In COVID-19 Scam Scramble, Cybercrooks Recycle Phishing Kits


Old phishing kits are being pressed into service to keep up with the unprecedented volume of new scams that exploit the pandemic.

Phishing attacks looking to take advantage of interest and fear around the COVID-19 health crisis are becoming a pandemic themselves – and apparently cybercriminals are looking to conserve resources by leaning on their older stockpiles of weapons to keep the infection wave going.

Or Katz, a researcher at Akamai, said in a posting on Thursday that older phishing kits that were previously deployed and then retired are being pressed back into service in order to target those working from home. In fact, Akamai researchers have seen recycled phishing kits from as far back as July being used in coronavirus-based phishing attacks now.

Millions of Americans are telecommuting due to self-isolation, mandated quarantine or corporate policies as coronavirus infections continue to spike. Akamai’s team, like many others in the security community, has recently observed phishing attacks that start with SMS messages or emails that direct victims to domains “seemingly related to COVID-19 news, governmental updates, or health-related products and services.”

In the latest attacks, which have been seen globally, victims that click the link are directed to one domain and then immediately redirected to yet another. The second domain spoofs big brands like Microsoft, Orange France and eBay, or health resources such as the World Health Organization or local medical experts.

“By pretending to be an insurance company, bank, medical expert or other trusted brand, criminals are convincing victims to trust them,” Katz wrote. “Once trust is established, the criminal is betting on the victim doing as asked, by opening malicious attachments, following malicious links, and releasing sensitive personal information, in order to enable access to critical applications and services.”

While most of these URLs are new (Katz said that dozens of new coronavirus-based domains are being deployed each day), the phishing kits that operate in the background are not.

In February, just 19 domains using one of the phishing kits in circulation were reused tools. In contrast, in March, 43 of them were recycled – a much higher rate than any of the 15 months previous. And already, in just the first two days of April, a full 26 domains using one of the in-use kits are old weapons.


Phishing kit reuse over time. Source: Akamai

“The recycling and repurposing of phishing kits themselves are indicative of the turnkey, industrial nature of the phishing industry,” Katz said. The upside, however, is that the known fingerprint of the older kits makes defenders’ jobs a bit easier, in theory.

COVID-19 Dominates the Cybercrime Scene

The novel coronavirus (and the COVID-19 disease that it causes) has emerged as a primary cybercrime theme in the last few weeks as the pandemic takes hold globally.

Just this week for instance, Nokia’s Threat Intelligence Lab has analyzed new campaigns that include a trojan targeting Windows that mimics a real map of confirmed COVID-19 cases (and then steals user data); and the CovidLock Android ransomware, which is an Android app that pretends to give users a way to find nearby COVID-19 patients. Instead, the app locks the device and asks the user to pay $250 in ransom via Bitcoin. Nokia also spotted an Android coronavirus safety-mask SMS scam – an app pretending to help users find safety masks, while in reality stealing contacts and SMS messages.

The banking trojan known as Zeus Sphinx meanwhile was recently spotted joining the growing fray of COVID-19-themed phishing and malspam campaigns, using a government-assistance lure.


A typical scam/phishing lure. Source: @HaltonPolice

And, cybercriminals are now hijacking routers and changing Domain Name System (DNS) settings, in order to redirect victims to attacker-controlled sites promoting fake coronavirus information apps. If victims download these apps, they are infected with information-stealing Oski malware.

To boot, Cisco has been monitoring adversary activity and has seen a surge in Internet requests to domains that include the over the past two months. Cisco Talos recently stated that it has observed a significant increase in phishing attacks leveraging COVID-19, as well as recent economic stimulus information from the US Government.

Also notable: The Cisco Umbrella product team on Wednesday released telemetry numbers on malicious domains related to the keywords “covid” and “corona” – it found that enterprise customers made 562,144 queries to 8,080 unique domains containing these keywords in mid-February. A month later, in March, the company saw a whopping 1,907% increase in requests to such sites, across 47,059 domains containing the keywords. Out of those, 4 percent (1,882 of them) were blocked as malicious sites.
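The same measurements (queries, unique domains and month-over-month growth for the keywords “covid” and “corona”) can be taken from an organization's own resolver logs. The sketch below is an added example, not Cisco's or Akamai's code; the log layout, the `.example` domains and the function names are constructed for illustration.

```python
from collections import defaultdict

KEYWORDS = ("covid", "corona")  # the two keywords named in the article

# Constructed sample resolver log, "date client qname" (not real telemetry).
SAMPLE_LOG = """\
2020-02-14 10.0.0.5 covid-updates.example.
2020-02-14 10.0.0.7 www.example.org.
2020-03-16 10.0.0.5 COVID-updates.example.
2020-03-16 10.0.0.9 corona-masks.example.
2020-03-17 10.0.0.9 shop.corona-masks.example.
2020-03-17 10.0.0.4 mail.example.net.
2020-03-18 10.0.0.2 covid19-relief.example.
malformed line
"""

def normalize(qname):
    """Lowercase the query name and drop the trailing root dot."""
    return qname.strip().rstrip(".").lower()

def base_domain(domain):
    """Assumption: last two labels. Production code needs the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def summarize(log_text, keywords=KEYWORDS):
    """Per month: query count and unique base domains whose name has a keyword."""
    stats = defaultdict(lambda: {"queries": 0, "domains": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip lines that do not fit the layout
            continue
        date, _client, qname = parts
        domain = normalize(qname)
        # A keyword hit is a triage signal, not a verdict: in the figures
        # above only 4 percent of matching domains were blocked as malicious.
        if any(k in domain for k in keywords):
            month = date[:7]
            stats[month]["queries"] += 1
            stats[month]["domains"].add(base_domain(domain))
    return {m: {"queries": s["queries"], "domains": sorted(s["domains"])}
            for m, s in stats.items()}

def percent_increase(before, after):
    """Growth in percent, or None when there is no baseline to compare to."""
    if before == 0:
        return None
    return (after - before) / before * 100.0
```

Matching domains still need a reputation or content check before blocking, since substring hits also catch unrelated names that happen to contain “corona”.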

“Criminals have started spreading ransomware and other malware via [coronavirus-themed] email, SMS messages and malicious apps,” Katz wrote. “Others are running scam stores and offering to sell COVID-19 testing kits and related medical supplies. As people transition away from office life to a work-from-home program, criminals recognize that such situations create valuable attack surfaces and are working to take advantage.”

