As COVID-19 continues to spread, we are seeing an increase in threat actors impersonating public health organizations and luring victims in with fake links to government agencies. The four examples below impersonate the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) using lures we have recently observed.
We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic.
Webmail Credential Theft Lures
In the first example, the sender uses SendGrid to distribute mail from a fake nationalhealthcenter email address. The link in the message claims to provide an updated list of new cases, but it actually leads the victim to a webmail phishing page built to steal login credentials.
IP Address: 220.127.116.11
In the second example, the threat actor(s) registered a fake domain for the lure and hosted the phish on it as well: http://url4510.cdchealth.org/.
As in the first example, SendGrid is used, and the sending address originates from an Amazon AWS server.
IP Address: 18.104.22.168
Coronavirus Payment Lures
The third lure promises the victim a payment as part of coronavirus compensation. The sender's address is a compromised account, which is why the cybercriminal instructs the victim to reply to a different address (firstname.lastname@example.org) in order to receive the compensation. One of the biggest red flags in this message is the implication that, in order to receive the payment, the victim must first pay $220.
The last lure uses a spoofed WHO email address in a donation scam: the cybercriminal asks for a cryptocurrency transfer to a Bitcoin wallet. If the transfer is made, there is little chance the transaction can be reversed.
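The indicators described across the four lures (a tracking-style subdomain in front of a lookalike health-org domain, a sender claiming to be CDC/WHO from a domain the organization does not own, a Reply-To that steers replies away from a compromised From address, a fee demanded before a promised payment, and a Bitcoin wallet in a donation pitch) can be turned into simple mail-triage checks. The script below is an added example, not PhishLabs' code or data: every sample message, domain and wallet address in it is constructed, the allowlist of legitimate domains is an assumption, and the urlNNNN subdomain heuristic is a generalization of the url4510.cdchealth.org pattern in the post rather than something the post itself states.

```python
"""Heuristic triage of COVID-19-themed phishing lures (constructed example).

Scores an RFC 822 message against the indicators discussed in the post.
Nothing here is real: the messages, domains and Bitcoin address are made up.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumption: domains the impersonated organizations really send from.
LEGIT_HEALTH_DOMAINS = {"cdc.gov", "who.int"}
# Tokens that suggest a domain is trading on a health organization's name.
HEALTH_TOKENS = ("cdc", "who", "health", "coronavirus", "covid")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumed heuristic: SendGrid-style click-tracking subdomains look like
# urlNNNN.<customer-domain>, the shape of url4510.cdchealth.org in the post.
TRACKING_SUBDOMAIN_RE = re.compile(r"^url\d+\.", re.I)
# Loose match for legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses.
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,39}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# "pay a $220 processing fee" style advance-fee demand.
ADVANCE_FEE_RE = re.compile(r"\b(?:pay|fee|charge|deposit)\b[^.]{0,60}?\$\s?\d[\d,]*", re.I)
ORG_CLAIM_RE = re.compile(r"\b(?:cdc|who|world health)\b", re.I)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .gov/.int/.org, not co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value: str) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def looks_like_health_lookalike(domain: str) -> bool:
    """A domain that borrows a health-org token but is not the real organization."""
    return domain not in LEGIT_HEALTH_DOMAINS and any(t in domain for t in HEALTH_TOKENS)


def triage(raw_email: str) -> list[str]:
    """Return the sorted list of indicator names that fire for one message."""
    msg: Message = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = set()

    from_hdr = msg.get("From", "")
    from_dom = address_domain(from_hdr)
    reply_dom = address_domain(msg.get("Reply-To", ""))

    # 1. Sender claims CDC/WHO but the address domain is not theirs (lures 2 and 4).
    if ORG_CLAIM_RE.search(from_hdr) and registered_domain(from_dom) not in LEGIT_HEALTH_DOMAINS:
        hits.add("spoofed-health-org-sender")

    # 2. Replies are routed away from the (possibly compromised) From address (lure 3).
    if reply_dom and reply_dom != from_dom:
        hits.add("reply-to-redirect")

    # 3. Links: tracking subdomain in front of a lookalike domain (lures 1 and 2).
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        reg = registered_domain(host)
        if looks_like_health_lookalike(reg):
            hits.add("lookalike-health-domain")
        if TRACKING_SUBDOMAIN_RE.match(host) and reg not in LEGIT_HEALTH_DOMAINS:
            hits.add("tracking-subdomain-link")

    # 4. Victim must pay before the promised payment arrives (lure 3).
    if ADVANCE_FEE_RE.search(body):
        hits.add("advance-fee-demand")

    # 5. Donation scam with a Bitcoin wallet (lure 4).
    if BTC_RE.search(body):
        hits.add("bitcoin-wallet")

    return sorted(hits)


# Constructed sample messages; none of these addresses, domains or wallets are real.
SAMPLES = {
    "webmail-phish": (
        "From: CDC Health Alert <alerts@cdchealth.example>\n"
        "Subject: Updated list of new COVID-19 cases\n\n"
        "View the updated case list: http://url4510.cdchealth.example/cases\n"
    ),
    "payment-lure": (
        "From: Jane Doe <jane.doe@compromised-company.example>\n"
        "Reply-To: claims@payout-desk.example\n"
        "Subject: Your coronavirus compensation\n\n"
        "To receive your $1,500 coronavirus compensation you must first pay a $220 processing fee.\n"
    ),
    "donation-scam": (
        "From: World Health Organization <donate@who-relief.example>\n"
        "Subject: COVID-19 Solidarity Response\n\n"
        "Help fight the pandemic. Donate Bitcoin to bc1qexampleaddress0000000000000000 today.\n"
    ),
    "legitimate": (
        "From: CDC <updates@cdc.gov>\n"
        "Subject: Coronavirus guidance\n\n"
        "Latest guidance: https://www.cdc.gov/coronavirus\n"
    ),
}


def triage_samples() -> dict[str, list[str]]:
    """Run every constructed sample through triage()."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in triage_samples().items():
        print(f"{name}: {hits or 'no indicators'}")
```

The checks are deliberately coarse: the point is that each lure in the post leaves a structural trace in headers or body that can be matched without relying on the ever-changing COVID-19 wording itself, which is what makes the pandemic theme attractive to attackers in the first place.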
As long as the pandemic lasts, cybercriminals can take advantage of the constantly changing statistics and new data the public is looking for. The FBI has weighed in frequently on the rise in coronavirus-related fraud and phishing emails, reminding everyone to be wary of emails purportedly from public or government officials that claim to track or provide information on the virus.
For more intelligence on COVID-19 threats, go here.