
Hackers Using COVID-19 Phishing, Website Spoofing for Credential Theft

Proofpoint observed over 300 COVID-19-related phishing campaigns since January, with hackers leveraging convincing phishing themes and website spoofing for credential theft.

Proofpoint researchers have detected a steep rise in COVID-19-themed phishing attacks that use spoofed websites mimicking government agencies and non-governmental organizations (NGOs) to steal login credentials and valuable financial data throughout the pandemic.

Researchers observed and analyzed more than 300 COVID-19 phishing campaigns since January 2020, which revealed hackers are focused on credential theft. The sudden growth of these campaigns began in March 2020, when COVID-19 was declared a national emergency.

The insights join a host of recent reports detailing hackers’ efforts to take advantage of the Coronavirus pandemic for financial gain. From fraud attempts and phishing attacks to targeting Virtual Private Networks (VPNs) and DNS routers, threat actors are banking on human nature to gain access to enterprise networks and to profit from the crisis.

The latest COVID-19 research shows hackers are increasingly leveraging COVID-19-themed credential phishing website templates that mimic the World Health Organization, the Internal Revenue Service, the Centers for Disease Control, and other agencies.

The templates allow hackers to easily create high-quality malicious web domains for their COVID-19 phishing campaigns. Notably, Proofpoint found that many of the templates seen in these campaigns use multiple pages, which add to the quality of these deceptive campaigns.

For example, the template that spoofs WHO is designed to mimic the legitimate government login site, including the logo and color scheme. Proofpoint explained this template was the first example of a phishing template specific to COVID-19.

Meanwhile, the CDC-spoofing template asks the user to input their email address and password to gain access to a “Vaccine ID.” The template includes Microsoft Outlook, Google Gmail, and other email logos, as well as a direct copy of the Coronavirus graphic hosted on the legitimate CDC website.

“Credential phishing attackers often tailor their email lures with themes they believe will be the most effective and use general websites for actual credential harvesting,” researchers wrote. “The recent move to create custom COVID-19 payment phishing templates indicates that buyers view them as effective enough to warrant custom tactics to harvest credentials.”

The campaign began to drop off in April 2020, which Proofpoint noted “likely reflects a combination of saturation for COVID-19 payment theme phishing templates and a move towards other COVID-19 themes as many one-time payments were disbursed.”

The cyberattacks are tied to a range of actors, from well-known, established hacking groups to unknown individual hackers. The campaigns are primarily in English, but the researchers have also detected attacks using Spanish, French, Japanese, and other languages.

“It's clear threat actors follow trends closely,” researchers explained. “We’ve seen throughout the COVID-19 situation how threat actors have followed the news and adapted their themes to match the unfolding public narrative.”

“The movement by governments in particular to offer financial support has caught the attention of threat actors who have moved not only to target those funds directly but to use them as themes for their malware and credential phishing attacks,” they added. “As the COVID-19 situation continues to unfold across the globe, we can expect these kinds of COVID-19 themed attacks to continue and threat actors to offer additional tools that can make those attacks easier to carry out.”

Fortunately, a host of security researchers and government agencies have been steadily working to provide resources and guidance designed to help healthcare providers and other organizations shore up some of the vulnerabilities that have emerged with the increase in telehealth and remote work during the pandemic.

Healthcare organizations should review telework guidance from the American Medical Association and the American Hospital Association, as well as cybersecurity guidance for telework from the National Security Agency. The Office for Civil Rights also released a list of COVID-19 security threat resources.

Microsoft also provided insights into the human-operated ransomware campaigns that have plagued the sector in recent months. Most recently, the Healthcare and Public Health Sector Coordinating Council released guidance on healthcare’s tactical security response and on protecting the sector’s trade secrets and research.
