As governments, businesses, and citizens around the world navigate the coronavirus (COVID-19) outbreak, there has been a spike in socially engineered email attacks by cybercriminals looking to exploit human strife.
This is sadly a recurring trend. Attackers have attempted to hijack news cycles and online search trends in the past, including the MH370 plane disappearance, political scandals, and cases of international tension. These email attacks attempt to infect systems with malware, steal personal information, or cause financial loss by exploiting our very human tendencies of fear and uncertainty during testing times.
This blog highlights common email attacks related to the coronavirus so that readers can exercise heightened caution if they receive similar communications.
It’s human nature to rely on expertise and authority, especially in times of unpredictability. It’s no surprise, then, that CDC impersonation email attacks have seen a rapid rise over the past few weeks. These emails claim to be from the CDC and often include links about process changes, new coronavirus cases, or health information in general.
For example, the email below mentions a new incident management system developed by the CDC and invites targets to visit the hyperlink for more information. The end goal of the attackers can vary in this situation:
- The links might be malicious and install malware on target systems.
- The links might be designed to steal personal information or credit card details.
- The links might be legitimate, in which case the first email is part of a longer email chain. Initial emails are designed to gain the trust of the victim, with the ‘exploit’ only a few more emails down the line.
Fig 1: CDC impersonation attack
Sharing Health Advice
A common attack type involves cybercriminals impersonating reputable health organizations and compromising their targets under the guise of offering useful health information. Recently, a TrickBot banking trojan campaign specifically targeted Italian email addresses and included a Word document that ostensibly contained information on how to stop infections. In fact, the attachment triggered a VBA script that installed a new variant of TrickBot onto the victim’s system. You can read more about TrickBot here.
In New Delhi, India, attackers impersonated the World Health Organization and sent emails offering free test kits, useful health advice, and updated guidelines. The attachments had spyware that compromised email accounts, social media, and bank accounts.
Fig 2: WHO impersonation attack
Exploiting Company Updates
Researchers at Fortinet discovered an attack campaign that misused the FedEx trademark to lull victims into a false sense of security. The email appears to contain updates on FedEx supply chain operations and how they have been impacted by COVID-19. The attachment, named ‘Customer Advisory’, contains an executable that installs a Lokibot infostealer on the target system.
Fig 3: FedEx impersonation attack
Employer impersonation has also been used to target internal employees. Since many organizations are now sharing company policy updates with employees for awareness purposes, attackers have created templates for such messages and replaced the legitimate PDFs with malicious links. Attackers are able to harvest employee email addresses from social media and send these emails en masse across organizations.
An example of such an email (albeit with placeholders and untidy execution) is below:
Fig 4: Email attack highlighting organizational policy change
Perhaps the most wide-reaching attack in the wake of the coronavirus involves a real-time, interactive map created by Johns Hopkins University. Attackers have created and shared a Java-based malware deployment scheme that uses the Hopkins map - which is legitimate - as a lure to install the AZORult password-stealing malware.
Fig 5: Real-time COVID-19 map from Johns Hopkins
This attack has dual network effects. Firstly, the malware deployment kit has been monetized and is being sold to attackers everywhere. Secondly, since the map itself is legitimate, people will tend to share it with their friends and colleagues, spreading the attack even further.
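The campaigns above share three observable traits a mail filter can check for: a display name that invokes a trusted brand while the sender domain belongs to someone else, an attachment type that can carry code (macro-capable Word files, executables, Java archives), and link text that shows one domain while the href points to another. The following Python script is an added example, not code from the original post or from Armorblox; the brand-to-domain mapping is an assumption and the sample message is constructed to resemble the CDC lure.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed legitimate domains for the brands impersonated above (assumption, not from the post).
BRAND_DOMAINS = {"cdc": "cdc.gov", "world health organization": "who.int", "fedex": "fedex.com"}
# Attachment types behind the campaigns above: macro-capable Word files, executables, Java archives.
RISKY_EXT = (".doc", ".docm", ".exe", ".scr", ".jar")
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def check_message(raw: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. Display-name impersonation: brand named in the display name, sender domain elsewhere.
    for brand, legit in BRAND_DOMAINS.items():
        named = re.search(rf"\b{re.escape(brand)}\b", display, re.I)
        if named and domain != legit and not domain.endswith("." + legit):
            findings.append(f"display name claims {brand!r} but sender domain is {domain!r}")
    # 2. Risky attachment types (the 'Customer Advisory' executable, macro-bearing Word files).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment {name!r}")
    # 3. Link text that shows one domain while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)
        if shown and shown.group(0).lower() not in href.lower():
            findings.append(f"link text shows {shown.group(0)!r} but points to {href!r}")
    return findings

# Constructed sample modelled on the CDC lure above (not a real message).
SAMPLE = """From: "CDC Incident Management" <alerts@cdc-update.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Details at <a href="http://login.example/cdc">www.cdc.gov/incident</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Customer Advisory.exe"

MZ-placeholder
--b1--
"""
```

Running `check_message(SAMPLE)` yields one finding per trait; a plain-text message from an address on the expected domain produces none.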
As remote work becomes the new normal, protecting email communications is more vital than ever. We hope this blog makes you cognizant of targeted email attacks that leverage COVID-19 uncertainty to cause financial loss. Please exercise heightened caution while reviewing every email, even if it seems to come from people and organizations you trust.
Here’s a list of helpful resources including daily case trackers and crowdsourced documents. All these links have been validated by Armorblox.
- WHO daily situation reports: https://www.who.int/emergencies/diseases/novel-coronavirus-2019/situation-reports/
- Analytics dashboards on fighting COVID-19: https://www.linkedin.com/pulse/coronavirus-covid-19-qlik-community-response-joe-warbington/
- Live COVID-19 case tracker: https://covid2019app.live/live
- Interim CDC guidance for businesses: https://www.cdc.gov/coronavirus/2019-ncov/community/guidance-business-response.html
- A People Ops preparation doc created by 100+ HR leaders: https://docs.google.com/document/d/1PhtKhFRE96lzx7fUQe91lPJp3_UWDjua-35HRgTO1hQ/edit#
- Pandemic response guide from Snyk: https://docs.google.com/document/d/1FN1V5FiKnmcwu9ULtquzfqGU7xBA6sia_CnGQCglsTg/edit