Americans anxious over the spread of COVID-19 could be forgiven for falling for an email that purports to provide information on the pandemic from "The Federal Government, President Donald Trump," but is instead a phishing scheme originating from a Russian email account.
In a company blog post and research report, email security company INKY reported its discovery of the campaign, which was designed to infect victims with an unspecified malware program.
Hackers have been busily turning out phishing campaigns impersonating the likes of the WHO and CDC ever since the coronavirus began its frightening spread.
"Mushrooming phishing attacks are now fairly trivial to launch as they do not require any in-depth technical knowledge, even for large-scale campaigns," said Ilia Kolochenko, founder and CEO at ImmuniWeb. "Exacerbated by working from home, and thus less protected users, phishing is now a formidable arm in the hands of unscrupulous cybercriminals profiteering from the virus and highly susceptible victims."
INKY's report includes two phish examples, both of which are dated April 2 and contain messages that incorrectly state a national "quarantine" will now be in place until August 2020. There is no strict federal quarantine – only federal guidelines and various degrees of stay-at-home and social distancing orders enacted by most, but not all, states – and none of these have been extended as far out as August.
Both emails also feature a link leading to a web page that appeared to be the White House's official COVID-19 guidelines site. However, the page, which has been taken down, was actually a convincing fake. "That’s because it’s an exact HTML and CSS replica of the exact content on the real White House Coronavirus informational site at the time these emails arrived," the blog post said. "This raises a point we often make at INKY: the attacker’s easiest path to creating convincing fakes is not to create any content at all, but simply to copy a real email or website."
The fake page included a button that, if clicked, would download the aforementioned malware.
"Now more than ever consumers should utilize 'trusted paths' such as going to... organizations' websites directly rather than clicking a link or opening an attachment in an email to access important information about the pandemic," said Chris Clements, vice president of solutions architecture at Cerberus Sentinel.
One of the two phishing emails, titled "The White House Instruction for coronavirus," is supposedly sent by a sender named Valentina Robinson. In addition to the phony quarantine details, the email falsely states that the national tax filing deadline has been postponed to Aug. 15. The correct date is July 15.
The second email, supposedly sent by a Rosie, says that the president has "announced more groundbreaking steps" to curb the spread of the virus.
Both emails feature grammatical errors that are telltale signs of a scam. The second email is particularly egregious, featuring such misspellings as "carantine" and "pamdemic."
"Nevertheless, it’s easy to imagine a few overloaded working-from-home employees falling for these," INKY notes.
Ashlee Benge, threat researcher at ZeroFOX, agrees. "Attackers take advantage of every opportunity to instill a sense of false urgency in would-be victims. Coronavirus and the resulting global panic provide the perfect vector for this kind of attack," said Benge. "Given the current level of financial uncertainty in America as unemployment numbers spike, recipients of these emails may download this document without pausing to notice how suspicious these emails actually are."
"The White House instructions attack relies on the fact that there is published guidance from the White House and the fact that this entire situation has been quickly evolving," said Erich Kron, security awareness advocate at KnowBe4. "People do not want to miss out on the latest guidance. Just like in other social engineering attacks, this one relies on emotions and the fear, uncertainty and doubt that people are experiencing to be effective."
Organizations can inoculate employees against COVID-19-related phishing campaigns by upping awareness and training, even as they work remotely. "The only way to protect consumers and employees is by training them, teaching them, guiding them – patching them against hackers," said Lucy Security CEO Colin Bastable, stressing that "while 75 percent of the U.S. population is hiding under the bed, 100 percent of cybercriminals are taking every advantage."