Covid-19 Fears Present Opportunities for New Phishing Campaigns

Threat actors have jumped aboard the global coronavirus bandwagon in an attempt to capitalize on this global health emergency. Whenever public emotions are running high, cybercriminals try to take advantage of human curiosity, fear, anxiety, and the instinct to react with a sense of urgency.

Always ready, attackers employ scareware tactics during holidays, major sporting events, tax deadlines, industry conferences, and many other highly publicized events to capture personal information and sensitive documents for financial gain.

So when the World Health Organization declared the coronavirus a public health emergency of international concern, the headline grabbed attention around the planet. With much of the world impacted by the unprecedented worldwide pandemic, its the perfect draw for any threat actor. Today there are reports of coronavirus related phishing in the US, UK, Western Europe, India, China, Japan, and other parts of Asia.

There are a wide variety of different coronavirus related scams, attack vectors, and payload variations that have surfaced. Still, credential stealing as the phishing payload and email the initial attack vector is the method of choice so far. Emails with a link to a credential stealing site is a pattern we see regularly. It’s the most popular method threat actors use because it often evades traditional security tools and delivers a higher response rate.

Let’s take a look at what threats look like with coronavirus related credential stealing URLs that SlashNext has detected recently. Including several that are using variations of coronavirus domains to lure targets and exploit them into entering logins and passwords.

The most common is an information and news alert communication that uses a fake login page for credential stealing. In this case it was a social media login for Instagram.

This was a more advanced version of credential stealing asking for a selfie picture submission of an ID photo to confirm identity for PayPal.

Online banks and financial transactions are a big target in credential stealing scams.


Each has a coronavirus related domain or URL variation that cybercriminals used to take advantage of users fears and lure them into submitting information that can be exploited by criminals for personal gain.

Several other prominent security organizations have also reported discovering different coronavirus phishing campaigns including the following examples.

A coronavirus specific email campaign using fake Centers for Disease Control and Prevention (CDC) related domains claiming to have information about new cases locally and asking for Bitcoin donations to fund research.

An imposter email campaign that appears to come from the World Health Organization (WHO) with a link that takes targets to a site looking like it’s from the WHO. But rendered in a frame that is embedded on the fake site is a form asking for email and password confirmation (see below). After the credential stealing form is filled out and submitted, victims are redirected to the legitimate WHO site.

Another campaign asks targets to submit and verify their phone number to login to a site claiming to be from the World Health Organization (WHO).

Needless to say, once a user enters this information, they’ve been phished… their personal credentials can now be used by threat actors to steal or leverage personal data or financial information.

These are great examples of why URL scanning is simply ineffective at threat identification. The two instances we found take advantage of coronavirus related URL variations to confuse targets and others imitate well known health organizations to fool users and play on their emotions. So how do you protect your employees from falling victim?

What Else Can You Do?

Another way to help protect your employees is SlashNext URL Analysis and Enrichment solution. It dives deeper than typical URL scanning and looks beyond the URL to the content on the page itself. Going beyond the URL to perform runtime behavioral analysis on suspicious URLs/webpages using patented, cloud-powered SEER™ threat detection technology, can spot underlying phishing threats. SEER uses virtual browsers to dynamically analyze page content (images, text etc.) and server behavior. Mature machine learning algorithms enable definitive, binary verdicts (not threat scores) with >99.95% precision.

In addition to going beyond a simple URL scan, URL Analysis and Enrichment is fully automated and needs no manual intervention. You just submit URLs through your SOAR platform and get accurate, binary verdicts, quickly. This helps save time and money by eliminating countless hours of analysis and further research on inconclusive results. And by enriching the URLs with a definitive verdict, plus forensics data (including screenshots, HTML, and rendered text combined with reporting artifacts), it speeds up while simplifying the phishing IR processes and reporting.

Free 6-Month Licenses of SlashNext Mobile and Browser Phishing Protection

Because of this spike in COVID-19 phishing threats, SlashNext is offering free 6-month licenses of our new Mobile and Browser Phishing Protection end point solutions to help organizations immediately start protecting their workforce during this crisis. The set-up is quick, and deployment is easy with lightweight browser extensions (Windows, MacOS, ChromeOS, and Linux) and lightweight agents for iOS and Android. This is an opportunity to block these new threats and prevent your employees from clicking through and reaching bad URLs whether they are working remotely or in the office.

To find out how you can eliminate the threat of these coronavirus scareware attacks, contact us and request a demo today.

It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.