Spotting cyber scams quickly in the midst of the COVID-19 pandemic is critical for organizations to stay ahead in this unprecedented situation.
Across the world, attackers are capitalizing on the COVID-19 pandemic to spread malware to unsuspecting victims, and we’re already seeing a real uptick in phishing and targeted spear-phishing campaigns. Hackers are essentially using COVID-19 as click-bait to gain access to our personal information. Knowing what to look for, and how to head hackers off at the pass, can help you navigate these complex times.
What are hackers after?
The short answer: anything they can use to gain access to information.
Credentials are a prized target. Attackers are using domains that closely resemble legitimate websites in high demand – and associated email addresses – to get potential victims clicking through, sharing details, or inadvertently opening themselves up to malware that will do the digging for them.
Hackers are masquerading as legitimate organizations
In the US, hackers have spoofed the email persona of the Centers for Disease Control and Prevention (CDC) to further their fraud: the sending addresses are forged to closely mirror the CDC’s own and fool recipients into clicking through.
The same goes for websites. Reports of fraudulent domains that closely resemble the CDC’s official website (www.cdc.gov) are on the rise. Emails containing links like cdc.org or cdcgov.org are popping up and redirecting users to fake login pages for Microsoft, Facebook and Google where attackers can steal users’ credentials.
Malicious sites masquerading as the CDC are also prompting users to donate cryptocurrency to fund vaccine research – another evolving element of the scam. This type of activity is beyond the control of organizations like the CDC and does not suggest any underlying security concerns with the spoofed organizations.
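The lookalike domains described above (cdc.org and cdcgov.org standing in for www.cdc.gov) can be caught on the defending side before a user ever clicks. The script below is an added example, not code from the article or from the CDC: it pulls URLs and bare hostnames out of an email body, works out the registrable domain, and flags any host that imitates a protected domain. It goes a little beyond the article’s two cases by also catching the brand name pushed into a subdomain of an unrelated domain and single-character typos. The sample email, the function names and the two-label approximation of the registrable domain are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Legitimate domain whose look-alikes we want to catch (cdc.gov is the one the article names).
PROTECTED_DOMAINS = {"cdc.gov"}

# Matches full URLs, "www." hosts and bare domains such as cdc.org.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+|\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)

# Constructed sample email for this example; the hostnames are illustrative only.
SAMPLE_EMAIL = """Subject: Updated COVID-19 guidance

Official guidance is published at https://www.cdc.gov/coronavirus.
Verify your account at http://cdcgov.org/login to keep receiving updates.
A mirror is available at cdc[.]org and at https://cdc.gov.account-verify.example/signin
"""


def registrable_domain(host):
    """Last two labels of the hostname (www.cdc.gov -> cdc.gov).
    Assumption: a two-label approximation; real deployments should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos such as cbc.gov."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return 'legitimate', 'lookalike of <domain>' or 'unrelated' for one hostname."""
    host = host.lower().rstrip(".")
    rd = registrable_domain(host)
    if rd in PROTECTED_DOMAINS:
        return "legitimate"
    subdomain_labels = host.split(".")[:-2]
    for protected in PROTECTED_DOMAINS:
        brand = protected.split(".")[0]  # "cdc"
        # Brand reused under another TLD or padded with extra characters: cdc.org, cdcgov.org
        if rd.split(".")[0].startswith(brand):
            return f"lookalike of {protected}"
        # Brand pushed into a subdomain of an unrelated domain: cdc.gov.account-verify.example
        if brand in subdomain_labels:
            return f"lookalike of {protected}"
        # One character off from the real domain: cbc.gov, cdc.g0v
        if edit_distance(rd, protected) <= 1:
            return f"lookalike of {protected}"
    return "unrelated"


def scan_email(text):
    """Extract every URL or bare host in an email body and classify it.
    Defanged '[.]' notation (as used in threat reports) is re-armed before matching."""
    findings = []
    for match in URL_RE.finditer(text.replace("[.]", ".")):
        raw = match.group(0).rstrip(".,;:)")
        url = raw if "://" in raw else "http://" + raw
        host = urlparse(url).hostname
        if host:
            findings.append((raw, host, classify_host(host)))
    return findings


def suspicious_hosts(text):
    """Sorted, de-duplicated hostnames in the email that imitate a protected domain."""
    return sorted({host for _, host, verdict in scan_email(text) if verdict.startswith("lookalike")})


if __name__ == "__main__":
    for raw, host, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:22} {host:35} {raw}")
```

The two-label shortcut in `registrable_domain` is the main caveat: it mis-handles suffixes such as co.uk, so a mail-gateway rule built on this idea should resolve the registrable domain with the Public Suffix List and keep the protected-domain set to the handful of brands the organization actually relies on, to keep false positives low.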
What should your organization be watching out for?
First things first, the phishing emails we’re seeing typically come in two shapes: they either carry malware in an attached Microsoft Office document, or purport to come from a reputable organization (like the CDC). Regardless of the type of email, the goal is the same: hackers are hoping you’ll click the link and enter your credentials.
AZORult malware, which appears to have originated in Russia or Eastern Europe, is a good example of that. This campaign has been targeting the transportation, manufacturing, industrial, pharmaceutical and finance industries through malicious documents. It exploits a known Microsoft Office vulnerability that allows arbitrary code execution on the victim’s machine; once it runs, the malware steals information from the machine and sends it back to the attacker.
AZORult is also circulating as a website that purports to show a map of the virus’ spread. Corona-Virus-Map[.]com is a sleek and polished website, claiming to provide live information. But the website is a hoax. It delivers a variant of AZORult malware through a file called corona.exe, tricking users into downloading it. Once run, the malware can take screenshots, gather information and steal credentials.