COVID-19 Phishing Schemes Escalate; FBI Issues WarningLatest Schemes Target At-Home Employees; Some Spoof Health Agencies
As the global COVID-19 pandemic worsens, security firms and law enforcement, including the FBI, are warning of increasing phishing and other cybercriminal scams targeting a largely at-home workforce.
Meanwhile, researchers also are finding that cybercriminals are continuing to spoof organizations that are providing COVID-19 updates to the public. For example, IBM X-Force found recent phishing emails spoofing the World Health Organization and claiming to come directly from Dr. Tedros Adhanom Ghebreyesus, the director-general of the United Nations organization.
The FBI issued a warning Friday after agents reported seeing spam and phishing campaigns that use government economic stimulus checks as lures. The FBI also warned of messages spoofing the U.S. Centers for Disease and Prevention, a tactic fraudsters used earlier.
"Look out for phishing emails asking you to verify your personal information in order to receive an economic stimulus check from the government," the FBI alert warns. "While talk of economic stimulus checks has been in the news cycle, government agencies are not sending unsolicited emails seeking your private information in order to send you money."
On Sunday, the Justice Department announced charges against the owners of a website that they allege fraudulently promised access to vaccine testing kits. Attorney General William Barr has promised a nationwide crackdown on such sites.
In the phishing emails that IBM researchers found, cybercriminals were using spoofed messages from WHO to spread HawkEye malware, a type of keylogger that has been gaining in popularity with cybercriminals gangs since newer versions were spotted by in the wild in July 2019.
IBM researchers first began seeing the spoofed WHO emails with Ghebreyesus' name on Thursday. These emails contain an attached file, called Coronavirus Disease (Covid-19) CURE.exe, which hides a .NET executable file, according to the IBM report.
Using obfuscation techniques, the first executable downloads a second .NET executable file that has the ability to turn off Windows Defender by changing registry items, according to the report. When the Hawkeye keylogger is downloaded, it gives the attackers the ability to capture screenshots and data from browsers and email clients including Mozilla, Postbox, Thunderbird, SeaMonkey, Flock, BlackHawk, CyberFox, KMeleon, IceCat, PaleMoon, IceDragon and WaterFox, according to IBM researchers.
Targeting Remote Workers
Meanwhile, the security firm AppRiver found cybercriminals targeting at-home employees with messages that notify workers of a positive COVID-19 test within their organization. The messages contain malicious attachments disguised as protocols that the company is undertaking as well as a "flyer" that recipients are asked to open, read and print out, according to AppRiver.
While these two attachments contain malware, the AppRiver report did not specify the strain or type.
Phishing emails and other cyberthreats targeting remote workers has experts, including Tom Kellermann, the head of cybersecurity strategy with VMWare Carbon Black, offering mitigation advice.
Kellermann advises practicing what he calls "digital distancing," which means employees should keep their work computer attached to a router and network that is separate from their home router. This dedicated work router needs to be updated and protected, he adds (see: COVID-19 and the Need for 'Digital Distancing').
Last week, the U.S. Department of Defense warned its military and civilian workforce to take security precautions to guard against potential hackers.
Managing Editor Scott Ferguson contributed to this report.