From petty product scams to phishing emails and malware to credential theft, cybercrooks are leaving no opportunity unturned.

Attackers are taking advantage of the widespread discussion of COVID-19 in emails and across the web.

Between March 1 and March 23,  467,825 spear phishing email attacks were detected, and 9,116 of those detections were related to COVID-19, representing about 2% of attacks. In comparison, a total of 1,188 coronavirus-related email attacks were detected in February, and just 137 were detected in January. Although the overall number of these attacks is still low compared to other threats, the threat is growing quickly.

Researchers from cybersecurity firm Barracuda had already seen a steady increase in the number of coronavirus COVID-19-related email attacks since January, but since the end of February they have observed a recent spike in this type of attack.

Three main attack vectors

Three main types of phishing attacks employ coronavirus COVID-19 themes—scamming, brand impersonation, and business email compromise. Of the coronavirus-related attacks detected by researchers through March 23, 54% were scams, 34% were brand impersonation attacks, 11% were blackmail, and 1% were business email compromise.

Phishing attacks using COVID-19 as a hook are quickly getting more sophisticated. In the past few days, researchers have seen a significant number of blackmail attacks popping up, and a few instances of conversation hijacking. In comparison, until just a few days ago they were primarily seeing mostly scamming attacks. Researchers expect to see this trend toward more sophisticated attacks to continue.

Goals of the attacks ranged from distributing malware to stealing credentials, and financial gain. One new type of ransomware detected has even taken on the COVID-19 namesake and dubbed itself CoronaVirus.

With the fear, uncertainty, and even sympathy stemming from the coronavirus COVID-19 situation, attackers have found some key emotions to leverage, such as the ongoing sextortion campaigns, which rely on embarrassment and fear to scam people out of money.

One blackmail attack claimed to have access to personal information about the victim, know their whereabouts, and threatened to infect the victim and their family with coronavirus unless a ransom was paid. This particular attack was detected 1,008 times over the span of two days.

Scams, malware and credential theft

Many of the scams detected were looking to sell coronavirus cures or face masks or asking for investments in fake companies that claimed to be developing vaccines. Scams in the form of donation requests for fake charities are another popular phishing method researchers have seen.

In terms of malware, these are being distributed through coronavirus-related phishing, especially modular variants that allow attackers to deploy different payload modules through the same malware.

The first malware reported utilizing coronavirus was Emotet, a rampant banking Trojan, which went modular last year. IBM had discovered Emotet being distributed in Japanese emails claiming to be from a disability welfare provider. The phishing emails contained a document which downloaded and installed Emotet when macros were enabled, a common practice for malware distribution these days.

LokiBot is another modular malware, that often aims to steal login credentials and data and has been distributed in at least two different coronavirus-related phishing campaigns. One campaign used the premise of attached invoices containing LokiBot, but added an apology for the delay in sending the invoice due to coronavirus. The other campaign claimed to be a news update and “1 thing you must do” (a play on the common “one weird trick” hook common in spam), which contained a link to the malware.

The Barracuda team have seen multiple examples of emails using the invoice premise more than 3,700 times. Other notable information stealers capitalizing on COVID-19 include AzorUlt, which is being distributed from a phishing site claiming to be a map of the outbreaks, and TrickBot, which is circulating among Italian phishing emails.

Then there is credential theft. In addition to widespread credential harvesting from information-stealing malware, phishing attacks with links to spoofed login pages are also using coronavirus COVID-19 as a lure. One such variant that Barracuda researchers detected claims to be from the Centers for Disease Control and Prevention (CDC), and attempts to steal Microsoft Exchange credentials when the malicious link is clicked.

A wide variety of email login pages are commonly spoofed by attackers, targeting the email portal users are accustomed to when this mail server information can be scraped by attackers. Other login pages are more generic or offer multiple options for provider, spoofing each provider login page. Attackers are simply changing to the existing credential phishing email premise to capitalize on coronavirus.

Observe basic precautions

While phishing emails leveraging coronavirus are new, the same precautions for email security still apply.

  • Be wary of any emails attempting to get users to open attachments or click links.
  • Watch out for any communications claiming to be from sources that you normally would not receive emails from. For example, the CDC is not going to be sending out emails to anyone who doesn’t regularly receive emails from them already.
  • Use caution with emails from organizations you regularly communicate with. This is especially true for those in the healthcare industry since it is being targeted by cyberattacks trying to capitalize on the pressure resulting from handling an influx coronavirus cases.
  • Find credible charities and donate directly. Do not respond to email requests for donations. Any legitimate charities taking donations through Bitcoin wallets should be a red flag.