Coronavirus Scams: Phishing Websites & Emails Target Unsuspecting Users

As COVID-19 fears grow, hundreds of Coronavirus-themed domains are being
used to spread malware and steal information

Amongst growing fears of this global pandemic, Coronavirus scams and malicious websites are on the rise. The latest news from the Health Sector Cybersecurity Coordination Center (HC3), a new malicious website is circulating on the internet that targets unsuspecting users.

True to their selfish nature, cybercriminals are taking
advantage of public panic about the global Coronavirus pandemic for their own
selfish goals. Now, of course, this concept is nothing new. Cybercriminals are
always looking for the next best thing to take advantage of. But that doesn’t
mean that it isn’t a serious issue that you can simply ignore.

So, what is this new phishing website and why should you be
concerned about it? And what are some of the other Coronavirus scam tactics
that cybercriminals are using to take advantage of the global pandemic?

Let’s hash it out.

Cybercriminals Create Coronavirus Tracker Map to Spread Info-Stealing

When something’s wrong, people frequently turn to the
internet to get the latest information. Cybercriminals know this and are
creating fraudulent websites that impersonate real, reputable authorities. Their
latest tactic? Live tracker websites.

In truly low-life fashion, some schmuck decided to create a phishing website, corona-virus-map[dot]com (and, no, please don’t type that into your browser), that appears to be a legitimate COVID-19 live tracking map for the virus. In this case, HC3 reports that the cybercriminals were impersonating John’s Hopkins University, a world-renowned health institution, to infect website visitors with the AZORult trojan. This program exfiltrates a wealth of sensitive data that can be sold on the dark web or used to commit cybercrimes, including cryptocurrency theft.

Here’s a screenshot from the official HC3 notification about
the phishing scam site:

Graphic: Screenshot of a Coronavirus phishing site

In general, Coronavirus themed cyber attacks and phishing websites are becoming a lot more common as news about the virus continuously blasts from virtually every media outlet. Check Point, a cybersecurity firm, recently reported on their blog that CNN alone hosts more than 1,200 articles.

According to the same blog post:

“Since January 2020, based on Check Point Threat Intelligence, there have been over 4,000 coronavirus-related domains registered globally. Out of these websites, 3% were found to be malicious and an additional 5% are suspicious. Coronavirus- related domains are 50% more likely to be malicious than other domains registered at the same period, and also higher than recent seasonal themes such as Valentine’s day.”

In addition to users finding the website organically through
web searches, the website was circulated via a variety of other tactics,

  • malicious links and attachments in emails
  • social engineering, and
  • online advertising.

This newly discovered threat follows on the heels of other
cyber scams, including other Coronavirus-themed malware and phishing emails.

Coronavirus-Themed Phishing Emails Are on the Rise

Another way that cybercriminals are taking advantage of a bad situation is by launching Coronavirus-themed email phishing campaigns. In a February notification, the HC3 reported that carefully crafted phishing emails are sent to entice users to open attachments or to click on links that contain malware that’s frequently used to target healthcare organizations and their IT systems.

According to the HC3:

“Victims who interact with malicious links or attachments may expose their systems, networks, and valuable information. These exposures allow an attacker to use infected systems as a platform to launch additional attacks.”

In these campaigns, cybercriminals impersonate a variety of organizations, including the U.S. Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), and a Japanese disability welfare service provider. But Coronavirus scams don’t stop where the digital world ends — criminals are impersonating federal authorities in face-to-face scams as well.

According to Check Point, one particularly widespread phishing campaign targeted more than 10% of all organizations in Italy! The email contained an Ostap Trojan-Downloader disguised as a Microsoft Word document. This downloader is commonly used as to install TrickBot, a banking trojan that’s steals sensitive information via man-in-the-middle (MitM) attacks, or spreads other types of malware across networks.

Here’s a screenshot from Check Point’s blog post:

The email translates to read the following in English:

“Due to the number of cases of coronavirus infection that have been documented in your area, the World Health Organization has prepared a document that includes all the necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message.

We strongly recommend that you read the document attached to this message.

With best regards,

Dr. Penelope Marchetti (World Health Organization – Italy)”

Although the email didn’t come from an official WHO email
address or domain, people who are ignorant of cybersecurity threats — or who
are caught in a moment of unawareness — could find themselves the victims of a
data breach.

Background on the Coronavirus and Why It Makes an Effective Scam Method

Obviously, we’re not global health experts, but here is some basic information about COVID-19:

The Coronavirus Disease 2019 (also known as COVID-19) is something that’s captured the world’s attention — and for good reason. reports that the virus has infected individuals in 125 countries and territories globally in additional to cruise ships. The Washington Post reports that there have been more than 100,000 cases of the disease reported since late 2019 when the outbreak started, and “several thousand people have died” (although the true number of Coronavirus cases is thought to be “fall above official tally.”)

As the Washington Post reports:

“Coronaviruses range from the common cold virus to more serious diseases that can infect humans and animals, including severe acute respiratory syndrome (SARS) and Middle East respiratory syndrome (MERS).”

But here’s the takeaway we want you to focus on: Even in the
grimmest of circumstances, when governments worldwide are trying to slow the
spread of the virus among their populations, cybercriminals aren’t taking a
break. In fact, they’re ramping up their efforts, using the global health
crisis as an opportunity to steal information from unsuspecting individuals who
are trying to stay informed.

To you, hackers, we have one thing to say: You suck.

To businesses and organizations, both in the U.S. and
abroad, we say the following: Stay informed and keep your employees informed as

How to Protect Your Organization from Fake Coronavirus Phishing Sites

For businesses and IT administrators, you know this means
that there’s a chance you or some of your organization’s users may find
themselves on one of these sites.  

What you can do to help prevent users from falling for these
phishing scams is:

Keep Employees Informed

Send out information via official channels to keep your
employees abreast of the latest Coronavirus news so they don’t go looking for
it themselves. Also keep them informed of any Coronavirus-themed threads such
as new websites and email scams to look out for.

Share Official Resources

Provide employees with links to valid, official Coronavirus
tracking sites and resources. Here’s a list of trustworthy and reputable
resources to help you get started:

Update Your Cyber Awareness Training

Educate users about the dangers of phishing emails and
websites via cybersecurity awareness training. Teach them how to recognize
suspicious emails and websites, and use best practices to avoid becoming

Email Security Best Practices - 2019 Edition

Don’t Get Breached

91% of cyber attacks start with an email, which can leave your business open to devastating data breaches. Not securing your email is like leaving the front door open for hackers.

Verify, Don’t (Blindly) Trust

Institute policies and processes that stipulate that before
any sensitive information can be shared, wire transfers can be made, or any
other actions can be taken, employees must first verify the request directly with
the source.

So, for example, if you receive an urgent email from CFO
John Smith saying that he’s in a meeting (or otherwise unavailable) and that
you need to perform a wire transfer immediately for a vendor, make it so that
your employees must:

  • carefully check the email header information
    (the “from” field), such as the email address and domain name, to verify that
    it matches the contact information for that individual.
  • never respond to the email sender directly.
  • get phone verification by calling via an
    official phone number (such as from your internal directory).
  • implement a code word or phrase that can be used
    to authenticate a user.

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: