Microsoft Seizes Domains Used for COVID-19 Phishing Scam
Software Giant Asked Federal Court for Injunction Against Unnamed Hackers
A U.S. federal court has issued an injunction that gives Microsoft permission to seize control of several malicious domains being used to operate a COVID-19-themed phishing scam, according to court documents unsealed this week.
The U.S. District Court for the Eastern District of Virginia issued the injunction, according to the documents unsealed Monday. The order was obtained after Microsoft brought a civil suit against two unnamed defendants associated with the malicious domains used in the campaign and asked the court to grant a motion disabling the sites. In its complaint, Redmond argued that the defendants were attempting to harm the company and its customers.
Microsoft’s Digital Crimes Unit first located the domains in December 2019, and then noticed earlier this year that they were being used in conjunction with COVID-19-themed phishing scams, according to the company.
"Microsoft seeks a preliminary injunction directing the registries associated with these Internet domains to take all steps necessary to disable access to and operation of these Internet domains to ensure that changes or access to the Internet domains cannot be made absent a court order and that all content and material associated with these Internet domains are to be isolated and preserved pending resolution of the dispute," according to the court document.
The federal court issued the injunction on July 1 stating there is "good cause to believe the defendants have engaged in and are likely to engage in acts or practices that violate the Computer Fraud and Abuse Act."
The Scam
The scheme was centered on socially engineered phishing emails that contained references to COVID-19 and offered a possible financial bonus in order to induce the victim to click on a malicious link, according to Microsoft.
"Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application. Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account," Microsoft notes.
This gave the hackers access to the target's email, contacts, notes and material stored in their OneDrive for Business cloud storage space and corporate SharePoint document management and storage system, Microsoft adds.
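The access chain described above (a user consents to a malicious web app, which then reads mail, contacts, notes and OneDrive/SharePoint content) leaves a trace as a consent grant. The following is an added example, not code from the article or from Microsoft: a small detector that flags consent grants by non-admin users to apps from unverified publishers that request mail, contact or file scopes. The event record shape is constructed for this example, and the scope names merely mimic Microsoft Graph permission names; the high-risk set is an assumption.

```python
"""Flag risky user consent grants matching the consent-phishing pattern above."""
from dataclasses import dataclass, field

# Delegated scopes that give an app the kind of reach the article describes:
# mailbox, contacts, notes and OneDrive/SharePoint content. Names mimic
# Microsoft Graph permission names; the set itself is an assumption.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Contacts.Read", "Notes.Read",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
}

@dataclass
class ConsentEvent:  # constructed record shape, not a real audit log format
    user: str
    app_name: str
    publisher_verified: bool
    consented_by_admin: bool
    scopes: list = field(default_factory=list)

@dataclass
class Finding:
    user: str
    app_name: str
    risky_scopes: list

def flag_risky_consents(events):
    """Return a Finding for each grant that matches the pattern: a non-admin
    user consented to an app from an unverified publisher, and the grant
    includes at least one high-risk scope."""
    findings = []
    for ev in events:
        risky = sorted(set(ev.scopes) & HIGH_RISK_SCOPES)
        if risky and not ev.consented_by_admin and not ev.publisher_verified:
            findings.append(Finding(ev.user, ev.app_name, risky))
    return findings

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    ConsentEvent("alice@example.com", "COVID-19 Bonus Portal", False, False,
                 ["User.Read", "Mail.Read", "Files.Read.All"]),
    ConsentEvent("bob@example.com", "Corporate Expense Tool", True, True,
                 ["Mail.ReadWrite"]),  # admin-approved, verified publisher
    ConsentEvent("carol@example.com", "Weather Widget", False, False,
                 ["User.Read"]),  # low-risk scope only
]

if __name__ == "__main__":
    for f in flag_risky_consents(SAMPLE_EVENTS):
        print(f"{f.user}: unverified app '{f.app_name}' granted {f.risky_scopes}")
```

Only the first sample grant is flagged; the admin-approved verified app and the app holding only a profile scope are left alone.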

"This unique civil case against COVID-19-themed [business email compromise] attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers," Tom Burt, corporate vice president of customer security and trust at Microsoft, noted in a blog post about the case.
Since the World Health Organization declared COVID-19 a pandemic in March, security firms have noticed a significant uptick in fraudsters and hackers using the healthcare crisis in phishing emails and spam as a way to lure victims. In a report issued in June, Microsoft found that these types of schemes have slowed down significantly over the past several weeks (see: COVID-19-Themed Phishing Campaigns Diminish).
Earlier, Similar Scam
Microsoft's Digital Crimes Unit detected a similar campaign in December 2019, when the threat actors launched a phishing campaign designed to compromise Microsoft accounts, the company reported. That attack was detected and thwarted.
"Microsoft utilized technical means to block the criminals’ activity and disable the malicious application used in the attack. Recently, Microsoft observed renewed attempts by the same criminals, this time using COVID-19-related lures in the phishing emails to target victims," the company says.
Managing Editor Scott Ferguson contributed to this report.