Bleeping Computer recently published an article titled “World Health Organisation Warns of Coronavirus Phishing Attacks”. More details below:
The World Health Organisation (WHO) warns of ongoing Coronavirus-themed phishing attacks that impersonate the organisation with the end goal of stealing information and delivering malware. “Criminals are disguising themselves as WHO to steal money or sensitive information,” the United Nations agency says in the Coronavirus scam alert. “WHO is aware of suspicious email messages attempting to take advantage of the 2019 novel coronavirus emergency.” The phishing messages are camouflaged to appear as being sent by WHO officials and ask the targets to share sensitive info like usernames and passwords, redirect them to a phishing landing page via malicious links embedded in the emails, or ask them to open malicious attachments containing malware payloads.
Most organizations these days implement thorough cyber education programs, especially around phishing, though as employee awareness rises, so does the level of expertise and sophistication of the emails by hackers. During 2019, 67% of internal phishing campaigns run by our customers fooled employees and resulted in divulging sensitive data. Cyber criminals are being extremely cunning in their approach to latch onto a global health emergency with malspam and we can expect to see more of this type of activity, particularly around the US elections and the Tokyo Olympics.
Hackers and cybercriminals have been quick to take advantage of the coronavirus outbreak. This happens any time there is a public health crisis or catastrophe in which people are desperate to find more information and contribute to those affected. The fake WHO emails follow a standard formula for phishing: criminals impersonate an authority figure who uses fear and a sense of urgency to trick victims into clicking on links or attachments. Attachments often contain malware, and links lead to phishing sites that look identical to genuine sites.
Basic security precautions should prevent you from falling victim to phishing. Never click on links or attachments in unsolicited emails. Cross check the domain of sender\’s email address and any links in the email against the official website domain found through Google.
Phishing attacks are cheap, easy, and difficult to trace. So even though most people won\’t fall for the scam, criminals only need to trick a few victims for the attack to be profitable.
This is an example of cybercriminals using an emotional trigger to get people to let their guard down. The constant media stories about the coronavirus and the associated fear due to uncertainty are the lures the use to get people to follow links in the emails, or open infected documents without taking the usual precautions. The World Health Organization would never require an email verification or a login to view public information related to an outbreak such as the coronavirus, however if the email gets people worried enough about the virus, they may not apply critical thinking and enter the information without a second thought.
Social engineering has long been a trick of criminals and this is especially true with cybercriminals. People should always hover the link in emails and check the email address of the sender, being careful to look for substituted numbers and letters. For example, the WHO website is \”www.who.int\” and their email address end in \”@who.int\”. Attackers may try to trick people by replacing the letter \”o\” with the number \’0\’, resulting in a link to http://www.wh0.int or a similar email address.
People can also expect to see scammers sending emails asking for donations to help victims and other related ploys related to the outbreak. These are extremely common around any large newsworthy event.
This is among the most common hacking tactics- using a newsworthy event along with a “stressor event” to get people to drop their normal suspicions and fall for a fraud. Schemes like this are a big part of the reason why social engineering is responsible for 70% to 90% of a malicious data breaches. Every organization needs to ensure that their employees are aware of hackers using news events to push hacking schemes and use up-to-date security awareness training and simulated phishing campaigns to test their employees ability to fall for these types of phishes. You don’t want the first time your employee is tested to be from a real phish. Instead, using training and phish testing to educate your staff to make them far less likely to fall victim to a news scam.
Whenever there is a global incident or major news story, we see criminals jumping on the trend to try and push their wares. The Coronavirus is no exception, and we\’ve seen several variations of phishing emails under the guise of warnings, to charitable donations, to flight and travel updates.
Many of these phishing emails don\’t contain any malicious attachments which can be scanned, so they have a high success rate in reaching the users desktop. Therefore, it\’s vital that users receive security awareness and training to ensure they can identify suspected phishing emails and report them to IT for further investigation.