Advisory Overview
There has been a rise in phishing campaigns related to Coronavirus. The campaigns vary in exact messaging, but many have imitated the World Health Organization or HR departments issuing warnings and work-from-home guidelines. SKOUT advises taking extra precaution to protect users from getting phished.
Technical detail and additional information
What is the threat?
Security experts are warning the public of cyber criminals conducting large scale malicious email campaigns based around coronavirus related messaging.
Why is this noteworthy?
Criminals are weaponizing fears about the Coronavirus in various malicious campaigns. Threat actors see this as an opportunity to steal personal and financial information via phishing emails or to spread malware. Criminals are disguising themselves as WHO to steal money or sensitive information. Cybercriminals use emergencies such as a health scares to get individuals to make decisions quickly. A cyber security research company detected 403 users that utilize their security products were hit with 2,673 coronavirus related files that were an attempt to spread malware or steal credentials.
What is the exposure or risk?
Some of these fraudulent coronavirus emails are highly targeted. For instance, Japanese citizens were sent fake emails who pretended to come from their local health-care facilities. Even the contacts listed in the email were actual medical personnel. Another fake email was targeted towards companies in the transportation sector. The spoofed sender claimed to be a World Health Organization (WHO) employee and the email provided instructions document (attachment file) on how to check for and monitor your crew members for coronavirus symptoms on a ship. Additionally, malicious actors are disguising themselves to be the target users’ employers purchase order for face masks or any other medical supplies. This is a trick to get employees into transferring currency into a fake account.
What are the recommendations?
SKOUT recommends to always verify the authenticity of the sender by contacting the organization it claims to be from through its address or telephone number before interacting with or responding to any email. If you are not expecting correspondence from that sender, delete the email without opening it. Do not click on any links or attachments in the email. Instead, type the URLs manually into your browser or use previously created bookmarks to access any websites or pages referenced in the email links. Legitimate companies do not send out unsolicited emails to verify any kind of information. It should be something that was initiated from the user’s end like a password reset. If you have entered your credentials into a coronavirus related phishing website, please follow the below recommendations:
- Reset the user’s password, Implement Two Factor Authentication
- Check/Remove suspicious email forwarding addresses
- Disable any suspicious Inbox rule’s
- Remove the suspected compromised account from all administrative role groups until the potential compromise has been verified as remediated.
If you are a target of these phishing attempts, please report the email as soon as possible. SKOUT’s security operations center is equipped to do in depth email analysis for our clients. We also have state of the art sandbox tools to analyze any file attachments in question.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.wsj.com/articles/hackers-target-companies-with-coronavirus-scams-11583317802
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/best-practices-identifying-and-mitigating-phishing-attacks
- https://www.who.int/about/communications/cyber-security
If you have any questions, please contact our Security Operations Center.
