Coronavirus-themed phishing and scams appeared in large numbers in January 2020. After the World Health Organization (WHO) announced the official name “COVID-19” in February and the word “pandemic” entered daily use, the number of fraudulent sites exploiting these names grew to more than 2,000 a day. Every angle was used: from “new methods of treatment” to “how to get financial benefits” and “what assets to acquire during the coronavirus crisis.” There were even variants using steganography, in which the IcedID banking trojan was hidden inside a coronavirus-themed JPEG file. Messages purporting to come from the WHO were especially common.
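The steganography variant mentioned above hides a payload in an image that otherwise opens normally. One cheap triage check a defender can run on attachments is to walk the JPEG segment structure and report any bytes that follow the End-Of-Image marker. The following is an added example written for this page, not code from the article or from any of the vendors it quotes; the sample images it checks are constructed in-code, and the helper names (`trailing_bytes`, `flag_images`) are this example's own.

```python
"""Heuristic check for data appended after a JPEG's End-Of-Image (EOI) marker.

Added example for this page (not from the article). It walks JPEG marker
segments up to Start-Of-Scan, skips entropy-coded data while honouring byte
stuffing (FF 00) and restart markers (FF D0..D7), locates the EOI marker and
returns how many bytes follow it. Supports baseline and progressive files.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field (TEM and RST0..RST7).
STANDALONE = {0x01, *range(0xD0, 0xD8)}


def trailing_bytes(data: bytes) -> int:
    """Return the number of bytes after EOI; -1 if the file is not a parseable JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos, in_scan = 2, False
    while pos < len(data):
        if data[pos] != 0xFF:
            if in_scan:          # ordinary entropy-coded byte
                pos += 1
                continue
            return -1            # a marker was expected here
        if pos + 1 >= len(data):
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:       # fill byte before a marker
            pos += 1
            continue
        if in_scan and (marker == 0x00 or 0xD0 <= marker <= 0xD7):
            pos += 2             # stuffed 0xFF or restart marker inside scan
            continue
        in_scan = False          # any other marker ends the current scan
        if marker == EOI:
            return len(data) - pos - 2
        if marker == 0x00:
            return -1            # FF 00 outside a scan is malformed
        if marker in STANDALONE or marker == SOI:
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            return -1
        pos += 2 + length        # skip marker plus its length-prefixed payload
        if marker == SOS:
            in_scan = True       # entropy-coded data follows the SOS header
    return -1                    # ran out of data without seeing EOI


def flag_images(samples: dict) -> dict:
    """Map filename -> trailing byte count for every image with data after EOI."""
    return {name: n for name, blob in samples.items() if (n := trailing_bytes(blob)) > 0}


# Constructed minimal JPEG-like sample: SOI, an APP0 segment, an SOS header,
# a short scan containing one stuffed byte and one restart marker, then EOI.
CLEAN = (b"\xff\xd8"
         + b"\xff\xe0" + struct.pack(">H", 4) + b"JF"
         + b"\xff\xda" + struct.pack(">H", 2)
         + b"\x12\xff\x00\x34\xff\xd0\x56"
         + b"\xff\xd9")
# Constructed "image" with an 8-byte blob appended after EOI.
SUSPECT = CLEAN + b"payload!"

if __name__ == "__main__":
    for name, count in flag_images({"clean.jpg": CLEAN, "suspect.jpg": SUSPECT}).items():
        print(f"{name}: {count} byte(s) after EOI")
```

Some cameras and editors append harmless metadata after EOI, so a non-zero result is a reason to look closer (for example, to check the trailing bytes for an executable header or a second file signature), not a verdict on its own.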
Phishing significantly grew in 2020
Alexander Serebryakov, Senior Solution Engineer at F5, comments for Angara Technologies Group: “Data from F5 Labs researchers recorded an increase in phishing attacks during the 2020 lockdowns. It was 220% higher than in previous years, and 72% of incidents used TLS encryption, which makes them difficult to block. In March the spread of the AZORult info-stealer began under the guise of an application for monitoring the current state of the pandemic, along with an increase in the spread of Emotet in phishing emails. IBM experts discovered a malicious e-mail campaign on behalf of WHO Director-General Dr. Tedros Adhanom Ghebreyesus with a built-in HawkEye keylogger, and Sophos experts uncovered a similar phishing campaign on behalf of the WHO aimed at collecting cryptocurrency donations intended for the COVID-19 Solidarity Response Fund. Towards the end of the month, a campaign distributing the Vidar info-stealer under the guise of a WHO application was revealed. The number of DDoS attacks on food delivery services began to grow, also accompanied by ransom demands. Even Zeus Sphinx (also known as Zloader or Terdot), which had been lying low in recent years, resumed its activity during the pandemic. The malicious Zeus files are distributed under the name “COVID 19 relief”.”
Remote work brings new risks
Denis Kuvshinov, Positive Technologies Security Center expert, adds: “Cybercriminals are using phishing emails about COVID-19 and the massive shift of companies to remote work. A large number of employees connect to the internal networks of their organizations from home devices, which are beyond the reach of corporate security tools. As a result, if an employee’s home device is infected with malware that can spread across the network, the organization has every chance of encountering an information security incident.” From January to April, the Wuhan City Administration and the PRC Ministry of Emergency Management were subjected to cyber-attacks. The alleged source of the attacks is the Vietnamese cybercriminal group APT32 (also known as OceanLotus). The attackers used the traditional method of phishing emails about the coronavirus. US Department of Defense networks were also bombarded with COVID-19-themed phishing. Industrial enterprises in Azerbaijan were reportedly targeted as well by a phishing campaign using documents related to COVID-19. The purpose of the infection was to install the PoetRAT remote access trojan. Researchers at Cisco Talos suggest that the delivered malware was intended for SCADA systems.
Fear, greed, curiosity
Specialists of the UserGate Monitoring and Response Center added: “In connection with the pandemic and the transition to remote work, the percentage of phishing attacks related to COVID-19 increased in 2020. And although the topics of the newsletters have changed, they still exploit such feelings of people as fear, greed, curiosity, etc.” By the summer, the number of fake contact-tracing apps had significantly increased. The goals of this malware are standard: stealing credentials and payment data, attempting to steal and withdraw funds, and then laundering the transfers through distribution schemes across accounts in different countries and “money mules”. For example, the information security company Anomali claims to have discovered at least 12 such applications. Instead of the promised function, the user gets an info-stealer that harvests financial and confidential data and account credentials. On the other hand, applications that really were created by governments and other services to monitor the coronavirus situation, because of the tight deadlines for their development, contain many critical vulnerabilities, including some that allow espionage and unauthorized collection of user data.