Client Alert

Don’t Feed the Fish: COVID-19 Phishing Scams and Malware Attacks

April 24, 2020

Aaron Charfoos, Claire M. Blakey & John E. Binkley

Congratulations! Your entire workforce is now remote and your cyber training has effectively taught them that the prince in exile is not really going to share his millions in offshore cash if they just let him park the money in their personal bank account. But what about an email from IT stating that the company has changed its remote work settings and requesting action, a newsletter from the government detailing new Paycheck Protection Program loan information, or the secure document they receive providing information about their work colleague who was just diagnosed with COVID-19 (and they get the colleague’s name right)?

Cyber criminals have moved quickly to take advantage of the fear and concern around COVID-19, along with increased reliance on social media to stay connected, to launch very sophisticated cyber-attacks. These range from generic “phishing” campaigns, perpetrated by sending an email—or, increasingly, a text message—that appears to originate from a trustworthy source, or “spear phishing,” where the hackers monitor social media and specifically tailor the attack to the victim.

We previously reported on the U.S. Department of Homeland Security (“DHS”) Cybersecurity and Infrastructure Agency (“CISA”) and the U.K.’s National Cyber Security Centre (“NCSC”) joint alert discussing COVID-19-related malicious cyber activity. With several more weeks of experience, we can now see how the threat landscape is evolving. In particular, organizations should be on the lookout for the following campaigns:

General COVID-19 Updates

People are desperate for any news about the virus and can easily be lured into clicking on links or attachments that look like new updates. Both CISA and the NCSC have observed a large volume of email phishing campaigns with subject lines such as:

  • 2020 Coronavirus Updates

  • Coronavirus Updates

  • 2019-nCov: New confirmed cases in your City

  • 2019-nCov: Coronavirus outbreak in your city (Emergency)

One phishing campaign delivers emails purportedly from the Director-General of the World Health Organization, Tedros Adhanom Ghebreyesus, which contain an attachment that supposedly provides information on drugs for the prevention and treatment of COVID-19. By opening this attachment, the email recipient downloads a type of malware that logs keystrokes and captures screenshots.

Another phishing attack prompts Android users to download an app containing a COVID-19 map that appears to provide tracking and statistical information about the virus. The application in fact constitutes a type of ransomware, nicknamed “CovidLock,” which prevents victims from accessing their devices until a ransom is paid.

Offers of Medical Supplies and Insurance

There have also been reports of phishing emails offering medical supplies like thermometers, face masks, and COVID-19 testing kits, as well as health insurance, which solicit financial information, or attach malware. The CISA-NCSC alert describes an example of a campaign in which the attackers attach images of the medical supplies offered for sale, where the attachment instead contains a loader for a type of keylogger malware called “Agent Tesla.”

U.S. Government Aid

The U.S. Secret Service has reported a rise in phishing campaigns related to federal COVID-19 financial support, which request that potential victims provide personal information in order to receive stimulus funds. Some of these campaigns involve the use of spoofed email addresses posing as U.S. Treasury officials.

The FCC has also reported a text scam claiming to be from the “FCC Financial Care Center” and offering $30,000 in COVID-19 relief, despite the fact that no such FCC program exists.

Other U.S. Government Communications

The Secret Service issued an alert warning corporations about fraudulent emails apparently sent by the U.S. Department for Health and Human Services (“HHS”) that request the recipient to provide personal protective equipment and thermometers, and refer to an attached product list. When the recipient opens the attachment, malware is downloaded onto the recipient’s device.

The Better Business Bureau has also warned the public of a text scam, in which the sender impersonates HHS and informs recipients that they must take a “mandatory online COVID-19 test” by clicking on the included link.

Other criminals have impersonated the U.S. Centers for Disease Control and Prevention in sending phishing messages, with at least one example using the spoofed sender alias CDC Health Alert and the subject line “CDC-INFO-Corona Virus [Viccine] found.”

Updates from Business Partners and Vendors

The Secret Service has also warned corporations about fraudulent emails posing as corporate responses to COVID-19, purportedly sent by a vendor or other member of a corporation’s supply chain, which contain malicious attachments. The alert also notes that the email attachments have frequently been a Microsoft Office or WordPad file.

Another example includes an email phishing campaign purportedly from Group Life and Health with the subject “Important Notice to Our Corporate Clients & Partners – COVID -19.” Attached to the spam email is a .rar file entitled, “COVID-19 Communication to corporate Clients.rar,” which contains Agent Tesla, malware commonly used by criminals attacking businesses.

Internal Corporate Communications

Among the cybersecurity implications of an entire organization working from home (as we discuss more generally here) are increased phishing attacks taking advantage of changes in corporate policy and the use of technology as a result of COVID-19. In particular, there has been a notable increase in fraudulent emails purportedly sent by an organization’s HR or IT departments, which provide revised company guidance and procedures, or direct an individual to perform a critical IT update.

Exposure to COVID-19

Finally, the Secret Service has alerted the public to a particularly egregious example of phishing emails that appear to come from a hospital and inform the recipient that they may have had contact with an individual infected with COVID-19. According to the Secret Service, these emails direct the recipient to download an attached Excel file, complete a form, and bring it to the nearest emergency clinic to be tested. Of course, clicking on the attachment in fact downloads malware to the recipient’s device.

Protecting Yourself Against COVID-19 Phishing Attempts

Advice for recognizing and protecting yourself against phishing attempts remains the same, whether or not the attempt is COVID-related:

  • Avoid opening attachments or clicking on links in messages from email addresses or phone numbers that you do not recognize.

  • Check the email address of a sender by hovering your mouse over the “from” address (though note that criminals can forge the “from” address on email messages to make them appear to be from a legitimate email address, otherwise known as “spoofing”).

  • If you receive a suspicious email from someone you know, contact that person with a new message instead of replying to the email.

  • If you receive a suspicious email or message from a government source or a charity, go directly to the government or charity’s website to independently confirm the information contained in the email or message.

  • Check the URLs of links sent by email before you click (including for spelling mistakes).

  • Watch out for URL redirects (where the URL displayed when you hover over the link is different from the text).

  • Do not install applications from untrusted sources (for Android users, this means sticking to the Google Play store).

  • More generally, always take time to consider whether a request for personal information or for payment (particularly payment by cash, gift card, wire, or cryptocurrency) is appropriate, especially if a message pressures you to act quickly!

Legitimate companies and organizations do not normally request sensitive information, or the verification of an account, by email or text message, and do not send unsolicited emails that contain attachments. In addition, the U.S. government has stated that information about stimulus relief will never be sent by text or any other messaging platforms, and the IRS has advised that it will never request personal information by email, text, or social media.

Finally, make sure that your employees know that the best thing to do if they do click on a suspicious link or attachment is to alert information security immediately. Keeping that information secret only makes the problem worse.

If there does appear to be a breach, companies should contact experienced data breach counsel and a forensic investigation firm to minimize any potential litigation and enforcement risks. Counsel can:

  • Conduct a privileged review to determine the extent of the attack;

  • Identify, contain, and mitigate the attack;

  • Advise on responses to media inquiries; and

  • Coordinate notifications to affected individuals and regulators.

The Paul Hastings Privacy and Cybersecurity practice has significant experience providing counsel on responding to suspected security breaches and personal data disclosures, guiding clients through investigations by federal authorities of potential privacy-related problems, and advising on establishing privacy and information security compliance programs. If you have any questions concerning these developing issues, please do not hesitate to contact members of this team.

Click here for a PDF of the full text

Get In Touch With Us

Contact Us