Hackers Exploit Post-COVID Return to Offices

Spoofed CIO ‘pandemic guideline’ emails being used to steal credentials.

With COVID-19 restrictions lifting and workers trickling back to offices, threat actors are sharpening their spear phishing ploys. The latest scam includes pelting recipients with emails purportedly from their CIOs welcoming employees back into offices.

The emails outline a company’s post-pandemic cubicle protocols while attempting to steal company and personal credentials. “The body of the email appears to have been sent from a source within the company, giving the company’s logo in the header, as well as being signed spoofing the CIO,” Cofense outlined in a Thursday report.

The fake newsletter explains that return-to-work procedures are forcing employees to take new precautions relative to the pandemic, according to the researchers.

COVID Scam Targets Credentials

The spoofed CIO email prompts victims to follow a link to a fake Microsoft SharePoint page with two company-branded documents, both outlining new business operations. In this step the victim is not prompted to input any credentials.

“Instead of simply redirecting [victims] to a login page, this additional step adds more depth to the attack and gives the impression that they are actual documents from within the company,” according to the report.

However, if a victim clicks on either document, a login panel appears and prompts the recipient to provide login credentials to access the files.

“This is uncommon among most Microsoft phishing pages where the tactic of spoofing the Microsoft login screen opens an authenticator panel,” the report said. “By giving the files the appearance of being real and not redirecting to another login page, the user may be more likely to supply their credentials in order to view the updates.”

Another twist on the tactic serves up the message “Your account or password is incorrect” several times before taking the victim to an authentic Microsoft page, making them think they’ve successfully accessed the files.
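
Defenders can look for that sequence in web proxy logs: repeated credential submissions to a host outside the organization's Microsoft tenant, followed shortly by a visit to a genuine Microsoft sign-in page. The sketch below is an added example, not part of the Cofense report or the original article; the log format, host names, allowlist and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of genuine Microsoft sign-in hosts and trusted suffixes.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
TRUSTED_SUFFIXES = (".sharepoint.com", ".microsoft.com", ".microsoftonline.com")

# Constructed proxy log lines: ISO time, user, method, host, path.
SAMPLE_LOG = """\
2021-06-03T09:00:05 alice GET docs-portal.example.test /sites/return-to-office
2021-06-03T09:00:40 alice POST docs-portal.example.test /auth
2021-06-03T09:00:58 alice POST docs-portal.example.test /auth
2021-06-03T09:01:15 alice POST docs-portal.example.test /auth
2021-06-03T09:01:20 alice GET login.microsoftonline.com /
2021-06-03T09:05:00 bob POST tenant.sharepoint.com /_api/web
2021-06-03T09:05:02 bob POST tenant.sharepoint.com /_api/web
2021-06-03T09:05:10 bob GET login.microsoftonline.com /
2021-06-03T09:07:00 carol POST forms.example.test /submit
2021-06-03T09:30:00 carol GET login.microsoftonline.com /
"""

def is_trusted(host):
    """True for hosts on the assumed Microsoft allowlist."""
    return host in MS_LOGIN_HOSTS or host.endswith(TRUSTED_SUFFIXES)

def find_suspect_sessions(log_text, min_posts=2, window=timedelta(minutes=2)):
    """Return sorted (user, host, post_count) tuples where a user sent
    repeated POSTs to an untrusted host and then reached a real Microsoft
    sign-in page inside the time window."""
    posts = defaultdict(list)  # (user, host) -> POST times to untrusted hosts
    hits = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, user, method, host, _path = parts
        when = datetime.fromisoformat(ts)
        if method == "POST" and not is_trusted(host):
            posts[(user, host)].append(when)
        elif host in MS_LOGIN_HOSTS:
            # Landed on a real Microsoft page: look back for repeated POSTs.
            for (u, h), times in posts.items():
                recent = [t for t in times if timedelta(0) <= when - t <= window]
                if u == user and len(recent) >= min_posts:
                    hits.add((u, h, len(recent)))
    return sorted(hits)

if __name__ == "__main__":
    for user, host, count in find_suspect_sessions(SAMPLE_LOG):
        print(f"review {user}: {count} POSTs to {host} before Microsoft sign-in")
```

Any account flagged this way is a candidate for a password reset and session revocation, since the credentials were submitted before the redirect.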

Exploitation of COVID-19

With over half of U.S. adults now having received at least one vaccine shot, more employees are going back to work. HR consultancy Mercer reports 61 percent of enterprise employers hope to have half or more of their workforce back in the office by the end of the third quarter of 2021. Bellwether firms Microsoft and Google, for example, have already begun a measured process of repopulating their office cubicles with on-premises staff.

This certainly isn’t the first time attackers have used COVID-19 to their advantage.

Vaccine-related spear phishing attacks spiked 26 percent between Oct. 2020 and Jan. 2021, just as the life-saving drugs were being rolled out. Healthcare organizations and hospitals have been specifically targeted as they’ve been crushed under the weight of the pandemic. Between Jan. 2020 and Sept. 2020, 10 percent of all organizations targeted by ransomware were hospitals or medical organizations.

Just last month, as governments rolled out pandemic relief payments, attackers used fake U.S. aid payments to deliver Dridex malware.

“COVID-19 has given us a window into how hackers can exploit human vulnerabilities during a crisis, with healthcare and pandemic-related attacks prevalent in 2020,” Sivan Tehila with Perimeter 81 wrote recently for Threatpost.

Cybercriminals thrive on change and only become emboldened by it, rolling out new cybercrime offenses to exploit trending news events, she said.
