Top Email Protections Fail in Latest COVID-19 Phishing Campaign

An effective spoofing campaign promises users important information about new coronavirus cases in their local area, scooting past Proofpoint and Microsoft Office 365 ATPs.

Threat actors continue to capitalize on fears surrounding the spread of the COVID-19 virus through a surge in new phishing campaigns that use spoofing tactics to effectively evade Proofpoint and Microsoft Office 365 advanced threat protections (ATPs), researchers have found.

The Cofense Phishing Defense Center (PDC) discovered new phishing attacks that use socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area, according to a blog post published Tuesday by Cofense researcher Kian Mahdavi.

The emails evade basic security checks and user common sense in a number of ways, to circumvent detection and steal the user’s Microsoft log-in credentials, he said. They also don’t include specific names or greetings in the body of the messages, suggesting they are being sent out to a broad target audience, according to Cofense.

“While these secure email gateways (SEGs) are designed to safeguard end users from clicking on malicious links and attachments, both failed in a new phishing attack we recently observed,” Mahdavi wrote in the post.

To evade detection by ATPs, the threat actor impersonates the domain splashmath[.]com, an online learning game for children, using a spoofed IP address located in the United States, 167[.]89[.]87[.]104. Upon further examination, however, the emails, sent to a number of people, didn’t come from the spoofed address, but rather an IP corresponding with the Lithuanian city of Kaunas (a situation that also points to a single individual being behind the campaign, the researcher said).

“[Because of the proxy], the email slipped past basic security checks, such as DKIM and SPF,” Mahdavi wrote.

DKIM, or DomainKeys Identified Mail, is a standard meant to ensure that the content of your emails remains trusted and hasn’t been tampered with or compromised. SPF, or Sender Policy Framework, uses DNS records to restrict who can send emails on behalf of a given domain. Both were developed to prevent domain-spoofing.

Once the phishing emails get past the Proofpoint and Microsoft Office 365 ATPs, the actor spoofs the sender email address and uses keywords in the subject to trick the targeted victim into believing the emails come from a trusted source of information regarding COVID-19.

For instance, the words “WHO” and “community” in the email address (who[.]int-community[.]spread@splashmath[.]com) aim to fool the user into believing the World Health Organization (WHO) is sending the email, Mahdavi wrote.

The subject of the email, “HIGH-RISK: New confirmed cases in your city,” also is designed to trick users into thinking the message will offer vital information legitimately related to the novel coronavirus, he said.

“[This subject], followed by the spoofed WHO email address and display name, thus [make] it appear as if the sender is really from the World Health Organization,” Mahdavi wrote.
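As an added defender-side example (not code from Cofense or Threatpost), the checks below parse a constructed message modelled on the lures described above and flag the signals a mail-filter rule would care about: SPF/DKIM results that are not “pass”, a WHO brand token in the local part of an address whose domain is unrelated, a display name claiming WHO, and the urgency subject. All addresses, domains and header values are constructed for the example.

```python
import email
import re

# Constructed sample message modelled on the campaign described in the article
# (the domains and authentication results are illustrative, not real indicators).
SAMPLE = """\
Authentication-Results: mx.example.test; spf=none smtp.mailfrom=example-sender.test; dkim=none
From: "World Health Organization" <who.int-community.spread@example-sender.test>
To: user@example.test
Subject: HIGH-RISK: New confirmed cases in your city

Read on to see the confirmed cases in your area.
"""

# Assumed brand tokens to watch for in the local part of the sender address.
LOOKALIKE_ORGS = ("who.int", "who-int")


def parse_auth_results(header):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or ""):
        results[m.group(1)] = m.group(2).lower()
    return results


def score_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    # 1. Sender authentication: anything other than an explicit pass is suspicious.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim"):
        if auth.get(mech, "none") != "pass":
            findings.append(f"{mech}={auth.get(mech, 'none')}")
    # 2. Brand token in the local part while the sending domain is unrelated.
    from_hdr = msg.get("From", "")
    m = re.search(r"<([^>]+)>", from_hdr)
    addr = (m.group(1) if m else from_hdr).strip().lower()
    local, _, domain = addr.partition("@")
    if any(org in local and not domain.endswith(org) for org in LOOKALIKE_ORGS):
        findings.append(f"lookalike local-part '{local}'")
    # 3. Display name asserts an organisation the domain does not belong to.
    display = from_hdr.split("<")[0].strip().strip('"').lower()
    if "world health organization" in display and not domain.endswith("who.int"):
        findings.append("display name claims WHO")
    # 4. Urgency wording in the subject line.
    if re.search(r"high-risk|confirmed cases", msg.get("Subject", ""), re.I):
        findings.append("urgency subject")
    return findings
```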

The email’s message also is socially engineered to take advantage of the current obsession with information about COVID-19, luring users by urging them to click on “Read on” to find out about cases in their local area.

Users may click on the words expecting to be directed to a link that would include updated documents by the WHO with that kind of information, the researcher said.

“However, the user is actually directed to a Microsoft branded credential phish to steal their Microsoft log-in information,” Mahdavi wrote.

Malicious links used in the campaigns observed by Cofense include:


These links also are deceptive to users in that they each show a “high-quality, spoofed Microsoft login page” once accessed, Mahdavi wrote.

Once a user clicks on one of these malicious redirects, his or her email address is attached within the URL of the webpage, which means the individual’s username automatically appears in the login box.

“Upon logging in, the user is under the impression he or she has been authenticated into a legitimate Microsoft website,” he said. “At this point, the user’s credentials are unfortunately in the hands of the threat actor.”

This latest campaign is one of many new cyber-attacks that have been created by threat actors and used in the last month as the spread of COVID-19 turned into an official pandemic and governments around the world began implementing lockdowns of local populations and businesses.

In addition to using promised information from the WHO to lure users in phishing emails, attackers also have been targeting the organization itself, with cyber-attacks on WHO doubling since the COVID-19 outbreak, officials said. In one recent attack, the DarkHotel APT group was blamed for trying to infiltrate WHO networks to steal information about coronavirus testing or potential cures.
