Phishing attacks exploit Coronavirus anxiety
In the past week, there have been many reports about criminal activity exploiting people’s fears of the coronavirus, aka Covid-19. The U.S. Secret Service, the World Health Organization (WHO) and the United Nations have all issued warnings to U.S. and global citizens, telling people to be on the lookout for suspicious activity exploiting the anxiety and confusion surrounding the pandemic.
Unfortunately, this criminal activity is all too real.
One of the most common tactics attackers have been employing is email phishing, where attackers send messages that appear to originate from a trusted organization such as WHO or the U.S. Centers for Disease Control (CDC).
In fact, Valimail has already observed senders using “lookalike domains” that seem aimed at imitating the CDC, such as cdc.agency, cdchq.com, cdchealth.org, cdcmgt.com, and cdcpress.org.
These senders’ messages were intercepted by Valimail Defend, which flags messages from untrusted domains like these and – depending on customer preference – can either label them as suspicious, quarantine them to a spam folder, or prevent them from reaching employees’ inboxes at all.
For many recipients, such email messages – if they reach the inbox – can look authoritative, especially if the contents of the messages are well-crafted. That sense of authority can in turn lead users to click on malicious links, divulge personal data to the attackers via linked phishing websites, or open attached documents that contain embedded malware.
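The lookalike-domain check described above can be illustrated with a small triage routine. This is an added example, not Valimail Defend’s code: it assumes a constructed allowlist of legitimate domains (cdc.gov, who.int), a constructed brand label (“cdc”), and constructed From: header values; the five lookalike domains it flags are the ones named in this post, and the verdict names (trusted, lookalike, untrusted) are this example’s own.

```python
import re

# Constructed allowlist: the legitimate domains of the organisations being imitated.
TRUSTED_DOMAINS = {"cdc.gov", "who.int"}

# Brand labels an attacker is likely to embed in a lookalike registration.
# Short labels (e.g. "who") also match innocent words such as "whoever", so a
# production list is curated per brand; "cdc" alone covers the domains in this post.
BRAND_LABELS = {"cdc"}

# Constructed From: header values. The lookalike domains are the ones the post
# names; the remaining entries are illustrative.
SAMPLE_FROM_HEADERS = [
    "CDC Health Alert <alerts@cdc.gov>",
    "CDC Health Alert <alerts@cdchq.com>",
    "noreply@cdc.agency",
    "Press Office <press@cdcpress.org>",
    "Newsletter <news@example.org>",
]

DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)>?\s*$")


def sender_domain(header_from: str) -> str:
    """Return the lowercase domain from a From: value ('Name <user@dom>' or 'user@dom')."""
    m = DOMAIN_RE.search(header_from.strip())
    if not m:
        raise ValueError(f"no domain in From header: {header_from!r}")
    return m.group(1).lower().strip(".")


def classify_sender(header_from: str) -> str:
    """'trusted' if on the allowlist; 'lookalike' if any DNS label embeds a brand
    label without being the real domain; otherwise 'untrusted'."""
    domain = sender_domain(header_from)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for label in domain.split("."):
        for brand in BRAND_LABELS:
            # Catches cdc.agency (label is the brand) as well as cdchq.com and
            # cdcpress.org (brand at the start of a label), and cdc.gov.evil.example.
            if label.startswith(brand) or label.endswith(brand):
                return "lookalike"
    return "untrusted"


def triage(headers):
    """Map each From: header to its verdict, the input for label/quarantine/block decisions."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:10} {header}")
```

The check runs on the header From: domain only; it says nothing about whether the message is authenticated, which is why a sender-identity control pairs a lookalike check like this with SPF/DKIM/DMARC results before deciding to label, quarantine, or block.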
The risk of Coronavirus-themed phishing
FireEye has detected Chinese hackers “sending email attachments with genuine health information about coronavirus but laced with malware such as Sogu and Cobalt Strike,” according to a recent story in Technology Review.
In a related development, Proofpoint observed, “attackers have expanded the malware used in their Coronavirus attacks to include not just Emotet and the AZORult information stealer, but also the AgentTesla Keylogger and the NanoCore RAT — all of which can steal personal information, including financial information.”
As NortonLifeLock wrote in a recent post, malware sent by email “could allow cybercriminals to take control of your computer, log your keystrokes, or access your personal information and financial data, which could lead to identity theft.”
For its part, Fortinet notes that it has observed “a significant increase in both legitimate and malicious activity surrounding the Coronavirus.” Malicious activity has included emails that appear to be Coronavirus reports from trusted sources, including governments, news outlets, and more.
How to keep your organization safe
To combat Coronavirus phishing threats, organizations’ email security controls need to include sender identity validation, to ensure that only trusted domains, senders, and services get to employees’ inboxes. (Note: This is what Valimail Defend does.)
Merely scanning emails for suspicious or malicious content is not enough. Attackers change the contents and techniques used in their phishing attacks so rapidly that content-centric filtering methods, even those that use artificial intelligence and machine learning, cannot catch everything. Such filtering solutions need to be combined with strong, zero-trust sender identity validation, so that untrusted senders cannot reach the inbox undetected.
Similarly, organizations should ensure that their domains are protected by email authentication with DMARC at enforcement, so they can’t be spoofed with exact-domain attacks. (Note: Getting to DMARC enforcement and staying there with minimal effort is what Valimail Enforce was invented to do.)
Fortunately, the CDC’s official domain, cdc.gov, has already done this, with a DMARC record at enforcement. But the WHO’s domain, who.int, does not have DMARC protection.
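What “at enforcement” means in a DMARC record can be made concrete with a small parser. This is an added example, not Valimail Enforce’s code: the record strings and domain names are constructed for illustration (no live DNS lookup is made, so they say nothing about cdc.gov or who.int), and the status names (enforcement, partial-enforcement, monitoring, no-dmarc) are this example’s own. It goes slightly beyond the post by also checking the subdomain policy (sp=), since a p=reject record with sp=none leaves subdomains spoofable.

```python
# Constructed DMARC TXT records, as they would be published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "weak-subdomains.example": "v=DMARC1; p=reject; sp=none",
    "missing.example": "",  # no _dmarc record published at all
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into its tag=value pairs (RFC 7489, section 6.3)."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def policy_status(txt: str) -> str:
    """Classify the organizational-domain policy of a DMARC record."""
    tags = parse_dmarc(txt)
    # Receivers ignore a record that lacks v=DMARC1 or the mandatory p= tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "no-dmarc"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # this example falls back to the default rather than discarding the record
    if policy in ("reject", "quarantine"):
        # pct < 100 means a share of spoofed mail is still delivered as if p=none.
        return "enforcement" if pct >= 100 else "partial-enforcement"
    return "monitoring"  # p=none: aggregate reports only, spoofed mail is delivered


def subdomain_policy(txt: str) -> str:
    """Effective policy for subdomains: sp= if present, otherwise p= (RFC 7489, section 6.3)."""
    tags = parse_dmarc(txt)
    return tags.get("sp", tags.get("p", "none")).lower()


def assess(records: dict) -> dict:
    """Summarise each domain as (organizational policy status, subdomain policy)."""
    return {domain: (policy_status(txt), subdomain_policy(txt)) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, (status, sp) in assess(SAMPLE_RECORDS).items():
        print(f"{domain:26} {status:20} subdomains={sp}")
```

To run this against a real domain, fetch the TXT record at _dmarc.<domain> with your DNS resolver and pass the string to policy_status; only p=reject or p=quarantine with pct at 100 (the default) counts as enforcement, and the subdomain policy deserves the same check.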
By focusing on sender identity and blocking emails that originate from unauthenticated sources, we can stop Coronavirus-themed phishing attacks in their tracks.
Find out more about how Valimail can stop lookalike-domain attacks.