Cybercriminals Use Coronavirus Topic as a Bait in Their Scams
Coronavirus is by all means a dangerous disease- there's no vaccine developed yet, and the only reliable prevention measure is social distancing. So no wonder that cyberscammers are intensively exploiting this topic, flooding cyberspace with emails containing fake cures, protective diets, and health tips. Attachements to these emails - fraudulent e-books, information booklets, and fake missed invoices - are laden with ransomware, keyloggers, and data stealing malware.
The problem is much bigger than just phishing scams.
On March 14, a web tracker v by Twitter user @dustyfresh found 3,600 hostnames relTED TO coronavirus and COVID-19; all of them appeared on the web in just 24 hours.
On March 17, @sshell_ , security researcher and python developer, built a tool, providing real-time scans for potentially malicious domains, related to coronavirus. This tool is hosted at ThugCrowd, so you can use it to watch possible scam sites that are constantly being registered. RiskIQ reported about tracking more than 13,000 of them in one weekend in March, and more than 35,000 of them the next day.
Here are a few examples of the email scams spotted in the wild by Malwarebytes - a threat intelligence team.
Emails ostensibly related to the World Health Organization
In mid-March, there was an email phishing campaign. The threat actors were impersonating the World Health Organization (WHO), which is one of the main scientific resources as to COVID-19. That spam campaign distributed a fake e-book, laden with malicious code - a downloader called GuLoader, which was the first step in a complex scheme.
GuLoader was used for loading the information-stealing Trojan named FormBook, which had been stored on Google Drive in encoded format. Formbook is a popular info-stealer; it is relatively simple and has a wide range of capabilities, including keylogging, swiping content from the clipboard, and browser data stealing.
The GuLoader scam is just one of the scams where cybercriminals pose as World Health Organization, tricking victims into downloading and opening attachments laden with malware.
The Agent Tesla Campaign
On March 18, yet one another email campaign was uncovered, which used an invasive Agent Tesla keylogger. This keylogger, which can steal a variety of sensitive data, experienced a 100 percent increase in activity in three months in 2018, according to the reports.
Cybersecurity researchers wrote at LastLine that Agent Tesla acts as a fully-functional information stealer, which is capable of extracting credentials from browsers, mail, and FTP clients. It captures screen and video, logs keys and clipboards data, as well as carries out form-grabbing attacks in Instagram, Gmail, Twitter, Facebook, et cetera.
The Agent Tesla campaign tracked in mid-March involved an email allegedly coming from the WHO with the following subject line: Covid19″ Latest Tips to stay Immune to Virus !!
The email ostensibly included a PDF file with the info about “various diets and tips to keep us safe from being effected with the virus.”
The email arrived from the sender email address of “firstname.lastname@example.org.” , while legitimate WHO email addresses must end with “.int.” The email was signed by a “Dr. Sarah Hopkins, a WHO media relations consultant”.
The truth is that WHO has a public website for contacting its media relations representatives, but none of them is named Sarah Hopkins.The phone of “Dr. Hopkins” stated in the scam email doesn’t work - calling this number resulted in an error message from the provider.
This scam is just one example of an email campaign attempts to deliver Agent Tesla by means of impersonating the WHO.
The Campaign delivering HawkEye
Another malspam campaign spotted in March tries to trick victims into downloading HawkEye - a credential stealer that has been known ever since 2013.
According to Security Affairs, the cybersecurity news resource, HawkEye is being sold on hacking forums as a keylogger and info stealer.
HawkEye is delivered in an email from the alleged sender “DR JINS (CORONA VIRUS).” The subject line is the following: “CORONA VIRUS CURE FOR CHINA,ITALY”.
The email body reads as follows:
Kindly read the attached file for your quick remedy on CORONA VIRUS.
The email sender lists their place of work as the non-existent, misspelled RESEARCH HOSPITAL ISREAL at the address NO 29 JERUSALEM STREET, P.O.C 80067, ISREAL.
Campaign That Targets Users from Spain
One more campaign targets Spanish-speaking victims. The email that distributed GuLoader was signed by “Adriana Erico,”. The subject line was “Vacuna COVID-19: prepare la vacuna en casa para usted y su familia para evitar COVID-19”.
How to Protect Yourself
For scammers, coronavirus presents a wonderful opportunities to infect lots of victims' PCs. Fearful public is eager to get information related to COVID-19, which serves as a perfect bait. It means that protective measures stay the same: use common sense and don't open cuspicious emails.
While coronavirus topic became a goldmine for cybercriminals, there sometimes are good news. When a ransomware campaign started, infecting numerous users’ mobile phones by means of fake “Covid19 Tracker App” (the ransomeware demanded $100 for unlocking victims' devices), one user decompiled this malicious app and posted the universal passcode that defeated the ransomware. The passcode quickly became available to all after being shared on Twitter.