Update 3-26-20: A new prevalent example of Android Spyware that leverages COVID-19 as a way to deliver their malicious product has been reported by researchers at Lookout. This particular malware, called "corona live 1.1.", comes out of Libya and seems to mostly be targeting Libyan citizens. Like other examples listed below, it uses the same COVID-19 dashboard developed by Johns Hopkins University.

For malicious people, preying on collective fear and misinformation is nothing new. Mentioning national headlines can lend a veneer of credibility to scams. We've seen this tactic time and again, so it's no surprise that COVID-19 themed social media and email campaigns have been popping up online. This blogpost provides an overview to help you fight against phishing attacks and malware, examples of phishing messages we’ve seen in the wild related to coronavirus and COVID-19, and specific scenarios to look out for (such as if you work in a hospital, are examining maps of the spread of the virus, or are using your phone to stay informed).

Avoiding phishing attacks

The COVID-19 themed scam messages are examples of "phishing," or when an attacker sends a message, email, or link that looks innocent, but is actually malicious and designed to prey on fears about the virus. Phishing often involves impersonating someone you know or impersonating a platform that you trust. Your day-to-day diligence is the best preventative measure. Consider these points before you click: Is it an enticing offer? Is there a sense of urgency? Have you interacted with the sender before over this platform?

If an email sounds too good to be true (“New COVID-19 prevention and treatment information! Attachment contains instructions from the U.S. Department of Health on how to get the vaccine for FREE”), it probably is. And if an email demands urgent action from you (“URGENT: COVID-19 ventilators and patient test delivery blocked. Please accept order here to continue with shipment.”), take a moment to slow down and make sure it’s legitimate. Keep in mind that legitimate sources of health information likely won’t use unsolicited email or text messages to make announcements. Some examples of phishing emails — ones that we’ve received and you might similarly encounter — are included at the bottom of this post.

 it seems like an email from Gates Foundation. Upon looking closer, the email is actually from Gates Fonudation.

In the above email, note that the domain sending this “Gates Foundation” email includes a subtle typo. Phishing emails such as this one expect readers to only see the display name, without the email address beside it. Be vigilant to see the email address that the message is originating from. 



Some common-sense measures to take include:
  • Check the sender's email address. Are they who they claim to be? Check that their contact name matches the actual email address they’re sending from.
  • Try not to click or tap! If it’s a link and you’re on a computer, take advantage of your mouse’s hover to closely inspect the domain address before clicking on them.
  • Try not to download files from unfamiliar people. Avoid opening attachments from any external email addresses or phone numbers.
  • Get someone else’s opinion. Ask a coworker: Were we expecting an email from this sender? Or ask a friend: Does this email look strange to you? A good practice is to use a different medium to verify (for example, if you receive a strange email claiming to be your friend, try calling your friend over the phone to double-check that it’s from them).

For more tips—such as important preventative measures to these attacks, like backing up your data and updating your software—check out our Security Education Companion printable handout on malware and phishing, which is included at the end of this article.

Specific Scenarios to Watch For

Sometimes, malicious actors use phishing messages to get you to log into a service. They might provide a website that looks like a social media service you use, a service you use for work, or a critical website you use for payments and banking. However, sometimes, phishing messages are used to get you to download malware, or malicious software. We’ve included some more specific scenarios where we’ve seen COVID-19 themed phishing attacks and malware below.

Hospitals and Healthcare Workers at Risk

Hospitals in New York are notifying their staff about incoming cyber attacks, and have cited a few different common attack types that have already appeared, including: 

  • a phishing email from a sender purporting to represent a well-known organization like the World Health Organization (WHO) 
  •  a phishing email claiming to be from the Centers for Disease Control and Prevention (CDC), providing vital information about how to prevent and treat COVID-19. 

Some emails will carry attachments such as PDFs or Word document files that promise to carry that vital information, but actually have embedded malicious code that will infect your computer.

Another type of phishing campaign targeting hospitals comes from senders pretending to be medical suppliers. In the emails, they claim that their deliveries have been stalled or interrupted and require some action on behalf of the hospital staff to complete. The message body will provide a link that will take the recipient to a site that will then execute malicious code. When malicious code is installed on a computer, this could be used to steal important data or corrupt the disk. Two types of malware that are being especially used are trojans and ransomware:

    • Trojans: When downloaded, Trojan software may perform like the intended legitimate application, but is in fact doing malicious things in the background.  An example in these COVID-19 emails is the use of the AzorUlt Trojan.
    • Ransomware: When downloaded, this malicious software holds a company, organization, or individual's data for ransom.

