According to reports, phishing scammers have started to impersonate President Trump and Vice President Mike Pence in emails that distribute malware or perform extortion scams. In phishing emails discovered by email security firm Inky, threat actors impersonate the White House, claiming to send out Coronavirus guidelines on behalf of President Trump.
These emails state they are the latest “Coronavirus Guidelines for America” and prompt the recipient to click on a link to download a document. When the user clicks on the link, they are brought to a web page that impersonates the White House and contains a link to “Download and read the full document”. This link, though, downloads a malicious Word document that prompts the user to ‘Enable Editing’ and ‘Enable Content’ to view it. Once a user enables content, malicious macros launch and install malware on the recipient’s computer.
Mushrooming phishing attacks are now fairly trivial to launch as they do not require any in-depth technical knowledge, even for large-scale campaigns. One can easily find (re)sellers of spam botnets and related cybercrime-as-a-service offerings that rapidly deliver fake news, malware or other sophisticated data-theft campaigns, which could end up paying several hundreds of dollars. Exacerbated by working from home, and thus less protected users, phishing is now a formidable arm in the hands of unscrupulous cybercriminals profiteering from the virus and highly susceptible victims.
Given the rapidly ballooning uncertainty about the epidemic, even experienced and trained users fall victim to aptly falsified guises of fresh information. The simplicity of phishing attacks, combined with their growing efficiency, makes them both popular and successful amid the spiralling COVID-19 crisis.
Organizations should ensure clear communications with their employees and stakeholders, including customers and partners. Consistent and visible responses to the coronavirus, combined with scheduled or at least predictable next actions, are key to overcoming informational hunger and negating human temptation to greedily grasp information from any source without even questioning its authenticity in the informational vacuum.
Any crisis attracts scoundrels who will not hesitate to kick you when you’re down. Recent phishing emails impersonating the White House are a case in point. Capitalizing on widespread anxiety and uncertainty, scammers are luring victims into installing malware on their own computers. For users, the best defense is robust skepticism. Resist the urge to click on links in emails unless you are certain of the identity of the sender and the content of the message. Take a breath and think before you act. Verify information independently if at all possible. For example, in this case you could perform your own Internet search to discover that the White House is not emailing guidelines to individuals.
Attackers are shameless in the tricks they’ll use during a time like this. The White House instructions attack relies on the fact that there is published guidance from the White House and the fact that this entire situation has been quickly evolving. People do not want to miss out on the latest guidance. Just like in other social engineering attacks, this one relies on emotions and the fear, uncertainty and doubt that people are experiencing to be effective.
In the case of the emails purportedly sent from Mike Pence to business owners, this is also an attack on emotions, as many business owners are currently under stress either because their sales are down, or in some cases because they are more busy than they ever have been depending on the industry. Businesses are currently facing challenges they’ve never faced before including restaurants switching to curbside only service, many places having to close or at the very least, send their workers home to work. A letter such as this can add immeasurable stress during an already stressful time.
While in both of these cases, there are glaring grammar and spelling errors, when placed under stress, people may not notice these. This is why it’s so important whenever an email, text message, or even phone call causes an emotional response, to step back for a moment, take a breath and look very critically at the situation. Attackers use our emotions to bypass critical thinking.
People need to be cautious any time they receive an unsolicited email, check the reply-to address to make sure it’s legitimately coming from who it says it is, and be extremely cautious when opening any attached documents or other files when they aren’t expecting them. If you do open an attachment, do not enable editing, content or macros.
Because these attacks are becoming so prevalent right now, it has never been more important for individuals or employees to be trained on how to spot phishing emails or malicious text messages.
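The checks recommended above (compare the reply-to address with the sender, and treat unexpected Office documents with suspicion) can be automated as a first-pass mail triage. The following Python sketch is an added example, not part of the original article or any vendor's tooling; the sample message, every `.example` address and host, and the function names are constructed for illustration, and the checks are heuristics that produce hints for a reviewer rather than verdicts.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; every address and host is a reserved .example name.
SAMPLE = """\
From: "The White House" <info@whitehouse-updates.example>
Reply-To: guidelines@mail-relay.example
To: user@corp.example
Subject: Coronavirus Guidelines for America
Content-Type: text/plain; charset="utf-8"

Download and read the full document:
http://docs.guidance-portal.example/guidelines.doc
"""

MACRO_EXTS = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return a list of warning strings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    warnings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTS):
            warnings.append(f"macro-capable attachment {name}")
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r"https?://[^\s\"'<>]+", body):
                host = (urlparse(url).hostname or "").lower()
                if host != from_dom and not host.endswith("." + from_dom):
                    warnings.append(f"link host {host} is outside sender domain")
                if urlparse(url).path.lower().endswith(MACRO_EXTS):
                    warnings.append(f"link fetches macro-capable file from {host}")
    return warnings

if __name__ == "__main__":
    for w in triage(SAMPLE):
        print("WARN:", w)
```

Legitimate mail often links to hosts outside the sender's domain, so the link-host warning is best used to rank messages for review together with the other two signals.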
Scammers take advantage of any newsworthy opportunity they can to hook new victims. We’ve been seeing a mass “re-branding” of phishing and malware campaigns to COVID-19. The attacks and malware are the same but the email lures are co-opting messaging around the pandemic by impersonating well-known authorities such as the White House, CDC, and WHO. Now more than ever consumers should utilize “trusted paths” such as going to those organizations’ websites directly rather than clicking a link or opening an attachment in an email to access important information about the pandemic.
Since the outbreak of COVID-19 we are seeing countless examples of hackers preying on unsuspecting victims. Is there no longer honour amongst thieves? Their behaviour in this time of crisis is despicable and disgusting. Shame on them!
In general, for any business that relies on the digital world, wholly or in part, new security threats are surfacing. From reuse of attacks we’ve seen for years, to entirely new exploits and scams that take advantage of our desire to get news, to buy basic supplies or to take steps to avoid infection or have a speedy recovery. Traditional security measures, learned behaviours and controls that have been used to protect the normal course of business for years are not in place and can’t protect a nearly full or a fully remote staff without adaptation and without having the right mindset and approach every day.
Today, humans are the weakest links in the security ecosystem. While many companies have improved their security hygiene due to security awareness training, the vast majority of successful attacks are the result of a blunder caused when an employee becomes an unsuspecting victim by opening email attachments laced with malware or ransomware, visiting dubious websites and downloading malicious software.