The Coronavirus Disease 2019 (COVID-19) pandemic is a topic that is frequently discussed in the news, at work, and at home. It is also a common topic or theme in cyberattacks. “Coronavirus-themed attacks are dominating the threat landscape in a way that is nearly unprecedented,” according to the Proofpoint Threat Research Team. “More than 80 percent of the threat landscape is using coronavirus themes in some way.”
Here are three real-life examples of Coronavirus-themed phishing emails that cybercriminals sent specifically to businesses:
Across the world, companies in the manufacturing, service, and transportation industries have been shutting down their operations to slow down the spread of the coronavirus. As a result, COVID-19 is causing not only a medical crisis but also an economic one.
Cybercriminals have been adapting their phishing emails to reflect this new reality. For example, in one campaign, the lure to get recipients to open a malicious email attachment was the promise of information about COVID-19’s impact on global shipping.
The hackers sent the phishing emails to companies in industries that were particularly affected by disruptions in global shipping. For example, they were sent to companies in the transportation, manufacturing, and pharmaceutical industries.
The email’s attachment was a Microsoft Word document that contained code to exploit a vulnerability in Microsoft Office 2007, Office 2010, Office 2013, and Office 2016. Anyone who opened the document on a computer running an unpatched version of Office 2007/2010/2013/2016 had their machine infected with information-stealing malware named AZORult.
A cybercrime group called Ancient Tortoise has incorporated a coronavirus twist in its Business Email Compromise (BEC) scams. Cybercriminals use these sophisticated email attacks to con companies out of sensitive data and money.
In its BEC scams, Ancient Tortoise typically impersonates a legitimate supplier. It sends out payment requests to that supplier’s customers (which are other companies), having them remit their payments to an alternate, fraudulent account. To get the information it needs for the payment requests, Ancient Tortoise typically cons suppliers into providing accounts receivable aging reports — documents that list customers’ unpaid-invoice balances along with information on how long those invoices have been outstanding.
Here is how the coronavirus version of this scam works: After performing recon to learn about the supplier being targeted, Ancient Tortoise makes the initial contact. Posing as one of the supplier’s executives (usually the chief financial officer), it sends an email to an accounts receivable staff member. The email requests an aging report as well as the contact information for each customer listed in it. To avoid raising suspicion, Ancient Tortoise does not ask the staff member to provide or change any payment account information.
Ancient Tortoise then contacts the customers in the aging report, requesting payment of their outstanding invoices. The emails note that “Due to the news of the Coronavirus disease (COVID-19) we are changing banks and sending payments directly to our factory.” The customers are instructed to let the email sender know when they are ready to pay their invoices. When the customers do, Ancient Tortoise provides the details for its fraudulent bank account.
In the past, few non-healthcare companies had written policies on how to handle communicable disease outbreaks. That is now changing as a result of the coronavirus pandemic. Cybercriminals are aware of this development, so they are sending phishing emails about these policies to businesses.
For instance, one phishing email read:
Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy. This policy is part of our organizational preparedness and we require all employees to read and acknowledge the policy before [date]. If you have any questions or concerns regarding the policy, please contact [company name] Human Resources.
Employees who clicked the link provided had malicious software installed on their computers.