Barracuda researchers have seen a steady increase in the number of COVID-19-related email attacks since January, but they have observed a recent spike in this type of attack – up 667% since the end of February.
Between March 1 and March 23, Barracuda Sentinel has detected 467,825 spear phishing email attacks and 9,116 of those detections were related to COVID-19, representing about 2% of attacks. In comparison, a total of 1,188 Coronavirus-related email attacks were detected in February and just 137 were detected in January. Although the overall number of these attacks is still low compared to other threats, the threat is growing quickly.
Coronavirus-related phishing – A variety of phishing campaigns are taking advantage of the heightened focus on COVID-19 to distribute malware, steal credentials and scam users out of money. The attacks use common phishing tactics that are seen regularly. However, a growing number of campaigns are using the Coronavirus as a lure to try to trick distracted users and capitalise on the fear and uncertainty of the intended victims. The FBI recently issued an alert about these types of attacks.
Barracuda researchers have seen three main types of phishing attacks using Coronavirus COVID-19 themes – scamming, brand impersonation and business email compromise. Of the Coronavirus-related attacks detected by Barracuda Sentinel through March 23, 54% were scams, 34% were brand impersonation attacks, 11% were blackmail and 1% were business email compromise.
Phishing attacks using COVID-19 as a hook are quickly becoming more sophisticated. In the past few days, Barracuda researchers have seen a significant number of blackmail attacks popping up and a few instances of conversation hijacking. In comparison, until just a few days ago, they were seeing mostly scamming attacks. As of March 17, the breakdown of Coronavirus phishing attacks detected by Barracuda Sentinel was as follows: 77% were scams, 22% were brand impersonation and 1% were business email compromise. They expect to see this trend towards more sophisticated attacks continue.
Goals of the attackers ranged from distributing malware to stealing credentials and financial gain. One new type of ransomware Barracuda systems detected had even taken on the COVID-19 name, dubbing itself CoronaVirus.
Skilled attackers are good at leveraging emotions to elicit a response to their phishing attempts, as in the ongoing sextortion campaigns, which rely on embarrassment and fear to scam people out of money. With fear, uncertainty and even sympathy stemming from the Coronavirus COVID-19 situation, attackers have found some key emotions to leverage.
For example, one blackmail attack claimed to have access to personal information about the victim and to know their whereabouts, and threatened to infect the victim and their family with Coronavirus unless a ransom was paid. Barracuda Sentinel detected this particular attack 1,008 times over the span of two days.
Many of the scams that Barracuda Sentinel detected were looking to sell Coronavirus cures or face masks or asked for investment in fake companies that claimed to be developing vaccines.
Scams in the form of donation requests for fake charities were another popular phishing method Barracuda researchers have seen.
For example, one such scam caught by the Barracuda systems claimed to be from the World Health Community (which doesn’t exist but may be trying to take advantage of the similarity to the World Health Organisation) and asked for donations to a Bitcoin wallet provided in the email.
A variety of common malware is being distributed through Coronavirus-related phishing, especially modular variants that allow attackers to deploy different payload modules through the same malware. The first malware reported utilising Coronavirus was Emotet, a popular banking Trojan, which went modular last year. IBM X-Force discovered Emotet being distributed in Japanese emails, claiming to be from a disability welfare provider. The phishing emails contained a document which downloaded and installed Emotet when macros were enabled, a common practice for malware distribution these days.
LokiBot is another modular malware, which often aims to steal login credentials and data, and has been distributed in at least two different Coronavirus-related phishing campaigns that Comodo has tracked. One campaign used the premise of attached invoices, which contained LokiBot, but added an apology for the delay in sending the invoice due to Coronavirus. The other campaign claimed to be a news update and ‘one thing you must do’ (a play on the ‘one weird trick’ hook common in spam), which contained a link to the malware. Barracuda systems have seen multiple examples of emails using the invoice premise, one of which was detected more than 3,700 times.
Other notable information stealers capitalising on COVID-19 include AzorUlt, which is being distributed from a phishing site claiming to be a map of the outbreaks, and TrickBot, which is circulating among Italian phishing emails.
In addition to widespread credential harvesting from information-stealing malware, phishing attacks with links to spoofed login pages are also using Coronavirus COVID-19 as a lure. One such variant that Barracuda systems detected claims to be from the CDC and attempts to steal Microsoft Exchange credentials when the malicious link is clicked.
Attackers commonly spoof a wide variety of email login pages, targeting the email portal that users are accustomed to when this mail server information can be scraped. Other login pages are more generic or offer multiple provider options, spoofing each provider's login page. Attackers are simply changing the existing credential phishing email premise to capitalise on Coronavirus.
How to protect yourself
While phishing emails leveraging Coronavirus are new, the same precautions for email security still apply.
Be wary of any emails attempting to get users to open attachments or click links. Anti-malware and anti-phishing solutions can be especially helpful to prevent malicious emails and payloads from reaching intended recipients, but even with such protections in place, caution should always be used since no solution catches everything.
Watch out for any communication claiming to be from sources that you normally would not receive emails from. These are likely phishing attempts. While receiving Coronavirus-related emails from legitimate distribution lists to which you belong is becoming common, emails from organisations that you do not regularly receive messages from should be scrutinised closely. For example, the CDC is not going to be sending out emails to anyone who doesn’t regularly receive emails from them already.
Use caution with emails from organisations you regularly communicate with. Brand impersonation is quite prevalent in Coronavirus-related email attacks, so use caution when opening emails from organisations you expect to hear from. This is especially true for those in the healthcare industry, since it is being targeted by cyberattacks trying to capitalise on the pressure resulting from handling an influx of Coronavirus cases.
Find credible charities and donate directly. A common tactic for Coronavirus-related scams is asking for donations to help those affected by the pandemic. To avoid falling victim to one of these attacks, don’t respond to email requests for donations. Instead, find credible charities helping with Coronavirus efforts and donate directly through them to help ensure that funds end up where they can do good rather than in the hands of scammers. It’s also highly unlikely that any legitimate charities are taking donations through Bitcoin wallets, so seeing that in an email should be a red flag.
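The precautions above can also be expressed as a mail-triage heuristic. The following is an added example, not Barracuda's detection logic: it flags Coronavirus-themed messages that come from an unfamiliar sender domain, use a health-agency name in the display name without a matching domain, or pair a donation request with a Bitcoin address. The keyword patterns, the brand-to-domain table, the reason strings and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Illustrative patterns only; tune them to your own mail flow.
LURE = re.compile(r"\b(covid[- ]?19|coronavirus)\b", re.I)
DONATION = re.compile(r"\b(donat\w+|charity|relief fund)\b", re.I)
# Shape check for legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses.
BTC_ADDR = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")
# Names commonly impersonated, mapped to the domains they really send from.
BRANDS = {"cdc": {"cdc.gov"}, "world health": {"who.int"}}

def triage(raw, known_sender_domains):
    """Return the reasons a pandemic-themed message deserves closer scrutiny."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    if not LURE.search(text):
        return []  # not Coronavirus-themed, out of scope for this check
    reasons = []
    if domain not in known_sender_domains:
        reasons.append("unfamiliar sender")
    for brand, real in BRANDS.items():
        genuine = any(domain == d or domain.endswith("." + d) for d in real)
        if brand in display.lower() and not genuine:
            reasons.append(f"impersonates {brand}")
    if DONATION.search(text) and BTC_ADDR.search(text):
        reasons.append("donation to Bitcoin wallet")
    return reasons

# Constructed sample messages (not real captures; the wallet string is fake).
SCAM = """From: "World Health Community" <relief@whc-donate.example>
Subject: Help fight Coronavirus

Please donate to our relief fund: 1FakeWa11etForDemoPurposesXXXXXXX
"""
SPOOF = """From: "CDC Alerts" <alerts@cdc-gov.example>
Subject: COVID-19 cases in your city

Sign in with your email account to view the list.
"""

if __name__ == "__main__":
    for name, raw in (("SCAM", SCAM), ("SPOOF", SPOOF)):
        print(name, triage(raw, {"corp.example"}))
```

A non-empty result is a prompt for closer review, not a verdict; as noted above, no filter catches everything.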