Phishing scams on the rise amid panic over Covid-19

Lurking behind all this treasure trove of online information is a sinister bunch of malicious webpages, email attachments and links waiting to trap gullible users, infiltrate their devices and steal personal and financial information.

According to cybersecurity firm Check Point Software Technologies, cyber-criminals are exploiting interest in the outbreak to carry out malicious activity using several spam campaigns revolving around the outbreak.

Emails sent in the name of a Japanese disability welfare service provider to several users in Japan were found to be carrying a malicious email attachment hiding the notorious Emotet malware. Another malware named LokiBot was widely distributed through phishing emails on Covid-19 among users in Indonesia.

Lokibot malware is used to steal data such as email credentials and passwords to crypto coin wallets and FTP servers. In Italy, cybersecurity firm Sophos found emails with Word documents on how to avoid Covid-19 infection. While they looked harmless to a user, the Word files were carrying visual basic for applications (VBA ) script which carries a dropper to launch the TrickBot malware.

“Cybercriminals miss no opportunity to use the panic. In the case of Coronavirus, as the virus started spreading in the physical world, hackers started using email attachments and files in the form of .pdf, .docx, .mp4, disguised under the name of Coronavirus to target users’ mobiles, tablets and computer devices," said Dipesh Kaura, general manager, Kaspersky (South Asia).

Researchers at Kaspersky came across several emails which looked like they had come from the Centers for Disease Control and Prevention (CDC), a US health organisation. These emails come from a convincing-sounding domain such as cdc-gov.org in case of emails sent in the name of CDC. The actual domain is cdc.gov.

Also, in many cases, attackers used legitimate names and contact details in the emails to seem convincing enough in case a user decides to verify the name on the actual website. Kaspersky also came across e-mails sent in the name of CDC urging recipients to donate Bitcoins to fund Coronavirus vaccine research. CDC doesn’t take donations in Bitcoins.

According to cybersecurity firm Proofpoint, many emails were even sent in the name of WHO with logo on top. A user not paying careful attention isn’t likely to notice the difference.

In some cases, malicious links would point users to what looks like a legitimate CDC website cdc.gov for further information. The only caveat was that users were asked to log-in with their Outlook email and password.

Kaura points out that clearly the website has nothing to do with Outlook. It’s just a page crooks built to steal e-mail credentials. It won’t log you in anywhere, but it will forward your login and password to criminals, who will later use them to access your e-mail account and look for anything worth stealing in there.

Since January 2020, Check Point has found over 4,000 Covid-19-related domains registered globally—13% of them were found to be malicious while an additional 5% look suspicious and are being investigated. The malicious rate of the virus-related domains is 50% higher than the overall rate of all domains registered. Kaspersky Labs has detected 2,673 Covid-19-related malicious files targeting 403 of its users.

“When a user’s computer or mobile device becomes infected by these malware, they stand a chance to lose confidential information or money since malware gives attackers access to both," warns Smit Kotadiya, Cybersecurity Evangelist, Check Point Software Technologies. The fact that some of the cyberscams around the epidemic are using some of the most advanced malwares like Emotet is alarming in itself. Emotet is a self-propagating modular malware that is also used a dropper to distribute other malware and ransomware which will take admin control over the target’s system to steal critical information, run cryptojacking scams, or will lock it down for ransom.

Emotet is hard to detect as it uses evasive techniques to avoid detection, like dynamic link libraries (DLL), which is a group of small programmes clubbed into modules linked to the programme, instead of being compiled with the main programme.

To prevent misuse of its platform for any similar cyberscams, Google has disabled all searches related to Coronavirus and Covid-19 in the Play Store. Also, any apps using these two terms in their names have been taken down. Users, on their part, also need to be more vigilant in clicking on any links or attachments related to Covid-19. Kotadiya cautions people to be wary of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.