Normally we try to allow our personalities to shine through our posts, but we are living in abnormal times. The coronavirus (COVID-19) is a pandemic and is affecting everyone and everything. As if worrying about whether or not you will live or die isn’t enough, criminals began capitalizing on the worry and confusion surrounding this threat very quickly.
This quote from Rahm Emanuel holds true for those looking to make changes for the greater good just as it does for cybercriminals who hope to steal money and data. We have been tracking the use of the coronavirus lure since its beginning. We first saw signs that it might be used as a lure when the Emotet botnet repurposed a single Japanese-language email that contained references to COVID. While that email was not necessarily intended to exploit the pandemic threat, it did bring the theme to our attention, as well as to the attention of a number of Japanese speakers working in cybersecurity.
The beginning of January was dominated by the return of Emotet and its close friends, Trickbot and Ryuk. While Emotet was making the headlines, crafty actors began to realize that they may be able to gain some market share by shifting from the normal invoice themes. One of our first examples of an intentional use of COVID as a lure was back on Jan 31st with a sender of cdc-gov[.]org. This example leveraged a popular service to host a credential phishing page.
Since that time, an explosion of templates has occurred. You can see a selection of those here: https://cofense.com/solutions/topic/coronavirus-infocenter/
We’d like to point out some open source resources for our readers to look at to help defend against this growing threat to their remote workers:
We wish you all the best and hope that you stay safe, both in the real world and on the wire.