Cofense - Security Awareness Training & Email Threat Detection

Emergency Financial Aid Phish

Share This Article

Google Workspace (formerly G Suite) By Dylan Main, Cofense Phishing Defense Center

With widespread financial uncertainty and talks of further stimulus funding in the newsmany are desperate for some form of monetary relief. Threat actors have begun taking advantage of this desperation by creating campaigns tailored to these uncertain times. The Phishing Defense Center (PDC) has discovered a phishing attack that attempts to obtain personal information by exploiting hopes for economic relief.  

A visual representation of the Cofense phishing defense platform

Figure 1: Email Body 

The email itself presents itself as a reply to a filled-out contact form and attempts to get the recipient’s attention through a tone of familiarity. By beginning with “Thank you for contacting us,” the threat actor has made it appear as though the recipient had previously expressed interest in a third party by filling out the form with their email address. The message body then lures the victim with a link to details of an emergency grant of $5,800 available from the U.S. government. By appealing to the current fiscal concerns of many Americans, the threat actor wants to entice the target into clicking the “Read details” link. 

A screenshot of Cofense's threat analysis dashboard

Figure 2: Landing Page of Phish 

Clicking the link redirects to a detailed page that appears to be a legitimate federal government website (Figure 2). Unlike many campaigns, this one goes a step further in terms of attention to detail to make it look like a real government page. The threat actor has added several items to advance its validity, including financial statistics and a detailed outline of this “Emergency Financial Aid.” The page also has a button that allows the person interacting with it an option to verify their data to collect funds. 

A visual representation of Cofense's incident response process

Figure 3: Second Step of Phish 

Clicking the button takes the viewer to the actual phishing page, seen above in Figure 3. Much like the other page, it is detailed and is unlike generic phishing pages. This page asks the user to check compensation eligibility by providing their Social Security Number, address, date of birth and other personally identifiable information (PII). Another detail to note is the form gives a warning that checking another person’s data is strictly prohibited, adding to the seeming authority. By entering data into the requested fields and clicking the “Run Check” button, all of this private information is then sent to the threat actor. 

Fig4-1.jpg: Illustration of Cofense's cyber security solution.

Figure 4: Phishing Page 

The Cofense Phishing Defense Center has also identified a new phishing page that redirects from the same infection URL (Figure 4). This page is similar to the original phish; however, it uses the allure of tax relief for the current coronavirus pandemic to lure people into giving their personal information.   

Fig5.jpg: A visual representation of Cofense's threat intelligence platform.

Figure 5: Phishing Page 

As you can see above, Figure 5 resembles Figure 3 in that it collects PII. However, on this page, a chat window at the bottom right appears to simulate actual conversations between other users apparently excited about the potential tax relief. This is an interesting tactic and adds to the illusion of authenticity.  

Fig6.jpg: A diagram showing Cofense's phishing defense system.

Figure 6: Final Confirmation Page 

After data is entered into either of the two phishing pages, it redirects to a confirmation page thanking the victim for providing their information and promising them a prompt reply. This is just the last of many tricks the threat actor uses to trick the victim into believing that this application is legitimate. It shows that they will attempt to take advantage of any, and all, situations to gain confidential information. 

 Indicators of Compromise 

hXXps://gynexivo[.]page[.]link/HoMkDxuaa5hTwWtg6  172[.]217[.]15[.]110 
hXXp://ungodsirealnighchis[.]gq/us/protecting-americas-consumers-covid/  104[.]24[.]101[.]186 
hXXps://otasasbetiscu[.]tk/us/korona  172[.]67[.]168[.]232 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. 
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. 


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.