Threat actors are repurposing Nigerian Prince or 419 lures with novel coronavirus messaging to capitalize on the current pandemic. Today’s examples demonstrate how they are doing it.
We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up to date on how threat actors are exploiting the pandemic.
In the first example, the subject line and email body impersonate the Department of the Treasury. The sender’s address, however, comes from a known banking phish. The lure is a classic advance-fee scam, with the infrastructure edited to increase the probability of a reply.
The second example is sent from a compromised email account belonging to a medical organization. This is likely why the email made it through the spam filter of the financial institution that received it.
The threat actor uses a burner Gmail address, firstname.lastname@example.org, as the Reply-To, further enhancing credibility by implying ties to the virus.
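Because a message sent from a compromised account at a legitimate organization can pass sender-reputation checks, the Reply-To redirect described above is one of the few header-level signals left to a mail filter. The following is an added example, not PhishLabs code, of a check that flags a Reply-To pointing outside the sender's organization; the function names, the free-mail domain list, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: short illustrative list; a production filter uses a maintained one.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def _domain(address):
    """Return the lower-cased domain of an address, or '' if it has none."""
    return address.rpartition("@")[2].strip().lower() if "@" in address else ""


def _same_org(a, b):
    """Rough same-organization test: equal domains or parent/subdomain."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def reply_to_findings(raw_message):
    """Return (reply_to_address, reason) pairs for suspicious Reply-To headers."""
    msg = message_from_string(raw_message)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    findings = []
    for _name, addr in getaddresses(msg.get_all("Reply-To", [])):
        reply_domain = _domain(addr)
        if not reply_domain or not from_domain:
            continue  # nothing to compare
        if _same_org(reply_domain, from_domain):
            continue  # replies stay inside the sender's organization
        if reply_domain in FREEMAIL_DOMAINS and from_domain not in FREEMAIL_DOMAINS:
            # Organizational sender, but replies go to a free webmail box.
            findings.append((addr, "reply-to-freemail-from-org-sender"))
        else:
            findings.append((addr, "reply-to-domain-mismatch"))
    return findings


# Constructed sample messages (not taken from the emails described in this post).
SUSPICIOUS = (
    'From: "Clinic Billing" <billing@clinic.example>\n'
    "Reply-To: constructed.sample@gmail.com\n"
    "Subject: COVID-19 relief payment\n\nBody\n"
)
BENIGN = (
    'From: "Clinic Billing" <billing@mail.clinic.example>\n'
    "Reply-To: support@clinic.example\n"
    "Subject: Appointment reminder\n\nBody\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, reply_to_findings(raw))
```

A mismatch alone is common in legitimate bulk mail, so a finding like this is better used as a scoring input alongside content signals than as a standalone block rule.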
The pandemic has given 419 scams another opportunity to evolve. As we see an increasing number of familiar lures leveraging COVID-19, it is clear that most threat actors aren’t reinventing the wheel; they are simply following the latest trend.
For more intelligence on COVID-19 threats, see our ongoing coverage.