Cofense Email Security

Coronavirus Screening and Testing Phishing Emails, and a Sense of Urgency Among Employees

Cisco Ironport  By Ala Dabat, Cofense Phishing Defense Center

The Cofense PDC (Phishing Defense Center) has seen a continuous campaign by malicious actors exploiting the COVID-19 pandemic by using cleverly crafted phishingemail campaigns to harvest sensitive user data and spread malicious payloads across industry sectors.  

One such example seems to exploit the sense of urgency felt among employees for tests to screen for the COVID-19 virus. Recipients’ vulnerability is leveraged in attacks such as the one in Figure 1, a seeming Google form issued to employees by the targeted company(s). 

Graphical representation of phishing email volume and trends

Figure 1 

The aesthetics of this particular campaign are solid and simple enough to reach users in environments protected by secure email gateways (SEGs). 

The email appears to be from the target company and its legitimacy is reenforced by references to guidelines and protocols issued by the “United States Department of Health.” Employees are advised that these protocols will facilitate the screening process, a clever way to persuade recipients to hand over credentials and other sensitive information (Figure 2). 

Graphical representation of phishing email attack techniques

Figure 2 

In the above example, targeted users are redirected to a Google Doc landing page hosting the malicious website. A legitimate Googleregistered URL can often convince even security conscious users into handing over their information. 

Graphical representation of phishing email targets and industries

Figure 3 

Figure 3 shows that the threat actor is blending common screening questions with the request for sensitive credentials, possibly to divert recipients from the threat. 

Email Security threat intelligence and reporting dashboard

Figure 4 

Once the form has been completed, recipients are told to provide a digital signature to wrap up the fraudulent screening application and submit the data to a command-and-control server that stores the harvested information. 

Dashboard showing phishing email trends and statistics

Figure 5 

Indicators of Compromise 

Link  IP 
hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSdoUChSaN51UxKlyDMXUCOg6v5dMrqrcbDjFhX9LEFQ0zKWDQ/viewform?vc=0&c=0&w=1&flr=0&usp=mail_form_link 

 

172[.]217[.]9[.]206 

 

All third-party trademarks referenced byCofensewhether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship betweenCofenseand the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. 
   
TheCofense® and PhishMe® names and logos, as well as any otherCofenseproduct or service names or logos displayed on this blog are registered trademarks or trademarks ofCofenseInc. 

Share This Article
Facebook
Twitter
LinkedIn

Search

We use our own and third-party cookies to enhance your experience. Read more about our cookie policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.