COVID-19 , Cybercrime , Fraud Management & Cybercrime

Fresh Twist for Pandemic-Related Phishing Campaigns

Microsoft Spots Malicious Messages Spreading LokiBot Infostealer
Fresh Twist for Pandemic-Related Phishing Campaigns

Fraudsters are honing their phishing emails tied to the COVID-19 crisis, using fake messages about business continuity plans and new payment procedures to spread the LokiBot information stealer, Microsoft researchers report.

See Also: The Healthcare CISO’s Guide to Medical IoT Security

In a series of tweets, the Microsoft Security Intelligence team posted examples of these messages. One email contained the subject line: "Business continuity plan announcement starting May 2020." Another subject line announced: "E-Payment Bank Transactions," with the body of the phishing email describing how payments by check will no longer be accepted during the COVID-19 pandemic.

The phishing emails contain malicious attachments that, if opened, enabled macros that install the LokiBot information stealer, according to Microsoft.

The LokiBot malware has the ability to capture a wide range of information, such as passwords stored in a browser, email passwords and FTP credentials, according to a report by FortiGuard Labs, the research arm of Fortinet.

Since the World Health Organization declared COVID-19 a global pandemic in March, fraudsters, cybercriminals and even some nation-state threat actors have used the healthcare emergency to further their own goals, whether it's stealing credentials or spreading malware. LokiBot has proven to be one of the more popular malware variants used in phishing campaigns (see: Nation-State Hackers Using COVID-19 Fears to Spread Malware).

Several Nigerian-based gangs also have used LokiBot in their business email compromise schemes.

Latest Phishing Emails

Microsoft Security Intelligence first discovered the new phishing tactics in messages dated May 6 and May 7.

The phishing campaigns use ARJ files - a compression format for creating very efficient zipped files. Each file contains a malicious Microsoft Excel file. If it’s opened, the LokiBot payload is injected in the Windows' dynamic link library.

Recent phishing email spreading LokiBot (Source: Microsoft)

LokiBot can be difficult to detect because some anti-virus scanners will skip checking ARJ files, especially if a password is used to encrypt files, Tanmay Ganacharya, the director of security research at Microsoft Threat Protection, told BleepingComputer.

Increase in COVID-19 Scams

On Tuesday, security firm Check Point Software reported that its researchers have recorded 192,000 COVID-19-related attacks each week for the past three weeks. These attacks include the deployment of malicious domains and phishing emails.

Check Point also found that nearly 20,000 new domains using either COVID-19 or coronavirus in their names have been registered in the last three weeks. Of these, about 17% are considered suspicious or malicious.

Meanwhile, credit rating agency TransUnion found that telecommunications, ecommerce and financial services industries have been most affected by COVID-19-related fraud - including credit card fraud, and identity theft.

And VMware Carbon Black reported Thursday that it's recorded a 238% increase in cyber incidents targeting banks and other financial institutions between February and April that appear related to the start of the COVID-19 pandemic. Cryptocurrency miners and Emotet malware are commonly used, the company notes (see: Emotet Malware Alert Sounded by US Cybersecurity Agency).


About the Author

Ishita Chigilli Palli

Ishita Chigilli Palli

Senior Correspondent, Global News Desk

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.