The first coronavirus phishing scams were pretty obvious. Mostly, they hoped to trick people into visiting sites that the emails claimed offered special treatments or gave out some sort of secret information. In fact, most such emails were captured by spam filters.
Now, however, as the virus spreads throughout the world and more people become concerned about their personal well-being, scammers are using more sophisticated techniques to gain the attention of the fearful. I will look at a few of the better crafted of these scams here.
Scam 1 – Coronavirus Victims in Your Region
Most of these emails take the form of a warning from the Center for Disease Control. Here is the header from one of these.
Notice that the sender’s email address seems, at least on the surface, to be legitimately from the CDC.
The messages vary, but all of the emails in this genre say that there are now coronavirus victims in your area. In order to find out the exact locations of these victims, you need to click on a link called something like the following.
Clicking on the link will redirect you through several sites which finally take you to the phishing page. Here you will see an Outlook sign in with your email already in place.
Entering your password will send you on to a legitimate CDC page with no specific information of infections in your area.
Unfortunately, in the process, the attackers now have your login credentials and they can do what they want with them.
Scam 2 – W.H.O. List of Affected Companies
This one isn’t as well-designed as the previous email. The grammar is clearly nonnative English, as can be seen here.
It contains a legitimate W.H.O. address as a footer and has an attachment named “Safety Precautions.” The attachment shows an Excel icon but is really an .exe or .rar file. If downloaded and opened, the file will install the Agent Tesla keylogger.
Agent Tesla is a password stealing program that is available as a subscription for $15 a month. It has the ability to hide and evade antivirus software. It can also do a lot more than just steal passwords. Fortunately, most people will be able to tell that the email is not what it tries to be. However, one note of caution. Some of the most recent W.H.O. phishing emails are much better designed with good English and an actual W.H.O. logo as can be seen below.
Scam 3 – Change in Company Policies Due to Coronavirus
This scam targets company employees and will appear to come from management, often the president. It may have the company logo to appear legitimate. In the example below, you can see how the company name and current date are programmed to appear.
The scam is designed to download malware if the link is clicked.
Here is another scam email that is well-written and which uses the company and president’s actual name (the names in the example do not actually exist).
Here, the employees are required to read the attachment. For some, this would be enough of an incentive for them to try to open it. The attachment could also concern new policies. In any event, it will eventually lead you to a fake Outlook sign in page as seen in the CDC letter above.
Remember, although this email mentions policies relevant to China, the topic could be updated with changes in the geographic spread of the virus. For example, other countries or regions, such as Europe, could be substituted. If the main foreign branches of a company are known, these could also form the theme for such emails, giving them an appearance of legitimacy.
Scam 4 – Update for Clients and Partners
This phishing email targets companies that have operations in China or those that depend on China for vital supplies. As above, keep in mind that the targeted region could change with the spread of the coronavirus. Here is one variety of regional targeting from Proofpoint.
This type of phishing email is likely to claim a lot of victims. The company names, email addresses, and websites mentioned may be legitimate. Everything may seem to check out. There is only one problem. The attachment which is mentioned in the email (“Please find attached our rescheduled resumption date including ways to contact our other factories inside China.”) will not do what it says it does. According to Proofpoint, downloading and opening the attachment will install the NanoCore remote access Trojan.
The addition of NanoCore RAT plus the legitimate appearance of the email make this attack far more dangerous than most. NanoCore RAT has been called “one of the most sophisticated RATs in the market”. Once released, it will not only take over the victim’s system, but can remain hidden as it works its way through a corporate network. It is not clear who would deploy such an attack. An individual hacker could use it to gather saleable personal information or a nation-state could use it to gather information. Let’s just say it is one that employees should learn to avoid.
Scammers love to blend their attacks in with current news items. Often, the first attempts are amateurish, often asking for donations or telling them to click on links for a variety of purposes. These early attacks usually come from individual hackers. The next wave of attacks is better and often tries to get the victim to download infected attachments. Here is where more organized hacking groups may get involved as stolen information needs to be sent to C&C sites for collection. The longer the news item lasts, the better the attacks become. As the coronavirus spreads throughout the world the scams become more targeted and appear more legitimate. Here is where nation-states may try to use them to gather important corporate or governmental information. These attacks will often penetrate the corporate network and make an effort to remain hidden as they steal information and send it on to the controllers.
It appears we are at this final stage now. This means that future attacks will be more likely to compromise companies and government agencies and we won’t even learn about them for many months, possibly even after the coronavirus has become a minor concern.