Report: Rise in COVID-19 Vaccine Social Engineering, BEC, Phishing

Much as they’ve done throughout the pandemic, hackers are continuing to spread phishing, malware, and BEC through COVID-19 vaccine social engineering lures.

Recent Proofpoint research shows hackers are continuing to prey on fears tied to the COVID-19 pandemic. And as the vaccine rollout continues, social engineering lures are being leveraged in malware, phishing, and business email compromise (BEC) attacks.

Throughout the year, security researchers have consistently warned that hackers are using the pandemic to their advantage in a number of attacks. It follows repeated trends of cybercriminals leveraging popular, ongoing global headlines to prey on human fears.

With each stage of the pandemic, through personal protective equipment shortages and up to the recent vaccine rollout, hackers have continued to tweak phishing and fraud lures to match common trends.

The report follows a recent advisory from the FBI and Department of Health and Human Services that warned cybercriminals are preying on COVID-19 fears via fraud schemes that aim to steal personal data from victims.

The latest campaigns bear similar hallmarks, with Proofpoint observing an increase in the number of attacks leveraging COVID-19 vaccine news over the last two months.

The themes include government vaccine approvals, vaccine deployment logistics, and vaccine distribution to frontline workers, among others. The rise in email-borne attacks includes examples of abusing popular brands and organizations, such as the World Health Organization, DHL, and vaccine manufacturers.

The lures cover a range of topics around the vaccine, like COVID-19 fears, economic recovery, and forms to assist with receiving the vaccine, along with other popular topics. The campaign is targeting entities in the US, Canada, Germany, and Austria.

Proofpoint observed one BEC attack method that purports to be sent from an executive and asks the recipient to cooperate with a confidential acquisition or bogus merger. The emails were sent to employees in various roles, including vice presidents, general managers, and managing directors.

Another BEC campaign banked on urgency, asking the user to complete a task for the sender before the sender left for a meeting. The email requests the user send over their number, as a way to impress urgency. The emails “increase the stress by giving the recipient less time to think about their response and allowing the attacker to pivot outside of a protected ecosystem.”

Meanwhile, one phishing attack asks the user to confirm their email address to sign up for a vaccine appointment. The subject refers to COVID-19 vaccine dose supplies, and the body contained a malicious link that directed the user to a false webpage, encouraging the user to log in to obtain a vaccine.

“In this medium-sized campaign (hundreds of messages), threat actors began delivering messages on January 1, over four days, targeting dozens of different industries in the US and Canada,” researchers explained.

“The goal of this phishing campaign was to steal Office 365 login credentials (email and password),” they added. “This campaign was notable because it capitalized on the recent government approval of vaccines and the rush to receive it.”

In particular, the phishing email refers to government approval of the COVID-19 vaccine, providing a link that directs individuals to where they can supposedly register to receive one. At the time of the campaign, only US first responders and doctors on the front lines were getting the vaccines.

The emails also abused COVID-19 manufacturer names as a further way to entice users to interact with the malicious email.

One COVID-19 phish was leveraged by the hackers behind Agent Tesla RAT malware. The subject line abuses the WHO logo and name. Targeting a variety of sectors, the emails contain an attachment labeled “Download New Vaccines COVID-19 Report Safety.”

Proofpoint has observed this same actor spreading RATs, stealers, keyloggers, and downloaders since at least 2019. A March 2020 campaign also leveraged COVID-19 email lures, while in August a similar campaign leveraged malicious emails that offered PPE.

Instead, the emails delivered Agent Tesla onto the victim’s device.

The final COVID-19 campaign uses DHL-themed phishing emails. The message tells the user there’s a problem with a package delivery and asks the individual to correct their address to receive their delivery. The user is instead brought to a malicious landing page disguised as an official DHL site.

“The goal of this phishing campaign was to steal email login credentials (email address and password),” researchers explained. “While the email body content is typical for a package delivery service phish, the notable difference was in one of the subject variants.”

“The subject ‘COVID-19 vaccine distribution- Re-confirm your delivery address’ implied to the recipient that the specified package is supposedly a COVID-19 vaccine,” they added.

Given the increase in targeted attacks on the healthcare sector, providers should review previous phishing guidance provided by Microsoft, Europol, and the Office for Civil Rights to better understand phishing and other related threats.
