Email scammers typically use information obtained through cybercrime (e.g., hacking, phishing and/or use of malware) or through data leakage (e.g., from online sources and/or unsecure Wi-Fi connections) to target organizations. They impersonate executives, clients or business partners of the targeted organizations and request money transfers, often on an urgent basis. Two common types of such frauds are the CEO Fraud and the Mandate Fraud. In both, staff within the targeted organizations’ account departments receive emails from spoofed email addresses (i.e., those that have been altered to appear as if they have been sent by someone other than the actual sender) requesting payment to be made. The former includes requests from purported senior executives of the organizations for payments for an ongoing business transaction or a confidential new deal, while the latter includes requests from purported clients or business partners for payment for products or services to a new bank account.
COVID-19 cyberfraud tactics
As fears about COVID-19 continue to spread, cybercriminals have used a variety of tactics that exploit the widespread hunger for news about the coronavirus outbreak, using them as a phishing lure to gain access to information directly or through the use of implanted malware. We set out below some of the tactics employed.
Some phishing campaigns have incorporated fake domains designated to look like world health organizations. For example, cybercriminals have been sending out phishing emails that contain domain names similar to those used by the Center for Disease Control (“CDC”). While the actual centers for disease control domain is “cdc.gov”, the attackers have incorporated the domain “cdc-gov.org" within their phishing emails. These CDC-themed phishing emails encourage recipients to click on a link that contains details about new cases of coronavirus around their neighborhood. The link, portrayed as steering recipients to the CDC website, instead redirects victims to a fake website which looks like an email account login page, where targets are asked to enter their username and password.4
A security firm also published a report about a sharp increase in the number of domains being registered related to coronavirus. An example of such a website is “vaccinecovid-19.com”, first created on 11 February 2020 and registered in Russia. The website is insecure and offers to sell “the best and fastest test for coronavirus detection at the fantastic price of 19,000 Russian rubles (about US$300).”5
Other cybercriminals have been sending out phishing emails that use concerns over coronavirus-related disruptions to entice victims to open an attached document that installs the AZORult information stealer, which assists users to ensure owner anonymity and to make it difficult to block the command-and-control server. Emotet contained in phishing emails has also been used to install malicious code on endpoints it has infected, as well as giving it the ability to scrape victims’ computers for contact information. In addition, some attackers have increasingly rented Emotet botnets to install other malware, including Trickbot and various strains of ransomeware. Once the malware is downloaded, Emotet uses the infected system to send out additional phishing emails and spam with a view to growing the botnet.
In late January 2020, IBM X-Force researchers discovered a first wave of phishing scams that targeted some regions in Japan to spread the Emotet Trojan, as well as other malware, by using malicious messages that appear to contain information about COVID-19.6 Each of these phishing emails also contains an attached document, which is portrayed as offering updates of health information. In many cases, the analysts found cybercriminals attempting to deploy a number of Trojans to victims’ devices. If the file attachment is opened and Office 365 macros are enabled, an obfuscated VBA macro script begins running in the background, which then installs a Powershell script and downloads the Emotet Trojan.7 In one email, the attackers stated that the coronavirus had been detected in Osaka, while another mentioned the Gifu region of Japan. It appears that the attackers use specifically tailored warnings and language to scare inhabitants in those areas, making them more likely to click on the attachment. The emails also end with a footer that mentions a legitimate postal address as well as a fax and phone number.8
In another campaign, cybercriminals were sending out phishing emails that appeared to originate from the World Health Organization (the “WHO”). The emails urged the victims to click on a button to download a “document on safety measures regarding the spreading of corona virus”. By clicking on the link in the email, victims are led to a webpage that looks similar to the WHO website but contains a popup screen asking users to submit the username and password associated with their email address. If someone enters their credentials, the information is sent to the attackers.9
Other cybercriminals have taken a different tactic, zeroing in on concerns around the potential effects that COVID-19 may have on global shipping. In phishing emails that Proofpoint found, the messages contain the subject line “Coronavirus – Brief note for the shipping industry”. The document attached to the email contains malicious code that then attempts to install the AZORult malware.10