New COVID-19 Spear-Phishing, Spoofing Attacks Mimic Google, WHO

Barracuda detected a new impersonation attack, where hackers spoof Google-branded sites in spear-phishing campaigns. Meanwhile, Google details spoofing campaigns mimicking WHO.

Cybercriminals are once again working to take advantage of the COVID-19 pandemic through two new phishing campaigns: Hack-for-hire groups are spoofing the World Health Organization (WHO), while other hackers are impersonating Google-branded sites. Both campaigns are designed to harvest user credentials.

The reports mirror recent Proofpoint research, which found a dramatic increase in spoofing attempts through phishing campaigns and fake websites leveraging COVID-19-related themes. In those campaigns, hackers mimic government agencies and non-governmental organizations (NGOs) to steal login credentials and financial data.

The first report, from Barracuda, details a new type of impersonation attack, the form-based attack, which disproportionately leverages Google-branded sites to trick users into sharing their login credentials.

In form-based attacks, scammers use file-sharing, content-sharing, or other productivity sites like docs.google.com or sway.office.com to dupe victims into sharing their credentials. The phishing emails contain links to one of those legitimate sites, which makes this specialized attack challenging to detect.

What’s worse, one detected variant is able to steal account access even if the user does not provide the credentials.

Researchers observed almost 100,000 form-based attacks between January 1 and April 30, making up 4 percent of all spear-phishing attacks sent during that timeframe. Those numbers are expected to rise as hackers successfully harvest credentials from those attacks.

Of those attacks, Google file sharing and storage websites were used 65 percent of the time, including storage.googleapis.com (25 percent), docs.google.com (23 percent), storage.cloud.google.com (13 percent), and drive.google.com (4 percent).

Meanwhile, Microsoft-branded sites were used in 13 percent of these attacks, including onedrive.live.com (6 percent), sway.office.com (4 percent), and forms.office.com (3 percent). Other sites used in the campaigns include sendgrid.net (10 percent), mailchimp.com (4 percent), and formcrafts.com (2 percent).

There are three common tactics leveraged in form-based attacks. In the first, hackers use legitimate sites as intermediaries: the threat actor sends an email that appears to come from a file-sharing site and contains a link to a file stored on a legitimate file-sharing site. That file, in turn, contains a link to a phishing site that asks the user to log in.

In the second method, hackers create an online form using a legitimate service. The malicious form mimics the login page of a legitimate service, and a link to the form is included in phishing emails to harvest credentials.

“These impersonation attacks are difficult to detect because they contain links pointing to legitimate websites that are often used by organizations,” researchers explained. “However, services that request account verification or password changes do not normally use these domains.”
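The researchers' observation suggests a triage rule: a link to one of these sharing or form sites is normal on its own, but not when the same message asks for account verification or a password change. The following is an added example, not code from Barracuda; the domain list comes from the figures quoted above, while the phrase list and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosting/form domains named in the Barracuda figures quoted in this article.
SHARING_HOSTS = {
    "storage.googleapis.com", "docs.google.com", "storage.cloud.google.com",
    "drive.google.com", "onedrive.live.com", "sway.office.com",
    "forms.office.com", "sendgrid.net", "mailchimp.com", "formcrafts.com",
}
# Assumed phrase list for account-verification / password-change requests.
ACCOUNT_LURE = re.compile(
    r"verify your account|confirm your (account|identity|password)|"
    r"(reset|change|update) your password|password (will )?expire|sign in to view",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def sharing_links(body):
    """Return URLs whose host is, or is a subdomain of, a listed sharing site."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in SHARING_HOSTS):
            hits.append(url)
    return hits

def triage(body):
    """Flag only the combination: account-action wording plus a sharing-site link."""
    links = sharing_links(body)
    lure = ACCOUNT_LURE.search(body)
    return {"flag": bool(links and lure), "links": links,
            "lure": lure.group(0) if lure else None}

# Constructed sample messages (not taken from any real campaign).
SAMPLE_FORM_LURE = ("Your mailbox is almost full. Please verify your account here: "
                    "https://docs.google.com/forms/d/e/EXAMPLE/viewform")
SAMPLE_NORMAL_SHARE = ("Minutes from Tuesday are at "
                       "https://drive.google.com/file/d/EXAMPLE/view")
# A lookalike host is a different problem (domain spoofing) and is not matched here.
SAMPLE_LOOKALIKE = ("Please reset your password at "
                    "https://docs.google.com.example.net/login")

if __name__ == "__main__":
    for msg in (SAMPLE_FORM_LURE, SAMPLE_NORMAL_SHARE, SAMPLE_LOOKALIKE):
        print(triage(msg))
```

A flagged message is a candidate for quarantine or analyst review rather than proof of phishing, since legitimate senders occasionally combine both signals.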

The third method – and most severe – gives hackers access to a victim’s account without stealing credentials. Researchers explained the initial phishing email contains a malicious link to a site that mirrors a typical login page, where “even the domain name in the browser window appears to match what user may expect to see.”

“However, the link contains a request for an access token for an app. After login credentials are entered, the victim is presented with a list of app permissions to accept,” researchers explained. “By accepting these permissions, the victim is not giving up passwords to attackers, but rather grants the attacker’s app an access token to use the same login credentials to access the account.”

“With one particularly nasty variant of this attack, even two-factor authentication will do nothing to keep attackers out,” they continued. “Attacks like these are likely to go unnoticed by users for a long time. After all, they used their credentials on a legitimate website.”
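Because the login page in this third method is the real one, the signal for defenders is in the link's query string: which app is asking and for what. The following added example (not from the Barracuda report) parses such a link; the endpoints and scope names are the publicly documented Google and Microsoft ones, while the scope shortlist, the allow-list parameter and the sample URL are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Authorization endpoints on the identity providers' own domains (multi-tenant
# Microsoft endpoint only; tenant-specific paths are left out of this sketch).
AUTHZ_ENDPOINTS = {
    ("accounts.google.com", "/o/oauth2/v2/auth"),
    ("login.microsoftonline.com", "/common/oauth2/v2.0/authorize"),
}
# Assumed shortlist of scopes that expose mail or files; extend per policy.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "mail.read", "mail.readwrite", "files.readwrite.all",
}

def inspect_consent_link(url, approved_client_ids=frozenset()):
    """Describe an OAuth authorization request found in an email link."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or (host, parts.path) not in AUTHZ_ENDPOINTS:
        return None  # not an authorization request to a listed provider
    q = parse_qs(parts.query)
    client_id = q.get("client_id", [""])[0]
    scopes = q.get("scope", [""])[0].split()
    return {
        "idp_host": host,
        "client_id": client_id,
        "redirect_host": urlparse(q.get("redirect_uri", [""])[0]).hostname,
        "scopes": scopes,
        "broad_scopes": [s for s in scopes if s.lower() in BROAD_SCOPES],
        # offline_access (Microsoft) or access_type=offline (Google) requests a
        # refresh token, so the grant outlives the session and a password change.
        "long_lived": "offline_access" in scopes
                      or q.get("access_type", [""])[0] == "offline",
        "unapproved_app": client_id not in approved_client_ids,
    }

# Constructed sample link; the client_id is a placeholder, not a real application.
SAMPLE_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
               "&redirect_uri=https%3A%2F%2Fapp.example.net%2Fcallback"
               "&scope=openid%20offline_access%20Mail.Read")

if __name__ == "__main__":
    print(inspect_consent_link(SAMPLE_LINK))
```

A link that is unapproved, long-lived and asks for a broad scope is the combination worth blocking at the gateway; the same fields can be compared against the tenant's list of already-consented apps.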

WHO-Impersonation Campaigns Continue

In mid-March, Malwarebytes Labs researchers reported a resurgence in malspam phishing campaigns impersonating WHO. The first attacks were seen on March 7, prompting researchers to monitor for these campaigns in light of hackers working to take advantage of the COVID-19 pandemic.

According to new insights from Google, researchers have detected new activity from hack-for-hire firms creating Gmail accounts that mimic WHO. These attacks are primarily based in India and have largely targeted business leaders from healthcare corporations, consulting, and financial services around the globe, including the US.

These lures urge users to sign up for direct notifications from WHO on any COVID-19-related announcements, but link instead to websites hosted by the hackers. These sites “bear a strong resemblance to the official WHO website.”

“The sites typically feature fake login pages that prompt potential victims to give up their Google account credentials and occasionally encourage individuals to give up other personal information, such as their phone numbers,” researchers explained.

“Government-backed or state-sponsored groups have different goals in carrying out their attacks: Some are looking to collect intelligence or steal intellectual property; others are targeting dissidents or activists, or attempting to engage in coordinated influence operations and disinformation campaigns,” they added.

In the last month, Google has sent 1,755 warnings to users whose accounts were targeted by government-based hacking groups. Its researchers noted 2020 has been dominated by the pandemic, with a massive resurgence in COVID-19-related phishing and hacking attempts from commercial and government-based attackers.

Mitigation Recommendations

As hackers continue to modify attack methods to bypass email gateways and even spam filters, the use of AI for email platforms can better detect and block attacks, according to Barracuda researchers. Rather than relying on a tool that looks for malicious links or attachments in emails, machine learning can analyze normal user communication patterns.

Further, organizations should invest in technology able to identify suspicious activity and signs of potential account takeover, “such as logins at unusual times of the day or from unusual locations and IP addresses. Track IPs that exhibit other suspicious behaviors, including failed logins and access from suspicious devices.”

“Monitor email accounts for malicious inbox rules as well. They are often used as part of account takeover,” researchers explained. “Criminals log into the account, create forwarding rules and hide or delete any email they send from the account, to try to cover their tracks.”
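The inbox-rule check the researchers describe can be run over an export of mailbox rules. This is an added example, not Barracuda's tooling; the rule export, its field names, the internal domain and the folder list are all constructed assumptions to be mapped onto whatever the mail platform actually exports.

```python
# Constructed rule export; the field names are hypothetical, not a vendor schema.
SAMPLE_RULES = [
    {"mailbox": "cfo@corp.example", "name": "Newsletters",
     "forward_to": [], "move_to": "Newsletters", "delete": False, "mark_read": False},
    {"mailbox": "cfo@corp.example", "name": ".",
     "forward_to": ["archive@mail.example.net"], "move_to": None,
     "delete": True, "mark_read": True},
    {"mailbox": "nurse@corp.example", "name": "x",
     "forward_to": [], "move_to": "RSS Feeds", "delete": False, "mark_read": True},
]
INTERNAL_DOMAINS = {"corp.example"}   # assumption: the organization's own domains
# Assumed list of folders users seldom open, where moved mail goes unnoticed.
RARELY_READ = {"rss feeds", "conversation history", "junk email", "deleted items"}

def rule_findings(rule):
    """Return the reasons a single rule matches the cover-your-tracks pattern."""
    reasons = []
    external = [a for a in rule["forward_to"]
                if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards outside the organization: " + ", ".join(external))
    if rule["delete"]:
        reasons.append("deletes matching mail")
    if (rule["move_to"] or "").lower() in RARELY_READ and rule["mark_read"]:
        reasons.append("hides mail in a rarely read folder and marks it read")
    return reasons

def audit(rules):
    """Map (mailbox, rule name) to findings, skipping rules with none."""
    out = {}
    for r in rules:
        reasons = rule_findings(r)
        if reasons:
            out[(r["mailbox"], r["name"])] = reasons
    return out

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_RULES).items():
        print(key, reasons)
```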

And as repeatedly noted by security leaders and federal agencies, multi-factor authentication should be deployed across the enterprise, while user education is crucial to ensuring employees understand potential fraud attempts and how to report suspicious emails.

Healthcare organizations can also review cyber scam insights from the Office for Civil Rights, which also released a list of privacy and security resources aimed at shoring up the sector’s defenses amidst the rise in targeted attacks spurred by the COVID-19 crisis.
