OCR Shares COVID-19 Cyber Scam Advice, as Hackers Impersonate WHO

Hackers are taking advantage of the COVID-19 outbreak by impersonating WHO in coronavirus phishing campaigns. In response, OCR urges providers to review DHS cyber scam advice.

The Office for Civil Rights issued an alert for healthcare providers urging them to review recent COVID-19 cyber scam guidance from the Department of Homeland Security, as hackers continue to target users with coronavirus phishing campaigns.

Healthcare providers are being warned to stay vigilant for these types of scams, first outlined by DHS’ Cybersecurity and Infrastructure Security Agency (CISA) on March 6.

Cybercriminals are sending emails with malicious attachments or links to fraudulent websites in an attempt to gain access to sensitive information. As a result, organizations should be cautious when handling emails with subject lines, attachments, or hyperlinks related to Coronavirus, or COVID-19.

The Malwarebytes Lab research team has also seen a resurgence of a malspam phishing campaign impersonating the World Health Organization. The first campaign was discovered by MalwareHunterTeam on March 7.

Researchers have been monitoring for these types of campaigns in light of the rise of hackers taking advantage of the pandemic. On March 17, Malwarebytes again observed a WHO-related phishing campaign.

The subject line reads “Latest on the corona-virus.” While the misspelling could alert users to the maliciousness of the attack, the impersonation of WHO could tempt users to open the email. The actors are using a fake e-book to lure potential victims, claiming the resource contains coronavirus research and guidance on how to protect businesses and children from infection.

To increase the chance of success, the threat actors added teaser content within the body of the email, including four transmission scenarios for COVID-19 and response actions. Windows users are then told the book can be downloaded for free access.

If the malicious .zip attachment is opened, GuLoader malware is then downloaded onto the victims’ network. Malwarebytes explained that GuLoader is used to download Formbook, an information-stealing Trojan stored in encoded format on Google Drive.

“Formbook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data,” researchers wrote.

“Stolen data is sent back to a command and control server maintained by the threat actors,” they added.

Fortunately, despite obvious attempts to appear reputable, a close examination of the email body reveals several grammatical errors and mismatched fonts.

However, researchers warn that many users have fallen for less convincing schemes. And with more employees working remotely and using remote platforms, the “highly distributed network is increasing” – as is the risk.
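The indicators described above (a display name claiming WHO, a pandemic-themed subject line, and a .zip attachment) can be checked automatically during mail triage. The following is an added example, not code from Malwarebytes, CISA, or OCR; it assumes WHO mail originates from who.int, and the sample sender domain, the archive member name, and the list of risky file extensions are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions: brand -> legitimate sending domain, and risky member extensions.
BRANDS = {"world health organization": "who.int"}
THEME = re.compile(r"corona[\s-]?virus|covid[\s-]?19", re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".lnk")

def triage(raw: str) -> list[str]:
    """Return the list of lure indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRANDS.items():
        if brand in display.lower() and domain != legit and not domain.endswith("." + legit):
            findings.append(f"display name claims '{brand}' but sender domain is {domain}")
    if THEME.search(str(msg.get("Subject", ""))):
        findings.append("pandemic-themed subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        findings.append(f"zip attachment: {name}")
        try:
            members = zipfile.ZipFile(io.BytesIO(part.get_content())).namelist()
        except zipfile.BadZipFile:
            findings.append("zip attachment could not be parsed")
            continue
        findings += [f"executable inside archive: {m}" for m in members
                     if m.lower().endswith(RISKY_EXT)]
    return findings

def constructed_sample() -> str:
    """Constructed test message; the archive member holds inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ebook.exe", b"placeholder, not a program")
    m = EmailMessage()
    m["From"] = '"World Health Organization" <info@who-updates.example>'
    m["To"] = "staff@hospital.example"
    m["Subject"] = "Latest on the corona-virus"
    m.set_content("Download the free e-book attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="ebook.zip")
    return m.as_string()
```

A message that trips the display-name mismatch together with an executable inside an archive is a strong candidate for quarantine; the subject match alone is weak, since legitimate pandemic mail uses the same words.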

CISA’s recommendations include not clicking links in unsolicited emails and being suspicious of email attachments. Phishing education has been proven to reduce healthcare’s cyber risk. Organizations can find helpful spear-phishing insights from Microsoft and Europol.

Further, employees should be encouraged to get up-to-date, factual coronavirus information from trusted sources, like the Centers for Disease Control and Prevention, while ensuring they don’t reveal any personal or financial information via email or respond to email requests for information.

CISA has also shared risk management insights for COVID-19 to help organizations evaluate the cybersecurity, physical, and supply chain risks that may arise due to the pandemic. The agency is working with industry stakeholders on containment and mitigation strategies, as healthcare professionals will prove crucial during the national emergency.

In terms of cybersecurity, the guidance recommends that as organizations explore alternative workplace options, they ensure the security of their IT systems by testing the capacity of remote access solutions, securing systems that enable remote access, and ensuring the continuity of operations plans or business continuity.

Further, CISA reminded organizations to ensure the security of virtual private networks (VPN) and other remote platforms. The agency recently warned organizations that hackers are also targeting these vulnerable ports with cyberattacks to take advantage of the pandemic.

Organizations should also increase awareness of IT support while enhancing system monitoring. Incident response plans should also be updated to account for the workforce in this environment, and multi-factor authentication should be implemented to support changes in the distributed environment.

Employees should be reminded not to respond to email solicitations for disinformation campaigns.

“Malicious cyber actors could take advantage of public concern surrounding COVID-19 by conducting phishing attacks and disinformation campaigns,” CISA warned. “Phishing attacks often use a combination of email and bogus websites to trick victims into revealing sensitive information.”

“Disinformation campaigns can spread discord, manipulate the public conversation, influence policy development, or disrupt markets,” they added. “CISA encourages individuals to guard against COVID-19-related phishing attacks and disinformation campaigns.”