3 ways hackers are using COVID-19 as a weapon

Hackers have initiated a wave of phishing attacks to try and capitalize on the fear and uncertainty related to the COVID-19 pandemic. As typically happens in times like these, the phishing threat has evolved and become more sophisticated as cybercriminals and nation states determine what’s working and make communications seem more authentic and believable.

Here are three specific ways that we are currently seeing threat actors attempt to weaponize the COVID-19 pandemic:

• Cybercriminals will use legitimate branding of a trusted organization such as the World Health Organization or Centers for Disease Control and Prevention to lure victims into clicking their phishes. Criminals buy domains that resemble such trusted organizations (i.e., cdc-gov.org, cdcgov.org, etc.) to perform phishing attacks. 
• A range of malware, including both ransomware and remote access Trojans (RATs), is being delivered by COVID-19 phishing emails targeting most industries—in particular, finance, health care, life sciences and manufacturing. 
• Phishing emails commonly contain a weaponized Microsoft Office document that when opened and executed installs malware or exploits a known vulnerability on the victim’s computer. 

In RSM’s upcoming 2020 Middle Market Business Index Cybersecurity Special Report, we find that 49% of middle market executives say that outside parties attempted to manipulate their employees by pretending to be trusted third parties or high-ranking executives, a 7% increase over last year. These are the same attacks that criminals are deploying in conjunction with the COVID-19 pandemic, and the threats are unrelenting and potentially very harmful.

Businesses can implement a few measures to protect themselves and reduce the risks of falling victim to evolving COVID-19 phishing scams:

• Monitor emails that come from the CDC or WHO and other domains that closely resemble those. Many times the URL that is displayed within the emails will be legitimate but when clicked, the victim is redirected to a malicious website. In addition, neither the CDC nor the WHO accept payment via bitcoin, so any request of this type should be considered malicious. 
• Be sure to read emails closely for clues and context. While many organizations will send legitimate emails on COVID-19, most will be informational in nature. The phishing emails that we are seeing mimic most other phishing emails, attempting to create a sense of urgency often with bad grammar and spelling.
• Disable macros as this appears to be a popular infection mechanism.

On any given day, new COVID-19-related web domains are registered. A recent article from Sophos, a British information technology company, states that 42,578 new domains with the terms “COVID” or “corona” have been registered since Feb. 8. This certainly does not mean that all have malicious intent, but the volume of new websites muddies the waters when trying to determine what is or isn’t a legitimate source of information. As of mid-April, Sophos had identified more than 60 domains that were linked to malicious activity. The following domains were specifically linked to malware downloads, according to Sophos:

• corona-masr21.com
• netflixcovid19s.com
• chasecovid19v.com
• chasecovid19t.com
• chasecovid19s.com
• corona-masr2.com
• chase7-covid.com
• masry-corona51.com
• corona-virusapps.com
• coronavirus-realtime.com
• covid-19-gov.claims
• corona-virus-map.net
• corona-map-data.com
• coronavirus-apps.com
• childcarecorona.com
• impots-covid19.com
• corona-apps.com
• coronaviruscovid19-information.com
• coronations.usa.cc

Until the COVID-19 pandemic subsides, phishing attacks will continue to be a persistent threat. However, by understanding the threat and common methods, and staying aware, companies can reduce the likelihood of becoming the victim of an attack.