Cisco Ironport By Ala Dabat, Cofense Phishing Defense Center
The Cofense PDC (Phishing Defense Center) has seen a continuous campaign by malicious actors exploiting the COVID-19 pandemic by using cleverly crafted phishing email campaigns to harvest sensitive user data and spread malicious payloads across industry sectors.
One such example appears to exploit the sense of urgency employees feel about being tested and screened for the COVID-19 virus. That vulnerability is leveraged in attacks such as the one in Figure 1: what appears to be a Google Form issued to employees by the targeted company (or companies).
The aesthetics of this particular campaign are solid and simple enough to reach users in environments protected by secure email gateways (SEGs).
The email appears to be from the target company, and its legitimacy is reinforced by references to guidelines and protocols issued by the “United States Department of Health.” Employees are advised that these protocols will facilitate the screening process, a clever way to persuade recipients to hand over credentials and other sensitive information (Figure 2).
In the above example, targeted users are redirected to a Google Doc landing page hosting the malicious website. A legitimate Google-registered URL can often convince even security-conscious users to hand over their information.
Figure 3 shows that the threat actor blends common screening questions with the request for sensitive credentials, possibly to divert recipients' attention from the threat.
Once the form has been completed, recipients are told to provide a digital signature to wrap up the fraudulent screening application and submit the data to a command-and-control server that stores the harvested information.
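As an added example that is not part of the original article, the following Python heuristic flags messages that combine the three traits described above: a Google Forms link, a COVID-19 screening lure, and a request for credentials or a signature. Both sample messages are constructed for this example; the form IDs are placeholders, not indicators from the campaign.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above (placeholder form ID).
SAMPLE_EML = """From: HR <hr@example-company.test>
To: staff@example-company.test
Subject: Mandatory COVID-19 screening form
Content-Type: text/plain; charset=utf-8

Per United States Department of Health guidelines, all employees must
complete the screening form below. Sign in with your company password
and provide a digital signature to submit.
https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID/viewform
"""

# Constructed benign message: a Google Form link without the lure or credential ask.
BENIGN_EML = """From: Social Committee <social@example-company.test>
To: staff@example-company.test
Subject: Team lunch preferences
Content-Type: text/plain; charset=utf-8

Please pick a restaurant for Friday:
https://docs.google.com/forms/d/e/PLACEHOLDER_LUNCH_ID/viewform
"""

LURE_TERMS = ("covid", "screening", "department of health")
CREDENTIAL_TERMS = ("password", "sign in", "login", "username", "digital signature")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def body_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def hosted_form_links(text: str) -> list:
    """Return links whose host is docs.google.com and whose path is a Forms path."""
    return [u for u in URL_RE.findall(text)
            if urlparse(u).netloc.lower() == "docs.google.com"
            and urlparse(u).path.startswith("/forms/")]

def analyze(raw: str) -> dict:
    """Flag a message only when all three traits co-occur, to limit false positives."""
    msg = message_from_string(raw)
    text = (msg["Subject"] or "") + "\n" + body_text(msg)
    lower = text.lower()
    forms = hosted_form_links(text)
    lure = [t for t in LURE_TERMS if t in lower]
    creds = [t for t in CREDENTIAL_TERMS if t in lower]
    verdict = "suspicious" if forms and lure and creds else "clean"
    return {"forms": forms, "lure_terms": lure, "credential_terms": creds, "verdict": verdict}
```

A production rule would also consider the sender's relationship to the domain and whether the form host has ever been seen from that sender before; the keyword lists here are deliberately small.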
Indicators of Compromise