4 minute read 18 Mar. 2020

Protecting your organization during a pandemic

By Chandra Majumdar

EY Canada Cyber Threat Management Leader

Offering clients the next generation of protection to safeguard what matters most to them.

Spotting cyber scams quickly in the midst of the COVID-19 pandemic is critical for organizations to stay ahead in this unprecedented situation.

Across the world, attackers are capitalizing on the COVID-19 pandemic to spread malware to unsuspecting victims, and we’re already seeing a real uptick in phishing and targeted spear-phishing campaigns. Hackers are essentially using COVID-19 as click-bait to gain access to our personal information. Knowing what to look for, and how to head hackers off at the pass, can help you navigate these complex times.

What are hackers after?

The short answer: anything they can use to gain access to information.

Credentials are a prized target. Attackers are using domains that closely resemble legitimate websites in high demand – and associated email addresses – to get potential victims clicking through, sharing details, or inadvertently opening themselves up to malware that will do the digging for them.

Hackers are masquerading as legitimate organizations

In the US, hackers have spoofed the email persona of the Centers for Disease Control and Prevention (CDC) to further their fraud activity. Attackers have “spoofed” sending email addresses to closely mirror the CDC’s and fool recipients into clicking through.

The same goes for websites. Reports of fraudulent domains that closely resemble the CDC’s official website (www.cdc.gov) are on the rise. Emails containing links like cdc.org or cdcgov.org are popping up and redirecting users to fake login pages for Microsoft, Facebook and Google where attackers can steal users’ credentials.

Malicious sites masquerading as the CDC are also prompting users to donate cryptocurrency to fund vaccine research – another evolving element of the scam. This type of activity is beyond the control of organizations like the CDC and does not suggest any underlying security concerns with the spoofed organizations.

What should your organization be watching out for?

First things first, the phishing emails we’re seeing typically come in two shapes: they either carry malware in an attached Microsoft Office document, or purport to come from a reputable organization (like the CDC). Regardless of the type of email, the goal is the same: hackers are hoping you’ll click the link and enter your credentials.

AZORult malware, appearing to have originated in Russia or Eastern Europe, is a great example of that. This campaign has been targeting the transportation, manufacturing, industrial, pharmaceutical and finance industries through malicious documents. It exploits a known Microsoft Office vulnerability which allows for arbitrary code execution on the victim’s machine. That means once it runs, the malware steals information from the victim’s machine and sends it back to the attacker.

AZORult is also circulating as a website that purports to show a map of the virus’ spread. Corona-Virus-Map[.]com is a sleek and polished website, claiming to provide live information. But the website is a hoax. It delivers a variant of AZORult malware through a file called corona.exe, tricking users into downloading it. Once it’s run, the malware is capable of screenshotting, information gathering and credential stealing.

Malware-hiding coronavirus infection map

We’re also seeing examples of phishing campaigns that capitalize on a reputable name to lure would-be victims in. For example, hackers are using prominent physician names from leading organizations such as the World Health Organization to up their credibility and deliver a variant of TrickBot malware.

TrickBot is a modular piece of malware that can be used to steal information and drop additional malware onto the victim’s computer. This campaign uses malicious Microsoft Office documents to deliver the payload, and cons users into opening the document by claiming to give important COVID-19 updates.

Emotet malware has also been linked to COVID-19 phishing attacks. Emotet originally started off as a banking trojan which stole credit card information, but its capabilities have since evolved. Today, it’s often used as a jumping-off point for other malware, including ransomware. Where COVID-19 is concerned, attackers are bundling their emails with malicious Microsoft Office documents containing macros. Those macros then download Emotet through a PowerShell script.

Keyloggers are also popular right now. Keyloggers can record every keystroke a user makes. That gives attackers access to usernames, passwords, bank accounts and anything else the user types. Attackers are making the most of this through malicious Microsoft Excel documents they’re sending via email. Users are led to believe the attachment contains a list of companies affected by COVID-19, and the documents then install the Agent Tesla keylogger.

How can you protect yourself and your organization?

Attackers will take full advantage of these types of situations – and you need to be prepared accordingly. Understanding how malicious activity is carried out is the first step to defending your networks and data.

Consider these tips as you work to prevent attacks:

  • Obtain COVID-19 information directly from trusted sources.
  • Conduct mock phishing exercises and educate employees on the dangers of phishing.
  • Be cautious when viewing email from unknown senders. Check the email headers for suspicious sender addresses. If it doesn’t feel right, it might not be.
  • Only open attachments of verified, trusted senders and – importantly – only those which you are expecting to receive.
  • Be aware of links in emails and only click those that you can verify and trust.
  • Ensure all systems are patched and the latest updates are installed.
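
The lookalike domains described earlier (cdc.org and cdcgov.org standing in for cdc.gov) and the tip to check email headers for suspicious sender addresses can be turned into an automated check. The Python below is an added example, not part of the original article; the trusted-domain list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the allow-list of genuine domains your organization trusts.
TRUSTED = {"cdc.gov"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def classify(domain, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    domain = domain.lower().rstrip(".")
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted"
    labels = domain.split(".")
    for good in trusted:
        brand = good.split(".")[0]        # "cdc": same name, different TLD
        squashed = good.replace(".", "")  # "cdcgov": dots folded into one label
        if brand in labels or any(squashed in l.replace("-", "") for l in labels):
            return "lookalike"
    return "unknown"

def review_message(raw):
    """List (location, domain, verdict) for sender headers and body links."""
    msg = message_from_string(raw)
    seen = []
    for header in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr:
            seen.append((header, addr.rsplit("@", 1)[1].lower()))
    # Text of every non-multipart part (transfer encodings are not decoded here).
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            seen.append(("link", host))
    return [(where, d, classify(d)) for where, d in seen]

# Constructed sample message using the domains named in the article.
SAMPLE = """\
From: "CDC Health Alert" <alerts@cdcgov.org>
Subject: COVID-19 update

See http://cdc.org/login and https://www.cdc.gov/coronavirus
"""

if __name__ == "__main__":
    for row in review_message(SAMPLE):
        print(row)
```

A "lookalike" verdict is a prompt for quarantine or manual review; "unknown" only means the domain is not on the allow-list and does not resemble it.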

Even during a pandemic, cybersecurity threats show no signs of slowing down. Visit ey.com/ca/cyber to find out how EY can help you mitigate threats and protect your business.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity.


Hackers are already capitalizing on COVID-19 to launch harmful new attacks around the world. Knowing what those scams look like, and keeping these tips in mind, can help as you bolster your defences.
