COVID-19-Related Phishing Lingers, as New Attacks Use Vaccine Themes

Armorblox finds hackers continue to prey on the COVID-19 pandemic via phishing campaigns, while KnowBe4 discovered phishing attacks leveraging vaccine themes.

New reports from Armorblox and KnowBe4 show threat actors are continuing to prey on fears around the global COVID-19 pandemic, leveraging lures designed to increase the likelihood of success. The latest coronavirus-related phishing attacks use lures tied to vaccine availability.

Just as the coronavirus was deemed a national crisis, the number of phishing lures and related domains tied to the pandemic drastically spiked. And while the number of these phishing attacks died off by late May, many threat actors have continued their attempts to prey on virus-related fears.

The most recent COVID-19 spear-phishing and phishing campaigns targeted the workforce of COVID-19 vaccine supply chain vendors, with likely ties to Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program.

In the same vein, KnowBe4 discovered COVID-19-related phishing emails tied to vaccines. The lure attempts to exploit fears around vaccine availability in the US, following recent reports. As such, the malicious email leverages social engineering, telling the user they can fill out a form to receive the vaccine.

If a user clicks the malicious link, they’re directed to a credentials phish. Researchers noted that the email was not polished, but is a sign of what’s to come.

“The social engineering scheme in both emails exploits some of the basic questions and concerns that users and employees will have about the several vaccines currently on the cusp of widespread distribution,” researchers explained. “Put very simply, this is pretty much what we expected.”

“Malicious actors had a field day back in March and April as the Coronavirus washed over countries around the world,” they added. “It was and still is the perfect tool for social engineering scared, confused, and even downright paranoid end users into opening the door to your organization's network.”

According to Armorblox, there’s no indication that COVID-19 based email attacks will die down in the near future. The report provided insights on common phishing campaigns that leverage COVID-19 as a lure.

One social engineering campaign is masked as COVID-19 relief from the IRS, claiming to contain a document on relief funds. Clicking the malicious link would bring the victim to a SharePoint form that asked the user to input credentials, as well as other sensitive information, like Social Security numbers and tax numbers.

Notably, the SharePoint form that users are directed to is owned by an employee of the Reproductive Medicine Associates of Connecticut (RMACT). Researchers noted that it’s likely the employee’s account was compromised by the attackers.

What’s worse, as the phishing link directed users to a legitimate SharePoint page, the email evaded email security filters meant to block bad domains.

Another campaign mirrors earlier phishing attacks, impersonating automated messages sent from a provider and claiming to contain COVID-19 test results. Upon clicking the malicious link contained in the email, a malware-infected RAR file attempts to download to the victim’s computer.

The messages attempt to bolster the appearance of legitimacy by mentioning the name of a nurse and using the sender name ‘Doctors Support’ and the subject line ‘Notification your test results COVID-19’.

The body of the email also contains a password and PIN to access the attached document, further lulling victims into a false sense of security.

One sophisticated phishing lure impersonates an automated message from SharePoint, claiming to contain a file on COVID-19 requirements. If a victim clicks the malicious link, they’re instead directed to a deceptive site hosted on Amazon Web Services (AWS). Researchers noted the site had been taken down at the time of publication.

The phishing attack bolstered its success by inserting the emails into existing workflows: the receipt of online documents from coworkers that prompt the user to take immediate action. The messages were also personalized to the targeted victim and included a footnote that stressed the link would only work for the email recipient.

Armorblox reminded organizations to ensure that at least 2FA is implemented across applicable endpoints and to leverage a password manager to store various account passwords.

Administrators should also create their own lines of authentication and instill those verification checks in employees.

“You should try to replicate 2FA, even if in a loose sense, for COVID-related email that expects an action from you,” researchers explained. “For example, did your doctor just email you test results in an attachment? Call or text the doctor and confirm that they sent the email. Even if they are very busy, they will understand and appreciate your caution.”

“To augment existing email security capabilities, organizations should invest in technologies that take a materially different approach to threat detection,” they concluded. “Rather than searching through static lists and blocking known bad domains, these technologies should learn from custom organizational data and be able to stop socially engineered threats like payroll fraud, impersonation, and COVID-based email scams.”
