667% spike in email phishing attacks due to coronavirus fears
As much of the world grapples with the new coronavirus, COVID-19, and how to handle it, attackers are preying on people's emotions and taking advantage of the widespread discussion of COVID-19 in emails and across the web.
There has been a steady increase in the number of coronavirus COVID-19-related email attacks since January, according to security firm Barracuda Networks, but researchers have observed a recent spike in this type of attack, up a whopping 667% since the end of February.
Between March 1 and March 23, researchers detected 467,825 spear phishing email attacks, and 9,116 of those detections were related to COVID-19, representing about 2% of attacks, the company said. In comparison, a total of 1,188 coronavirus-related email attacks were detected in February, while just 137 were detected in January.
"Although the overall number of these attacks is still low compared to other threats, the threat is growing quickly," the company said in a statement.
A variety of phishing campaigns are taking advantage of the heightened focus on COVID-19 to distribute malware, steal credentials, and scam users out of money, the company said.
"The attacks use common phishing tactics that are seen regularly; however, a growing number of campaigns are using the coronavirus as a lure to try to trick distracted users to capitalize on the fear and uncertainty of their intended victims," the company said. The FBI recently issued an alert about these types of attacks.
Three types of attacks
Barracuda researchers have seen three main types of phishing attacks using coronavirus COVID-19 themes: scamming, brand impersonation, and business email compromise, the company said. Of the coronavirus-related attacks detected through March 23, 54% were scams, 34% were brand impersonation attacks, 11% were blackmail, and 1% were business email compromise (BEC).
"Phishing attacks using COVID-19 as a hook are quickly getting more sophisticated," Barracuda noted. "In the past few days, Barracuda researchers have seen a significant number of blackmail attacks popping up and a few instances of conversation hijacking."
In comparison, until a few days ago, researchers were seeing mostly scamming attacks. Of the coronavirus phishing attacks detected as of March 17, 77% were scams, 22% were brand impersonation, and 1% were BEC.
"We expect to see this trend toward more sophisticated attacks continue," the company said.
Goals of the attacks ranged from distributing malware to stealing credentials and financial gain. One new type of ransomware Barracuda systems detected has even taken on the COVID-19 name and dubbed itself CoronaVirus, the company said.
"Skilled attackers are good at leveraging emotions to elicit response to their phishing attempts, such as the ongoing sextortion campaigns, which rely on embarrassment and fear to scam people out of money," Barracuda said. "With the fear, uncertainty, and even sympathy stemming from the coronavirus COVID-19 situation, attackers have found some key emotions to leverage."
For example, one blackmail attack claimed to have access to personal information about the victim, know their whereabouts, and threatened to infect the victim and their family with coronavirus unless a ransom was paid, the company said. Its Sentinel platform detected this particular attack 1,008 times over two days.
Many of the scams Barracuda Sentinel detected were looking to sell coronavirus cures or face masks or asking for investments in fake companies that claimed to be developing vaccines.
Scams in the form of donation requests for fake charities are another popular phishing method Barracuda said its researchers have seen taking advantage of coronavirus.
For example, one scam caught by the Barracuda systems claims to be from the World Health Community (which doesn't exist but may be trying to take advantage of similarity to the World Health Organization) and asks for donations to a Bitcoin wallet provided in the email.
A variety of common malware is being distributed through coronavirus-related phishing, especially modular variants that allow attackers to deploy different payload modules through the same malware. The first malware reported utilizing coronavirus was Emotet, a popular banking Trojan, which went modular last year. IBM X-Force discovered Emotet being distributed in Japanese emails claiming to be from a disability welfare provider.
LokiBot is another modular malware that often aims to steal login credentials and data and has been distributed in at least two different coronavirus-related phishing campaigns that Comodo has tracked, according to Barracuda. One campaign used the premise of attached invoices, which contained LokiBot, but added an apology for the delay in sending the invoice due to coronavirus. The other campaign claimed to be a news update and "1 thing you must do" and contained a link to the malware. Barracuda systems have seen multiple examples of emails using the invoice premise, which was detected more than 3,700 times, the company said.
COVID-19 is also being used as a lure for phishing attacks with links to spoofed login pages. One such variant that Barracuda systems detected claims to be from the CDC and attempts to steal Microsoft Exchange credentials when the malicious link is clicked. An example of the email and the phishing page are shown here (Figure A).
Attackers commonly spoof a wide variety of email login pages, targeting the email portal users are accustomed to when attackers can scrape that mail server information. Other login pages are more generic or offer multiple options for providers, spoofing each provider login page, Barracuda said.
"Attackers are simply changing to the existing credential phishing email premise to capitalize on coronavirus," the company said.
How to Protect Yourself
While phishing emails leveraging coronavirus are new, the same precautions for email security still apply. Barracuda advises the following: