “bricked”). Organizations with employees who have out-of-date firmware should consider their risk profile. Most externally exploitable vulnerabilities patched by a firmware upgrade can also be mitigated by a configuration change.
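Because a home computer normally points at the router itself as its DNS server, inspecting the client’s resolver settings will not reveal that the router’s upstream DNS has been changed. A practical check is to resolve a few canary domains through the normal path and through a trusted out-of-band resolver and compare the answers. The script below is an added example written for this report’s readers (not tooling from the report or any vendor); the sample answers are constructed, use documentation IP ranges, and the `system_resolver` helper is the only part that touches the network.

```python
import socket

# Constructed sample answers standing in for (a) what the home network's resolver
# path returned and (b) what a trusted, out-of-band resolver returned. Addresses
# are from documentation ranges and the domains are invented for this example.
CONSTRUCTED_LOCAL = {
    "updates.example": {"203.0.113.10"},
    "cdn.example": {"198.51.100.5", "198.51.100.6"},
    "portal.example": set(),  # lookup failed locally
}
CONSTRUCTED_TRUSTED = {
    "updates.example": {"198.51.100.20"},
    "cdn.example": {"198.51.100.6", "198.51.100.7"},
    "portal.example": {"198.51.100.30"},
}


def system_resolver(domain):
    """IPv4 answers from the host's configured resolver (normally the SOHO router)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(domain, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def compare_resolutions(canaries, resolve_local, resolve_trusted):
    """Return canary domains whose local answers share no address with the trusted answers.

    Overlap rather than equality is required because CDNs legitimately hand out
    different subsets of addresses on successive queries.
    """
    suspicious = {}
    for domain in canaries:
        local = resolve_local(domain)
        trusted = resolve_trusted(domain)
        if not local or not trusted:
            continue  # a failed lookup is noise, not evidence of redirection
        if local.isdisjoint(trusted):
            suspicious[domain] = (sorted(local), sorted(trusted))
    return suspicious


def audit_sample():
    """Run the comparison over the constructed answers above."""
    return compare_resolutions(
        CONSTRUCTED_LOCAL,
        lambda d: CONSTRUCTED_LOCAL.get(d, set()),
        lambda d: CONSTRUCTED_TRUSTED.get(d, set()),
    )


if __name__ == "__main__":
    for domain, (local, trusted) in audit_sample().items():
        print(f"{domain}: local {local} vs trusted {trusted}")
```

In real use, pass `system_resolver` as the local resolver and a DNS-over-HTTPS or DNS-over-TLS client as the trusted one, and pick canaries that matter to the organization (the VPN gateway, the corporate webmail host). A domain where the two paths disagree entirely is the signal worth escalating; a single failed lookup is not.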
An unfortunate misconfiguration on the Health and Human Services (HHS) website allowed attackers to use a vulnerability known as an open redirect to trick users into visiting malicious websites serving malware. An open redirect vulnerability allows an attacker to send a user a link that points to a legitimate/expected domain that subsequently sends them to a malicious domain.
While this vulnerability has been patched on the HHS website, attackers will continue to use this attack vector to distribute COVID-19-themed malicious links as they discover additional opportunities. Organizations should educate users not to click links just because they appear to point to a normal/legitimate domain.
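For developers maintaining sites that accept a “return to” parameter, the fix for the class of bug described above is to refuse any target that leaves the site’s own origin. The snippet below is an added example (not code from the HHS site or from this report) that places the vulnerable pass-through beside a hardened form; `SITE_HOST` is a constructed placeholder for the site’s own hostname. The hardened version rejects absolute URLs, protocol-relative `//host` targets and their backslash variants, which browsers treat as external, and re-resolves the result against the site origin as a final check.

```python
from urllib.parse import urlsplit, urljoin

SITE_HOST = "www.example.gov"  # constructed placeholder for the site's own host


def redirect_target_vulnerable(next_param):
    """'Before' form: trusts the parameter as-is, so any absolute URL is honoured."""
    return next_param


def safe_redirect_target(next_param, default="/"):
    """Return a same-site path for the redirect, or the default when the target is not same-site."""
    if not next_param:
        return default
    # Browsers normalise backslashes to slashes, so normalise before parsing
    # or "/\evil.example" would slip past the netloc check below.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default  # absolute URL or protocol-relative //host
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default  # only site-absolute paths are accepted
    # Resolve against the site origin and confirm the host did not change.
    resolved = urlsplit(urljoin(f"https://{SITE_HOST}/", candidate))
    if resolved.netloc != SITE_HOST:
        return default
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")


if __name__ == "__main__":
    for sample in ["/dashboard?x=1", "//evil.example/path", "https://evil.example", "/\\evil.example"]:
        print(f"{sample!r:28} -> {safe_redirect_target(sample)!r}")
```

Returning a path rather than echoing the input means the framework’s redirect call only ever receives something relative to the site, which is the property the original HHS misconfiguration lacked.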
Organizations are advised to educate their users on these scams. Nobody is giving away free money, especially in the COVID-19 economy. If it sounds too good to be true, it probably is.
In the weeks ahead, we should continue to expect more COVID-19-related emails. As situations on the ground change (including the possibility of U.S. lockdowns similar to Italy), phishing emails will certainly follow.
COVID-19 and Infosec: What You Need to Know, March 16, 2020
Phishing Simulation and Training: A Market Overview, Feb. 7, 2020
Phishing Simulations: Know Who to Inform and Why, Dec. 12, 2019
Create an Effective Anti-Phishing Program, Dec. 3, 2019
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.