‘Hack-For-Hire’ Firms Spoof WHO To Target Google Credentials

Google TAG report reveals that “hack for hire” firms are tapping into the coronavirus pandemic via WHO phishing lures.

“Hack-for-hire” organizations are the latest group of cybercriminals to take advantage of the ongoing coronavirus pandemic, using COVID-19 as a lure in phishing emails bent on stealing victims’ Google credentials.

Researchers with Google’s Threat Analysis Group (TAG) warned that they’ve spotted a spike in activity from several India-based firms that have been creating Gmail accounts that spoof the World Health Organization (WHO) to send coronavirus-themed phishing emails.

“The lures themselves encourage individuals to sign up for direct notifications from the WHO to stay informed of COVID-19 related announcements, and link to attacker-hosted websites that bear a strong resemblance to the official WHO website,” according to Shane Huntley, in Google’s TAG bulletin for the first quarter of 2020.

These websites host fake login pages that then convince victims to hand over their Google account credentials and personally identifiable information (PII), like their phone numbers.

The accounts have largely targeted business leaders in financial services, consulting and healthcare corporations within numerous countries, including the U.S., as well as Bahrain, Canada, Cyprus, India, Slovenia and the U.K.

Over the last months, Google said they sent 1,755 warnings to users whose accounts were targets of government-backed attackers in coronavirus-related campaigns. These included attacks from advanced persistent threat (APT) group Charming Kitten on medical and healthcare professionals, including WHO employees. The WHO in particular has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with a doubling of attacks recently, according to officials there. That includes recent reports that the DarkHotel APT group has tried to infiltrate its networks to steal information.

“Generally, 2020 has been dominated by COVID-19. The pandemic has taken center stage in people’s everyday lives, in the international news media, and in the world of government-backed hacking,” said Huntley.

YouTube-Based Campaigns

Another top trend that researchers highlighted as part of their Q1 2020 TAG bulletin is a spike in influence campaigns launched via YouTube, Google AdSense, Google Play and advertising accounts.


This includes a coordinated influence operation that was disbanded in February, leading to the termination of 82 YouTube channels and one advertising account. The campaign was linked to Egypt, sharing political content in Arabic supportive of Bahrain, Egypt, Saudi Arabia and the UAE, and critical of Iran and Qatar. Another March influence campaign, linked to India, led to the termination of three advertising accounts, one AdSense account, and 11 YouTube channels. The campaign was sharing messages in English supportive of Qatar, according to Google.

Huntley said that since March, Google has removed more than a thousand YouTube channels that are believed to be part of a large campaign and that were behaving in a coordinated manner.

“These channels were mostly uploading spammy, non-political content, but a small subset posted primarily Chinese-language political content similar to the findings of a recent Graphika report,” said Huntley.
