Coronavirus Fears Lead to New Wave of Phishing, MalwareEuropean Central Bank Among Those Issuing Warnings
As COVID-19 spreads throughout the globe, with the potential to affect the economies and stock markets throughout Western Europe and the United States, cybercriminals are sending more phishing emails with this worldwide health emergency as a lure, according several security research reports released over the last week.
The number of cyberthreats related to the new coronavirus, COVID-19, has grown enough over the last 60 days that the European Central Bank released a letter warning financial institutions about increases in phishing and other related cybercrimes.
In the letter, the central bank for EU countries that use the euro warns not only of the financial dangers that banks and other institutions face from the coronavirus, but stresses that now is the time for "assessing risks of increased cybersecurity related fraud, aimed both to customers or to the institution via phishing mails, etc."
As of Tuesday morning, the novel coronavirus had led to the deaths of over 4,000 and infected more than 115,000 worldwide, according to a research team at Johns Hopkins University.
While researchers first noticed this uptick in phishing and spam campaigns leveraging references to the coronavirus in January, the trend has picked up as the virus has spread worldwide (see: Phishing Campaigns Tied to Coronavirus Persist).
" A lot of people are going to fall for phishing and telephone scams related to the 'coronamania' and the correction in the markets," says Joseph Krull, an analyst with Aite Group and a former CISO, referring to Monday's stock plunges.
In a note released Thursday, researchers at security firm Check Point said that the number of registered domains related to coronavirus have increased since January, and a small but significant portion of these are likely related to phishing and other malicious activity.
"Since January 2020, there have been over 4,000 coronavirus-related domains registered globally. Out of these websites, 3 percent were found to be malicious and an additional 5 percent are suspicious," according to Check Point researchers. Many of these malicious domains are created for phishing campaigns, they point out.
An example of these types of phishing campaigns was found Friday by the Malware Hunting Team, a group of anti-malware researchers. In a post to the group's Twitter account, researchers describe a phishing campaign that is spoofing the domain of the World Health Organization, which is part of the United Nations.
The phishing email, which offers a "Coronavirus Update," contains a zipped attachment that is portrayed as offering stats and updates on the virus, according to the report. It also contains a malicious executable called "MyHealth.exe," which is disguised as a Excel spreadsheet, the researchers report.
Email w/ subject "Coronavirus Updates" faking from "World Health Organization" containing zip attachment which contains "MyHealth.exe" (e36e8d05c42c3084ffffd875300ce22f559e47109653887c8889d50c7721e854) that is GuLoader (w/ default icon).— MalwareHunterTeam (@malwrhunterteam) March 6, 2020
Payload: Formbook (thx @James_inthe_box). pic.twitter.com/StU68THrXy
This file contains a malware downloader, which then attempts to install a infostealer called FormBook that's capable of "capturing screenshots of a victim's desktop, monitoring clipboard, keystroke logging, clearing browser cookies, downloading and executing files," according to a 2019 report from security firm Cyware about this strain of malware.
In February, the World Health Organization warned that cybercriminals were using its logos and other details from its websites to create more realistic-looking phishing emails designed to send victims to a fake landing page that contains a popup screen asking users to verify the username and password associated with their email address. If someone enters their credentials, the information is sent to the attackers, according to the report.
Similar malicious campaigns have spoofed the U.S. Centers for Disease Control and Prevention (see: More Phishing Campaigns Tied to Coronavirus Fears).
Security firm Sophos also recently identified a malicious campaign that was targeting Italian residents using fake email portrayed as being from the World Health Organization. The email contains information in Italian with the subject line "Coronavirus: Important information on precautions."
These phishing emails also contain an attached Word document, which Sophos researchers note is embedded with software modules that are used to spread TrickBot, a one-time banking Trojan that is being increasingly used to deliver different variants of ransomware (see: Malware Most Foul: Emotet, Trickbot, Cryptocurrency Miners).
These phishing email are made to look more legitimate because they are written in Italian and quote an Italian WHO official, according to Sophos. Italy has been hard-hit by the coronavirus, and the government has now ordered a nationwide lockdown to keep the virus from spreading, according to the New York Times.
Managing Editor Scott Ferguson contributed to this report.