Google: US government targeted with 'free fast food' coronavirus phishing

Government-backed attackers targeted US government and healthcare workers, says Google's Threat Analysis Group.
Written by Liam Tung, Contributing Writer

It's hard to avoid news about the COVID-19 coronavirus these days, and government-backed attack groups are taking advantage of the pandemic to trick healthcare and government workers into giving up Gmail passwords. 

Google's Threat Analysis Group (TAG), which tracks state-backed hackers, says one group has started using free meals and coupons supposedly from fast-food franchises to lure US government workers into exposing their Gmail credentials. 

The tactic appears to exploit the US government's decision to categorize fast-food workers as essential during the pandemic. In March, top execs from major US fast-food chains had a call with US president Donald Trump about keeping drive-thru and delivery services open during the outbreak.

SEE: 10 tips for new cybersecurity pros (free PDF)    

Some phishing email messages try to convince targets to browse to sites masquerading as online and food delivery services. If victims click the email, they see a phishing page designed to capture their Google account credentials. 

TAG says it's found over a dozen government-backed attacker groups using COVID-19 themes in phishing and malware attacks that aim to get targets to click on malicious links and download files. 

Google last week said it had blocked 18 million COVID-19 themed phishing emails targeting Gmail users in one week. It was also blocking 240 million COVID-19 spam messages each day. Google and Microsoft say overall phishing hasn't increased during the pandemic, only that attackers have changed their messaging. 

TAG is responsible for detecting phishing and malware attempts from government-backed attackers, which allows Google to issue the targeted person a notification that government-backed attackers may be trying to steal that individual's password. 

The TAG team has also found a new activity that backs up a Reuters report this month that Iranian government-backed hackers have been targeting the World Health Organization. 

Google says the threat actor group is likely to be Charming Kitten. Microsoft last year named the same group, which it calls Phosphorous, as the actor behind a phishing campaign targeting US government officials and members of a 2020 presidential campaign.

TAG has identified similar efforts by a South American actor, known as Packrat, sending emails with links to a domain masquerading as the World Health Organization's login page.

SEE: Coronavirus: Business and technology in a pandemic

TAG's Shane Huntley said the company had placed extra protections on more than 50,000 high-risk accounts. These include higher thresholds for Google Account sign-in and recovery. 

Interestingly, as responses to the new coronavirus took hold over March, the number of accounts Google warned fell below historical trends. In March it issued 3,538 warnings, compared with over 4,100 warnings in both January and February.   

"While it's not unusual to see some fluctuations in these numbers, it could be that attackers, just like many other organizations, are experiencing productivity lags and issues due to global lockdowns and quarantine efforts," said Huntley.


Google has mapped the location of users targeted by government-backed COVID-19 related attacks.

Image: Google TAG
Editorial standards