Email-based phishing schemes continue to trick victims with promises of coronavirus information, cures and vaccines, but now some fraudsters are also sending their targets lures related to the U.S. government-approved stimulus checks promised to most Americans.
The latest evidence of this is a new report, authored by Abnormal Security, which details a scheme to impersonate a major financial institution that supposedly is holding economic stimulus funds for its customers. The intention is to trick targets into providing their login credentials as a means to verify account ownership and receive the money.
But it's all a sham: The email includes a link to a malicious landing page. "The... URL takes victims to a site hosted at https://theruncoach.icu/home[.]php, which attackers likely control and will use to steal the login credentials for this financial institution from victims," the Abnormal report states.
The attack is an effective one, the report continues, because both the email and the web page pull off a convincing imitation of the bank. The email even contains a genuine link to the bank's privacy statement.
Although the landing page's URL is "clearly not a site owned or run by this bank," the URL is hidden behind the link's display text, "and the attackers likely expected that recipients would be too convinced by the landing page they created to double-check that the URL was valid," the report states.
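The masking described above (convincing display text, attacker-controlled href) is mechanical enough to check for at the mail gateway. The following is an added example, not code from Abnormal's report: it parses an email body, pulls every anchor, and flags links whose href domain is outside a brand allowlist, whose visible text names a different domain than the href, or whose host uses a cheap TLD or a stimulus-style lure keyword. The bank in the report is unnamed, so `examplebank.com` is a placeholder, the TLD list is an assumption, and the sample email body is constructed for the example (only the `theruncoach.icu` href comes from the report).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder: the report does not name the impersonated bank.
LEGIT_DOMAINS = {"examplebank.com"}
# Assumptions: lure words seen in stimulus-themed campaigns and cheap TLDs
# that frequently host throwaway landing pages.
LURE_WORDS = ("stimulus", "covid", "corona", "relief", "payment")
RISKY_TLDS = {"icu", "xyz", "top", "buzz"}


def registrable(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.icu; a real gateway
    would use the Public Suffix List so co.uk-style domains are not misparsed."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_links(html):
    """Return a list of suspicious links with the reasons they were flagged."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        domain = registrable(host)
        reasons = []
        if domain not in LEGIT_DOMAINS:
            reasons.append("href outside allowlisted domains")
        # Display text that itself looks like a URL or domain but resolves
        # to a different registrable domain than the real href: the masking trick.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if shown and registrable(shown) != domain:
                reasons.append(f"display text {shown} != href host {host}")
        if domain.rsplit(".", 1)[-1] in RISKY_TLDS:
            reasons.append("risky TLD")
        if any(word in host for word in LURE_WORDS):
            reasons.append("lure keyword in host")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample body: a genuine privacy-statement link alongside a masked
# link whose href is the landing page the report cites.
SAMPLE_EMAIL_HTML = """
<p>Your economic stimulus funds are ready. Verify your account to receive them.</p>
<p><a href="https://theruncoach.icu/home.php">https://www.examplebank.com/stimulus</a></p>
<p><a href="https://www.examplebank.com/privacy">Privacy statement</a></p>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, only the masked link is reported; the genuine privacy link passes because its registrable domain is on the allowlist and its display text is not a URL. The display-text check is deliberately narrow (text that looks like a domain) so that ordinary "Click here" links are judged only by their href.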
"This attack leverages the economic uncertainty around COVID-19," Abnormal's report continues. "Many who have been furloughed, laid off or have had their hours reduced due to shelter-in-place orders around the nation will be anxiously awaiting the arrival of the stimulus check that was part of Congress’s $2 trillion dollar stimulus effort."
Last month, the FBI’s Internet Crime Complaint Center (IC3) issued a public service announcement warning citizens to watch out for unsolicited stimulus emails. These schemes are now in full swing.
Researchers at FireEye in March reported similar activity, noting that on March 18, employees at a broad array of corporations received phishing emails with the subject line “COVID-19 Payment.” This scam was designed to infect potential victims with SILENTNIGHT (aka Zloader) banking malware via password-protected Microsoft Word documents containing malicious macros.
The campaign was particularly prevalent in Canada, but nevertheless had a global reach. Some emails were even customized to reference a particular country's government officials and form of currency.
"Canadian Prime Minister Justin Trudeau approved an immediate check of $2,500 -/CAD for those who choose to stay at home during the Coronavirus crisis. Here is the form for the request. Please fill it out and submit it no later than 25/03/2020. Password is 1234," one sample phishing email stated.
Cisco's Talos research team last month also reported in a blog post that it had "already detected an increase in suspicious stimulus-based domains being registered and we anticipate they will be leveraged to launch malicious campaigns against users."