Office of the Chief Information Security Officer

March 9, 2020

Coronavirus themed phishing


Phishing emails and emails containing malware often play to our innate fear responses. For example, recurring themes are urgent shipping notifications or warnings that an account will be closed if action is not taken immediately. Cybercriminals and other malicious cyber actors are looking for the latest trick to make their attacks more successful. An increasingly popular malicious tactic is the use of attention-grabbing world events as lures to increase click-through rates, and therefore the success of the attacker’s phishing or malware campaign.

In December of 2019, the cybercriminal operators of the Emotet malware and botnet[1] were observed spreading their malware with email lures that celebrated Greta Thunberg’s Time Person of the Year award[2] and instructed recipients to open an attached malware-laden document. Previously, in September 2019, Emotet operators crafted similar lures announcing the release of Edward Snowden’s memoir[3]. Now, the operators of this prolific botnet are at it again with lures warning of COVID-19 or portraying themselves as public health officials. In early February 2020, an Emotet campaign targeted Japanese speakers, impersonating a government disability welfare service provider[4], just as the outbreak began to emerge in Japan.

Emotet is just one example of a threat leveraging Coronavirus fears. Other observed threats include:

  • Messages impersonating the US Center for Disease Control (CDC) offering guidance on how to respond to the coronavirus outbreak. These messages came from an impersonation domain (cdc-gov[.]org rather than the legitimate cdc.gov), and linked to a site that spoofed an Outlook Web Access login page to phish for credentials[5].
  • Lures targeting the shipping industry that warn of supply chain disruption. These email messages carried infected Word document attachments containing the AZORult information-stealing trojan[6].
  • Mobile applications purporting to offer updates about the virus. Google recently removed almost all applications that reference the virus from its Android Play Store[7], in response to concerns about the spread of misinformation. Android applications that reference the virus have also been found containing malware[8].

When we are more fearful, we are more vulnerable to manipulation. Malicious cyber actors want to leverage our concern for our health to advance their malicious cyber activities. There are analogues in our response to these cyber threats and threats to our health: simple preventative measures have a great impact on the efficacy of these threats.

When it comes to phishing and malware, look out for lures that attempt to instill fear, whether it is a seemingly urgent request to reset your account or a message warning about a scary global event. Double check that the sender is who you think it is, hover over links before clicking, do not open unsolicited email attachments, and ensure you are on a legitimate domain before entering your username and password. If you suspect an email message may contain malware or phishing, forward it as an attachment[9] to help@uw.edu.
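For mail administrators who want to automate the "legitimate domain" check, the following is an added example (not part of the original advisory) that flags links whose hostname imitates a trusted domain, as cdc-gov[.]org imitates cdc.gov. The trusted list, the function names and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains your organization treats as legitimate.
TRUSTED = {"cdc.gov", "uw.edu"}
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s<>\"']+", re.I)

def host_of(url):
    """Return the lower-cased hostname of a URL, accepting defanged forms."""
    url = url.strip().replace("[.]", ".")
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    if "://" not in url:
        url = "//" + url  # let urlsplit parse a bare hostname
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def squash(name):
    """Drop dots and hyphens so 'cdc.gov' and 'cdc-gov' compare equal."""
    return name.replace(".", "").replace("-", "")

def classify(url, trusted=TRUSTED):
    host = host_of(url)
    if not host:
        return "invalid"
    # Legitimate: the trusted domain itself or one of its subdomains.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    for d in trusted:
        # Trusted name used as labels inside another domain.
        if f".{d}." in f".{host}":
            return "lookalike"
        # Trusted name with its dot swapped for a hyphen or removed.
        if any(squash(label) == squash(d) for label in host.split(".")):
            return "lookalike"
    return "unknown"

def flag_links(body):
    """List (url, verdict) for every link in a message that is not trusted."""
    found = [(u, classify(u)) for u in URL_RE.findall(body)]
    return [(u, v) for u, v in found if v != "trusted"]

# Constructed sample message; only the two domains come from the advisory.
SAMPLE = (
    "CDC guidance on the outbreak: hxxps://cdc-gov[.]org/owa/\n"
    "Official site: https://www.cdc.gov/coronavirus\n"
)

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE):
        print(verdict, url)
```

A "lookalike" verdict is a heuristic signal for review; an "unknown" verdict only means the host is not on the trusted list.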

[1] https://ciso.uw.edu/2018/12/10/emotet-malware/
[2] https://www.proofpoint.com/us/corporate-blog/post/emotet-wishes-you-merry-christmas-greta-thunberg
[3] https://threatpost.com/emotet-resurgence-continues-with-new-tactics-techniques-and-procedures/149914/
[4] https://www.bleepingcomputer.com/news/security/emotet-uses-coronavirus-scare-to-infect-japanese-targets/
[5] https://www.kaspersky.com/blog/coronavirus-phishing/32395/
[6] https://www.proofpoint.com/us/corporate-blog/post/coronavirus-themed-attacks-target-global-shipping-concerns
[7] https://www.theverge.com/2020/3/5/21167102/apple-google-coronavirus-iphone-apps-android-misinformation-reject-ban
[8] https://twitter.com/malwrhunterteam/status/1230091623901650945
[9] https://itconnect.uw.edu/connect/email/resources/protecting-your-email/forwarding-email-as-an-attachment/