COVID-19 is being used in a variety of malicious campaigns including email spam, BEC, malware, ransomware, and malicious domains.
As the number of those afflicted continues to surge by thousands, campaigns that use the disease as a lure will likewise increase. The mention of current events for malicious attacks is nothing new for threat actors, who time and again use the timeliness of hot topics, occasions, and popular personalities in their social engineering strategies.
Many aspects of daily work, from meetings to presentations and collaborative tasks, have moved online because of quarantine restrictions affecting offices across the globe. As users adapt to new methods of working, they should be wary of cybercriminals using popular online tools, sharing software, and file attachments in their scams.
Many of the emails, purportedly from official organizations, contain updates and recommendations connected to the disease. Like most email spam attacks, they also include malicious attachments. One of the samples used the email subject “Corona Virus Latest Updates” and claimed to come from the Ministry of Health. It contained recommendations on how to prevent infection and came with an attachment that supposedly contained the latest updates on COVID-19 but actually carried malware.
Many of the spam emails were related to shipping transactions, either announcing a postponement due to the spread of the disease or providing a shipping update. One email informed recipients about a shipping postponement. The attachment, supposedly containing the details of the new shipping schedule, bears malware.
Cybercriminals are taking advantage of the public’s need for information, assistance, and supplies to victimize users. The US Department of Justice (DOJ) filed a temporary restraining order against a fraudulent website that is supposedly selling COVID-19 vaccine kits approved by WHO. However, there are no WHO-approved legitimate COVID-19 vaccines available in the market yet.
Malicious actors are also aware that many users across the globe are quarantined and spending more time looking for entertainment online. They use fake streaming sites, or sites offering entertainment promotions, to appeal to users. As always, users should be mindful of the websites they regularly use and keep credentials to online accounts as private as possible.
A mobile ransomware named CovidLock comes from a malicious Android app that supposedly helps track cases of COVID-19. The ransomware locks the phones of victims, who are given 48 hours to pay US $100 in bitcoin to regain access to their phone. Threats include the deletion of data stored in the phone and the leak of social media account details. A look at their cryptocurrency wallet shows that some victims have already paid the ransom on March 20.
There are also reports of malicious Android apps offering safety masks to targets worried about COVID-19. Unfortunately, the malicious app actually delivers an SMS Trojan that collects the victim's contact list and sends SMS messages to spread itself. So far, the app seems to be in the early stages of development and is simply trying to compromise as many users as possible.
A new cyberattack has been found propagating a fake COVID-19 information app that is allegedly from the World Health Organization (WHO). Bleeping Computer reports that the campaign involves hacking routers’ Domain Name System (DNS) settings in D-Link or Linksys routers to prompt web browsers to display alerts from the said app.
Users reported that their web browsers automatically open without prompting, only to display a message requesting them to click on a button to download a “COVID-19 Inform App.” Clicking on the button will download and install the Oski info stealer on the device. This malware variant can steal browser cookies, browser history, browser payment information, saved login credentials, cryptocurrency wallets, and more.
Protecting Yourself Against Scams
Unfortunately, scammers use current situations like the COVID-19 pandemic to prey on collective fear and misinformation for their fraudulent activities.
There are measures you can take to avoid getting duped.
- Be wary of telltale signs of phishing scams: unknown senders, glaring grammatical errors, mismatched URLs, and outlandish stories.
- Do not provide your identifiable information such as personal details and bank account information. Check if a site is asking for more information than what’s logical. For example, signing up for a newsletter or notification list shouldn’t require you to share your email password.
- Cybercriminals might use “related” URLs (e.g., “paypalsupport-coronavirus”) to trick users into thinking legitimate organizations are using specialized websites for the pandemic. Users should also check such sites by looking at the company’s official sites or social media for any evidence that they have new domains up and running.
- Multilayered protection for your devices, such as computers and mobile phones, is also recommended to cover all fronts and keep users from encountering threats such as spam and malware.
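The mismatched-URL and “related”-URL checks from the list above can be automated for the links in an email body. The following Python sketch is an added example, not part of the original article; the brand allowlist, the `.example` hosts and the sample email are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed (hypothetical) allowlist: brand token -> domains the brand really uses.
OFFICIAL = {"paypal": {"paypal.com"}, "dhl": {"dhl.com"}}
# Constructed sample email body; the .example host is a placeholder.
SAMPLE = ('<a href="http://paypalsupport-coronavirus.example/login">www.paypal.com</a>'
          '<a href="https://www.paypal.com/help">Help centre</a>')

def host_of(url):
    """Lower-cased hostname without a leading 'www.' ('' if there is none)."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def check_host(host):
    """Reasons a hostname looks like a brand lookalike (empty list if none)."""
    reasons = []
    for brand, domains in OFFICIAL.items():
        official = any(host == d or host.endswith("." + d) for d in domains)
        if brand in host and not official:
            reasons.append(f"brand '{brand}' on unofficial host")
    return reasons

class Links(HTMLParser):
    """Collects [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self.in_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.in_a = True
            self.links.append([dict(attrs).get("href") or "", ""])
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"
    def handle_data(self, data):
        if self.in_a:
            self.links[-1][1] += data

def audit(html):
    """Map each suspicious href to the list of reasons it was flagged."""
    parser, findings = Links(), {}
    parser.feed(html)
    for href, text in parser.links:
        target, shown = host_of(href), host_of(text.strip())
        reasons = check_host(target)
        # Link text that itself looks like a URL must point where it claims.
        if "." in shown and " " not in shown and shown != target:
            reasons.append(f"text shows {shown}, link goes to {target}")
        if reasons:
            findings[href] = reasons
    return findings
```

Matching on an exact domain or a dot-prefixed suffix keeps hosts such as `paypal.com.evil.example` from passing as official.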