Malware Authors and Scammers Adapt to Current Events with Phishing and More
Cyber criminals are opportunists that continuously evolve their methods of attack. And, as history has shown us, the bigger the global visibility of a cyberattack opportunity – be it government elections, religious holidays or global events such as we find ourselves in today – bad actors employ every tool in their arsenal to make the most of every attack opportunity.
According to the World Health Organization, email attacks impersonating that organisation have increased two-fold since the beginning of March. And this is just one of many examples of current cyberattacks posing as a trusted global organization, as every nation in the world is trying to manage through these unprecedented times.
Taking optimal advantage of world events, we are seeing trends of cyber attackers leaning into social-engineering that utilizes popular keywords – such as Coronavirus and COVID-19 – to execute online scams, phishing and malware attacks.
Following is an overview of recent global cyberattack trends Forcepoint has been tracking to give you a view into what to look out for and how to protect yourself against impending cyberattacks that take advantage of today’s global climate.
Phishing related campaigns have one goal - tricking people into entering their personal details or valuable credentials into a fake application or on a “legitimate” looking web site. Our first subject under analysis is pretending to be a missed call about a COVID-19 update. The email contains no text in the message body, but rather an attachment with an .htm” extension.
Upon a closer look, the attachment is indeed a simplistic HTML file with the sole purpose of directing people to a suspicious looking URL.
The window title will display "Fetching your audio file" while the web page is loading, and soon we will find ourselves on a fake Outlook portal. The username will be already pre-filled, only the password is waiting to be entered. Despite all the similarities we aren't dealing with an official Outlook portal here, look at the strange URL in the HTML attachment with the prepared email address. It’s always recommended to double check the destination we land on before entering any sensitive data.
Different flavors of traditional spam
Trading on people's superstitions and fear is an old technique, especially in times when we are navigating through a serious global event with far reaching impact on communities all over the world. Official, semi-official and unofficial advice is coming from every possible direction - along with a number of hoaxes.
- How to strengthen our immune system?
- What steps to take to prevent infection?
- What are the natural ways to defend ourselves?
- Which are the best masks to wear when travelling?
Most of these are valid questions to raise, however answers can vary widely, and it is easy to heed fake advice. Some of the recent spam campaigns are particularly focused on this technique. They either contain links to shady web sites and services or encourage people to buy a specific product which is supposed to help protect against Coronavirus and COVID-19.
When in doubt, research similar goods from reputable websites and brands you have purchased from before. And, starting research through official global health sources such as WHO or CDC can also help with debunking what is real and what may actually be detrimental to your health.
New pitch for existing malware families
The examples above are from the lesser types of evil when it comes to the level of possible harm caused. Our final subject - despite arguably looking the most authentic, takes the damage potential up a notch. The email targeted those in Italy, purportedly during the time the country’s reported cases were continuing to increase. It encourages the opening of the attached document, which it presents to be sent from the World Health Organization (WHO) with information covering all the necessary precautions against Coronavirus infections.
Opening the attached Microsoft Word document will result in the following screen being displayed, asking users to follow the steps of enabling macros, unless the default security settings related to them were already modified.
There are several macros in the document and they are also protected by a password to prevent editing. Fortunately, that can be worked around, so let’s have a look at the famous autoopen.
There is “DebugClassHandler” defined in the autoopen macro which would be automatically executed upon opening the document. Investigating it deeper quickly reveals the dropping of two files: “errorfix.bat” and “Ranlsojf.jse”. The former is a standard batch file meant to open the latter with the help of Windows’s inbuilt script interpreter.
Under an extended period of stress such as a world-wide pandemic, anxiety and desperation can make it easy to let one’s guard down when it comes to online threats. Cybercriminals exploit these moments by playing on fears in the hope that we will fall for their carefully crafted scams. Whenever emails related to real-life events are received, we must remain vigilant and take the time to consider their authenticity. By practicing security vigilance on a daily basis, we can mitigate the impact cyber attackers can have during global events because we’ll already be looking for their exploits.
Attacker tools, techniques and procedures remain largely the same; only the theme of the lure has changed to align with current events. If kept up to date, your web and email security stack should remain effective against these adjustments in the threat landscape.
Forcepoint customers are protected against this threat at the following stages of attack:
Stage 2 (Lure) – Malicious emails associated with these attacks are identified and blocked.
Stage 6 (Call Home) – Attempts to contact command-and-control servers are blocked.