AzorUlt Trojan

Malwarebytes Labs reported finding variations of an AzorUlt trojan malware embedded in some of these attachments. The AzorUlt trojan is a flexible type of malware that commonly collects important data like browser history, passwords, and session cookies from the infected computer, then sends that to a command and control server elsewhere online. From there it could download and execute more malicious code, such as ransomware. This particular type of trojan is good at staying hidden, as its core function is to collect vital data from non-persistent memory on the infected machine, then quietly deliver that to its command and control server.

Krebs On Security recently documented that some phishing campaigns use a live interactive map of COVID-19 to distribute different variations of the same AzorUlt trojan. The map and interactive dashboard were developed by Johns Hopkins University, so visually these emails could appear valid and trustworthy even to a cautious eye.

Mobile Phone Ransomware

Sometimes, attackers might get you to download an application that pretends to be helpful or to provide critical medical information, but actually installs malware. A researcher at DomainTools recently reported on a distribution of Android ransomware that has been posing as a coronavirus update application. Upon downloading the app, it will encrypt and lock the user’s phone, demanding Bitcoin in ransom. Unfortunately for the developers of this malicious app (and luckily for affected users), a researcher at ESET Research discovered that the decryption key was hardcoded: anyone affected could use the same code to retrieve control of their phone. They published said key on Twitter.

Responding with Vigilance

As the world’s anxiety regarding coronavirus continues to escalate, the likelihood that otherwise more cautious digital citizens will click on a suspicious link is much higher. Even more unfortunate is that hospitals and medical facilities are already likely to fall victim to ransomware attacks. With a burgeoning global pandemic, the consequences of these attacks will be even more dire. And with medical staff already overburdened and overworked with the demands brought on by COVID-19, they will be more likely to be susceptible.

Despite these phishing campaigns taking advantage of headlines, so far they’re not really anything new. That makes detecting them easier. With appropriate caution, you can avoid these phishing strategies. For more information on how malware is installed (and how to avoid it), check out this malware and phishing handout from SEC.

Examples of COVID-19 Phishing Emails

Example 1

Hello.

We have urgent information about the CORONAVIRUS(COVID-19). VBS

presentation in rar.

The attachment contains a document with safety and coronavirus

prevention instructions,

also instructions from the U.S. Department of Health on how to get the

vaccine for FREE.

Send this information to all your loved ones as soon as possible.

rar password : 1234567

=================================

U.S. Department of Health & Human Services

200 Independence Avenue, S.W.

Washington, D.C. 20201

Toll Free Call Center: 1-800-368-1019

TTD Number: 1-800-537-7697


Example 2

(In this example, notice how the links they provide start with https; and not https: This is a common tactic of putting two very similar looking characters by each other so that the user won’t notice the difference and will click on the link before realizing it’s not what it appears to be) 

The outbreak of Coronavirus is a rapidly developing situation and is likely to affect many travel plans over the coming months. We strongly recommend that anyone travelling or planning to travel takes guidance from the Foreign and Commonwealth office:

https;//eff.org/coronavirus-covid-19-information-for-the-staff

The WHO's designation of coronavirus as a pandemic yesterday has significant implications for the operation of insurance policy cover and these are clearly posing unprecedented challenges. 

The team have put together some advice for you based on current activities:

I am travelling to a country where there has been an outbreak?

If the WHO advise against travel to the area you are visiting then in the first instance you should contact your travel operator or medical practitioner to reschedule or ask for a protective tips. MOST REPORTED CASES SAVES LIFES.

 Kindly take a break and read the attached articles on our site and futher refrences on the issue for our staff

https;//www.google.com/tips/coronavirus-covid-19-information-for-the-public



Example 3

(In this example provided by Abnormal Security, the target’s name and the university the sender is pretending to be from have been removed. The link directs the target to a page asking them to login to their Outlook account. This seemingly harmless login page is actually stealing those credentials.)

Hi ______,

Kindly check the latest information about COVID-19 [Corona Virus]

https://www.[xxxxxx].edu/content/covid-19-coronavirus-information.pdf

The Trustees of [xxxxxx] University | Health Team