In light of the global scale of COVID-19, cyber criminals have been able to take advantage of the fear and uncertainty to deploy scams and attacks against unsuspecting targets worldwide. Threat actors are using COVID-19-themed phishing emails to deliver malware and to direct victims to phishing landing pages. Security researchers have discovered ransomware strains, sales of misleading services, and misinformation campaigns that all exploit the concern and fear over COVID-19. While this is not a new tactic, it does demonstrate how threat actors will attempt to exploit a global health crisis to distribute attacks against victims.
Phishing Emails and Malware
Because COVID-19 affects the entire world, threat actors can expect a larger pool of victims to fall for lures that use a COVID-19 theme. Threat actors have taken memos and alerts published by the WHO and the CDC and used them as templates to craft official-looking phishing emails containing hostile links and malicious attachments for victims to open.
On March 12, 2020, security researchers discovered Coronavirus-themed ransomware distributed from a website impersonating the “WiseCleaner” Windows system utility. The site served a downloader executable that delivered both the ransomware and the Kpot information stealer. The stealer exfiltrated cookies and login credentials from the machine, and the ransomware then encrypted the files on the machine before presenting the victim with a ransom note. Each encrypted file was renamed to the threat actor’s email address followed by the file’s original extension; that email address is the channel victims are told to use to negotiate the ransom payment.
Coronavirus Phishing Methods & Scams
Be aware of phishing pages, kits, and other hostile resources with a Coronavirus theme being sold to cyber criminals. Figure 2 is a screenshot of an actor selling an application that supposedly renders an interactive map of patients infected with COVID-19 using real-time data from the WHO and other sources. The seller claims that this method lets threat actors send a payload “preloader” disguised as the map as a file attachment through any mail service, and that it is capable of infecting 10,000 victims daily. Such listings are real-time examples of how cyber criminals capitalize on COVID-19-themed lures in the criminal marketplace.
Misleading Website Domain Registrations
There has been a rise of over 3,500 domain names and host names that use the words Coronavirus or COVID-19. Some of these domains may be intended to distribute crucial information on the virus from news organizations or healthcare professionals, but it is also likely that many will be used by cyber criminals to host phishing landing pages, stage malware payloads, spread misinformation about COVID-19 updates and testing, or serve other nefarious purposes.
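One way a security team can act on this observation is to screen newly seen hostnames (from a passive DNS feed, certificate transparency logs, or a daily registration pull) for the pattern described above: a COVID-19 keyword, an impersonated health organization, and a lure word such as "login" or "map". The script below is an added example written for this page, not tooling from the original article or from UCLA; the sample hostnames are constructed, the `.example` names are not real registrations, and the registrable-domain logic is a deliberate simplification (a real deployment should use the Public Suffix List).

```python
import re

# Keywords seen in COVID-19-themed lure domains (substring match on the folded hostname).
COVID_KEYWORDS = ("coronavirus", "corona", "covid", "ncov")
# Organizations commonly impersonated; matched as whole labels/tokens.
IMPERSONATED_ORGS = ("cdc", "who", "nih")
# Words that turn a themed name into a credential or payload lure.
LURE_WORDS = ("login", "signin", "update", "map", "tracker", "relief", "vaccine")
# Genuine registrable domains of the impersonated organizations (assumption: extend for your environment).
OFFICIAL_DOMAINS = {"cdc.gov", "who.int", "nih.gov"}

# Undo common digit-for-letter substitutions so "c0vid" folds to "covid".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(hostname):
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    host = hostname.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def registrable_domain(host):
    """Last two labels. Simplification: production code should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def score_hostname(hostname):
    """Return (score, reasons) for one hostname; a higher score means more lure-like."""
    host = normalize(hostname)
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return 0, ["official domain"]

    # Split on label and word separators, undo leet, then also look at the joined string
    # so that run-together names like "coronavirusmap" still match.
    tokens = [t.translate(LEET) for t in re.split(r"[.\-_]", host) if t]
    folded = "".join(tokens)
    score, reasons = 0, []

    if any(k in folded for k in COVID_KEYWORDS):
        score += 2
        reasons.append("covid keyword")
    if any(t in IMPERSONATED_ORGS for t in tokens):
        score += 3
        reasons.append("impersonates health organization")
    for word in LURE_WORDS:
        if word in folded:
            score += 1
            reasons.append("lure word: " + word)
    return score, reasons


def triage(hostnames, threshold=3):
    """Return [(hostname, score, reasons)] for names at or above threshold, highest score first."""
    flagged = []
    for name in hostnames:
        score, reasons = score_hostname(name)
        if score >= threshold:
            flagged.append((normalize(name), score, reasons))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


# Constructed sample feed (not real registrations) standing in for a daily pull of new domains.
SAMPLE_HOSTNAMES = [
    "www.cdc.gov",
    "who.int",
    "coronavirus-update-cdc.example",
    "c0vid19-map.example",
    "covid-19-relief-login.example",
    "cdc.gov.example.net",
    "weather.example",
]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_HOSTNAMES):
        print(f"{score:2d}  {host:35s} {', '.join(reasons)}")
```

The official-domain check runs first so that the genuine cdc.gov and who.int hosts score zero regardless of their keywords, while `cdc.gov.example.net`, whose registrable domain is `example.net`, is still flagged for carrying the CDC name as a leading label. Scores are a triage aid for an analyst to review, not a block decision on their own.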
It is critical for individuals to stay vigilant and understand how to recognize suspicious emails and activity as criminals attempt to leverage COVID-19 campaigns against them:
- Only interact with emails from known senders. Check the destination of an embedded link by hovering the cursor over it before clicking. Use caution when opening email attachments.
- Be wary of third-party sources spreading information about COVID-19. Refer to official healthcare organizations or government websites for updates on COVID-19.
- Report suspicious emails and computer activity to email@example.com for further investigation.
- Stay up to date with current events in cyber security pertaining to COVID-19 for situational awareness via the IT Security Website and The Cybersafe Bruin, and see the UCLA Community Resources page for more general COVID-19 information.