Nasty phishing scams aim to exploit coronavirus fears

Phoney emails about health advice and more are being used to steal login credentials and financial details.
Written by Danny Palmer, Senior Writer

Cyber criminals are aiming to take advantage of fears over coronavirus as a means of conducting phishing attacks and spreading malware, along with stealing login credentials and credit card details.

Cybersecurity companies have identified a number of campaigns by hackers who are attempting to exploit concerns about the COVID-19 outbreak for their own criminal ends. Crooks often use current affairs to make their scams more timely.

Researchers at Sophos have identified a Trickbot banking trojan campaign specifically targeting Italian email addresses in an attempt to play on worries about the virus. The phishing email comes with a Word document that claims to contain advice on how to prevent infection – but this attachment is in fact a Visual Basic for Applications (VBA) script that drops a new variant of Trickbot onto the victim's machine.

The message text claims to offer advice from the World Health Organization (WHO). The attached Word document states that it was produced with an earlier version of Microsoft Word and that the user must enable macros in order to see the content; doing so executes a chain of commands that installs Trickbot on the machine.


As a banking trojan, Trickbot is primarily used to steal confidential information from victims – but once installed on a machine, it can also be used as a surrogate for installing other forms of malware, be that for the initial attacker, or leased out to other cyber criminals.

"The cybercriminals behind Trickbot are likely skilled attackers who leverage the concern of the day to scare people into clicking. While this is in Italy now, we would expect a similar attack in other countries where fears of COVID-19 outbreaks are high," said Chester Wisniewski, principal research scientist at Sophos.

"The best approach to avoid this type of cyberattack is to turn off macros, be extra cautious about what you click, and delete email that is suspicious or from an unexpected source," he added.

Researchers at Fortinet have identified a separate coronavirus phishing campaign that claims to come from a delivery company offering an update on the impact that the virus is having on its operations.

The email has the subject 'Coronavirus Customer Advisory Issue' and comes with what claims to be a PDF attachment, but is in fact an executable file. If the user runs this, Lokibot malware is installed on the machine.

Like Trickbot, Lokibot is primarily a trojan that creates a backdoor into Windows systems for stealing sensitive information from victims, including usernames, passwords and bank details via the use of a keylogger.

Fortinet recommends that organisations regularly apply patches to networks in order to ensure that malware like Lokibot can't take advantage of known vulnerabilities to install itself onto machines. They also recommend that organisations train users to be suspicious of unexpected emails asking for action.

Researchers at Proofpoint have also identified a number of coronavirus-themed hacking campaigns that install malware including Emotet, NanoCore and Azorult onto victims' machines, providing attackers with a means of stealing personal data and gaining backdoor access into corporate networks.

"Overall, these latest examples serve as a reminder that users should be watchful and exercise caution where coronavirus-themed emails and websites are concerned," said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

The World Health Organization has issued its own warning about crooks and scammers posing as the global health body and taking advantage of current events for their own advantage.

"Criminals are disguising themselves as WHO to steal money or sensitive information. If you are contacted by a person or organization that appears to be from WHO, verify their authenticity before responding," said a WHO statement.


A common attack detailed by the WHO involves cyber criminals sending emails that claim to be a representative from the organisation and asking the potential victim to click a link, open an attachment or simply hand over sensitive information, such as usernames and passwords.

However, the WHO has said that it will never send emails asking people to log in to view information, open unexpected attachments or enter financial information to donate directly to causes.

The body has also asked people to check the address the email is coming from, stating that WHO communications only come from @who.int email addresses and that anything claiming to be the WHO sent from any other domain should be regarded with suspicion. The WHO has set up a link where you can report suspected scams.
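The two checks this article's advice boils down to, as an added example that is not part of the original report: the WHO's statement that genuine mail comes only from @who.int, and the Fortinet-described lure whose "PDF" attachment was really an executable. The sample message, the lookalike domain who-int.example and the helper names are constructed for illustration.

```python
# Added example (not from the article): triage checks a defender might run on
# a suspicious "WHO" e-mail, based on two facts the article states: genuine WHO
# mail comes only from @who.int, and the Fortinet lure's "PDF" was an executable.
import email
from email import policy
from email.utils import parseaddr

# Magic bytes for the two file types the article mentions.
MAGIC = {"pdf": b"%PDF-", "exe": b"MZ"}

def sender_domain(msg):
    """Lower-cased domain of the From: address; the display name is ignored."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def sender_is_who(msg):
    """True only for an exact who.int domain; who-int.example or who.int.example.com fail."""
    return sender_domain(msg) == "who.int"

def attachment_mismatches(msg):
    """Attachments named .pdf whose bytes are not a PDF, with a guess at what they are."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".pdf") and not data.startswith(MAGIC["pdf"]):
            kind = "executable" if data.startswith(MAGIC["exe"]) else "unknown"
            findings.append((name, kind))
    return findings

def triage(raw):
    """Return (sender_is_who, mismatched_attachments) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return sender_is_who(msg), attachment_mismatches(msg)

# Constructed sample: the display name says WHO but the domain is a lookalike, and
# the base64 body of "advisory.pdf" decodes to the MZ header of a Windows executable.
SAMPLE = (
    b"From: World Health Organization <alerts@who-int.example>\r\n"
    b"Subject: Coronavirus Customer Advisory Issue\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nPlease open the attached advisory.\r\n"
    b"--b1\r\nContent-Type: application/pdf; name=\"advisory.pdf\"\r\n"
    b"Content-Disposition: attachment; filename=\"advisory.pdf\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))  # (False, [('advisory.pdf', 'executable')])
```

Note that the domain check is an exact match, so a subdomain such as who.int.example.com is rejected along with hyphenated lookalikes; a mail gateway would apply the same logic to the envelope sender as well as the From: header.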
