Situation
PhishLabs has seen an increase in threat actors impersonating key public health organizations and agencies to phish victims for financial gain and to deliver malware.
Problem
PhishLabs has seen four separate phishing campaigns using the World Health Organization (WHO) and the Center for Disease Control (CDC) names. In the first campaign, the sender uses SendGrid to send mail from a fake national health center email address. The link in the message claims to provide an updated list of new COVID-19 cases, but it actually leads the victim to a webmail phishing site that steals login credentials.
In the second campaign, the threat actor(s) registered a fake domain for the lure and hosted the phishing page on it as well. As in the first campaign, SendGrid is used, with the email originating from an Amazon AWS server.
The third campaign promises the victim a payment as compensation for the coronavirus. However, the message implies that, in order to receive the payment, the victim must first pay $220.
The last campaign uses a spoofed WHO email address in a donation scam. In it, the threat actor(s) ask for a cryptocurrency transfer to a Bitcoin wallet. Once such a transfer is made, there is little chance it can be reversed.
Implication
If a user is tricked by one of these COVID-19 phishing emails, it could allow the threat actor(s) to harvest login credentials, install or spread malware, or cause financial loss.
Need
Some recommendations to defend against phishing campaigns are:
- Only open emails from trusted senders, and verify that the sender actually sent the message before acting on it.
- Ensure anti-virus software and associated files are up to date.
- Keep applications and operating systems running at the current released patch level.
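The four lures above share a small set of mail-level indicators (a display name that claims WHO or CDC while the sending domain belongs to someone else, a link whose host does not match the sender, a demand for a fee before a payout, and a Bitcoin wallet), and the first recommendation amounts to checking those indicators plus the receiving server's SPF/DKIM/DMARC verdict. The script below is an added example that turns them into triage heuristics; it is not code from PhishLabs or IBM X-Force. All four sample messages are constructed, and it assumes that who.int and cdc.gov are the only legitimate sending domains for the two organizations.

```python
"""Triage heuristics for the WHO/CDC COVID-19 lure patterns described above.

Added example, not code from the advisory's authors. Sample messages are
constructed; who.int / cdc.gov are assumed to be the organizations' real domains.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: legitimate sending domain -> words a lure uses to claim that organization.
IMPERSONATED = {
    "who.int": ("world health organization", "who"),
    "cdc.gov": ("centers for disease control", "center for disease control", "cdc"),
}
URL = re.compile(r"https?://[^\s<>\"']+")
# Legacy (1.../3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_ADDRESS = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# "pay ... $220": a fee demanded before a promised payout (advance-fee pattern).
ADVANCE_FEE = re.compile(r"\b(?:pay|fee|transfer)\b[^.]{0,60}\$\s?\d+", re.I)


def same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def claimed_domain(msg):
    """Domain of the organization the display name or subject claims to be, or None."""
    text = (parseaddr(msg.get("From", ""))[0] + " " + msg.get("Subject", "")).lower()
    for domain, words in IMPERSONATED.items():
        if any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in words):
            return domain
    return None


def auth_failures(msg):
    """Mechanisms the receiving MTA reported as failed in Authentication-Results."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return [m for m in ("spf", "dkim", "dmarc") if re.search(rf"\b{m}=(?:soft)?fail\b", results)]


def triage(raw):
    """Return a list of findings; an empty list means no lure indicator matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender, claimed = sender_domain(msg), claimed_domain(msg)
    if claimed and not same_org(sender, claimed):
        findings.append(f"impersonation: display name claims {claimed} but sender is {sender}")
    for mech in auth_failures(msg):
        findings.append(f"auth: {mech} failed for {sender}, sender address may be spoofed")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if not same_org(host, sender) and not (claimed and same_org(host, claimed)):
            findings.append(f"link: {host} does not belong to {sender}")
    if BTC_ADDRESS.search(body):
        findings.append("payment: message asks for a transfer to a Bitcoin address")
    fee = ADVANCE_FEE.search(body)
    if fee:
        findings.append(f"payment: advance-fee demand '{fee.group(0)}'")
    return findings


# Constructed samples modelled on the four campaigns plus one legitimate message.
SAMPLES = {
    "credential_lure": """\
From: "CDC-INFO Health Alert" <alert@health-updates.example>
Subject: Updated list of new COVID-19 cases in your area
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=health-updates.example; dmarc=none
Content-Type: text/plain

An updated list of new cases is available. Sign in to view it: http://webmail-verify.example/login
""",
    "legit_newsletter": """\
From: "WHO Newsletter" <newsletter@who.int>
Subject: COVID-19 situation report
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass header.from=who.int
Content-Type: text/plain

Read the latest report at https://www.who.int/emergencies/diseases/novel-coronavirus-2019
""",
    "bitcoin_donation": """\
From: "World Health Organization" <donate@who.int>
Subject: Help fight COVID-19 - donate now
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=who.int; dkim=none; dmarc=fail header.from=who.int
Content-Type: text/plain

Please send your donation to our Bitcoin wallet 1AbCdEfGhJkMnPqRsTuVwXyZaBcDeFgHiJ today.
""",
    "advance_fee": """\
From: "WHO Compensation Office" <claims@who-relief-fund.example>
Subject: Your coronavirus compensation payment is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=who-relief-fund.example; dmarc=none
Content-Type: text/plain

You have been approved for a compensation payment. To release the funds you must first pay $220 as a processing fee.
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw) or ["clean"])
```

The Authentication-Results check only trusts the header written by your own receiving MTA, so in production strip any copy of that header arriving from outside before this runs. The display-name match is deliberately strict (whole words only) to keep ordinary mail that merely mentions "who" out of the impersonation bucket.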
Additional information
IBM X-Force advisory:
https://exchange.xforce.ibmcloud.com/collection/ecc0b795d616eaa888f5e673a07e3baf
PhishLabs Blog:
https://info.phishlabs.com/blog/covid-19-phishing-update-threat-actors-target-cdc-who