Proofpoint researchers have observed an emerging trend of credential phishing and social engineering lures around COVID-19 financial relief. These campaigns use the promise of payments by global governments and businesses (specifically financial institutions) aimed at easing the economic impact of the ongoing pandemic to urge users to click links or download files.
In this credential phishing update on payment-related lures, we highlight a few campaign examples targeting recipients in the U.S., the UK, and Australia.
Government-Themed Attacks
Credential Phish: Trump Administration Covid-19 Check for Most Americans
Key Points: This medium-sized credential phish campaign primarily targeted U.S. healthcare and higher education organizations with a message claiming that the Trump administration is considering sending most American adults a check to help stimulate the economy. The email asks recipients to verify their email account through a malicious link that directs them to a phishing page.
Figure 1 US Payroll COVID-19 Relief Lure
Government-Themed Attacks Summary:
This medium-sized credential phishing campaign primarily targeted the United States and was largely sent to healthcare and higher education organizations. Secondary targeting for this campaign includes the technology industry, including information security companies. The messages are notable for their crude design: they contain clear grammar and usage errors, and the credential phishing page is a basic webpage clearly branded by a free website builder.
The email notes that “the Trump administration is considering sending most American adults a check for $1,000 as part of the efforts to stimulate the economy and help workers whose jobs have been disrupted by business closures because of the pandemic”.
Recipients are directed to verify their information for the “new payroll directory” by clicking the malicious link in the email.
If the recipient clicks the link, they are taken to the phishing page which asks for their domain\username, email address and password as shown in Figure 2.
Figure 2 US Payroll COVID-19 Relief Credential Phishing Page
Credential Phish: Australian Government Coronavirus/COVID-19 Tax Relief
Key Points: This campaign claims to be sent by a major Australian newspaper and uses subject lines such as "Government announces increased tax benefits in response to the Coronavirus." The messages contain a .PDF attachment with an embedded URL that leads to a OneDrive-branded credential phishing page.
Figure 3 Australian COVID-19 Tax Benefit Lure
Credential Phish: Australian Government Summary:
The emails within this campaign claim to be delivered by a major newspaper in Australia. Figure 3 shows that they are actually sent from an address under the Romanian top-level domain (.ro). To appear authentic, the message includes supposed contact information for the paper and notes that they are “…happy to advise that we have now moved back to” the address provided. It’s notable that the address in the email does not match the newspaper being spoofed.
The email claims that the “Government has released its stimulus package in response to the Coronavirus outbreak” and encourages the recipient to open the malicious attachment for more details.
The attachment is an Adobe .PDF document with spoofed Microsoft OneDrive branding that informs users that “Your document is waiting for you” and encourages them to click the embedded link as shown in Figure 4.
Figure 4 Australian COVID-19 Tax Benefit Malicious Attachment
After clicking the link, the recipient is taken to a page that asks for their Microsoft OneDrive credentials.
Credential Phish: WHO-IMF “Relief Compensation” Steals Emails and Passwords
Key Points: This small email campaign targets technology and IT organizations with a subject line of "COVID 19 : Relief Compensation." It claims to come from the World Health Organization (WHO) and the International Monetary Fund (IMF) and says the recipient has “been randomly selected to be compensated financially due to the outbreak of the COVID-19 Epidemic outbreak” with a malicious Microsoft Excel branded attachment that gathers emails and passwords.
Figure 5 Fake WHO and IMF Compensation Lure
WHO Credential Phish Summary:
This small email campaign targets technology and IT companies and arrives with a subject line of "COVID 19 : Relief Compensation." It claims to come from the World Health Organization (WHO) working with the International Monetary Fund (IMF). It tells the recipient that they have “been randomly selected to be compensated financially due to the outbreak of the COVID-19 Epidemic outbreak”. It goes on to say that the recipient will be “paid through our paying center in london [SIC] for your compensation payment from the International Monetary Fund Office treasury account.” To obtain these funds, the recipient is instructed to “view the attached file to print your winning confirmation.”
The attachment is a malicious HTML file titled "COVID18-COMPENSATION.html" (note the typo: “COVID18” rather than “COVID19”). When the attachment is opened, it displays a fake Microsoft Excel-branded page that asks for the recipient’s email and password, as shown in Figure 6.
Figure 6 Fake WHO and IMF Compensation Malicious Attachment
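The Australian newspaper and WHO/IMF lures above share three defender-visible tells: relief-themed subject wording, a sending domain that does not belong to the brand the mail claims to be from, and an attachment that either carries an embedded link (the PDF) or renders a credential form (the HTML file). The triage function below, an added example that is not part of Proofpoint's post or tooling, checks constructed sample messages for those tells; all message contents, domain names and the `BRANDS` allowlist are made up for the example.

```python
import re

# Lure vocabulary taken from the subject lines quoted in the post (constructed regexes).
THEME = re.compile(r"\b(covid|coronavirus)", re.I)
HOOK = re.compile(r"\b(relief|compensation|cash|stimulus|check|tax benefit)", re.I)
# A password field in an HTML attachment is the tell of the fake Excel sign-in page.
PASSWORD_INPUT = re.compile(rb"<input[^>]*type\s*=\s*['\"]?password", re.I)
# Link annotation in an uncompressed PDF object (the OneDrive-branded PDF lure).
PDF_LINK = re.compile(rb"/URI\s*\(\s*https?://")

def triage(msg, brand_domains):
    """Return the reasons a message matches the relief-lure pattern (empty list = clean)."""
    reasons = []
    text = msg["subject"] + " " + msg["body"]
    if THEME.search(text) and HOOK.search(text):
        reasons.append("covid relief lure language")
    brand = msg.get("claimed_brand")
    if brand:  # the sending domain must belong to the brand the mail claims to come from
        dom = msg["from"].rsplit("@", 1)[-1].lower()
        if not any(dom == d or dom.endswith("." + d) for d in brand_domains.get(brand, ())):
            reasons.append(f"sender domain {dom} does not belong to {brand}")
    for name, data in msg.get("attachments", ()):
        if name.lower().endswith((".html", ".htm")) and PASSWORD_INPUT.search(data):
            reasons.append(f"HTML attachment {name} contains a password form")
        elif name.lower().endswith(".pdf") and PDF_LINK.search(data):
            reasons.append(f"PDF attachment {name} carries an embedded link")
    return reasons

# Constructed samples modelled on the Australian newspaper and WHO/IMF lures described above.
BRANDS = {"Example Daily": {"exampledaily.com.au"}}
SAMPLES = {
    "au_tax": {"from": "news@exampledaily.ro", "claimed_brand": "Example Daily",
               "subject": "Government announces increased tax benefits in response to the Coronavirus",
               "body": "Government has released its stimulus package.",
               "attachments": [("details.pdf", b"%PDF-1.4 /Annot /URI (https://phish.example/onedrive)")]},
    "who_imf": {"from": "relief@who-example.invalid", "subject": "COVID 19 : Relief Compensation",
                "body": "View the attached file to print your winning confirmation.",
                "attachments": [("COVID18-COMPENSATION.html",
                                 b"<form><input name=email><input type=password name=pw></form>")]},
    "benign": {"from": "it@exampledaily.com.au", "claimed_brand": "Example Daily",
               "subject": "Office closed Friday", "body": "See you Monday.", "attachments": []},
}

def run_samples():
    """Run the triage over every sample; returns {sample_name: [reasons]}."""
    return {name: triage(m, BRANDS) for name, m in SAMPLES.items()}
```

The PDF check only sees uncompressed link annotations; production tooling would decompress object streams first.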
Credit Card-Themed Attacks
Credential and Credit Card Phish: "Claim Your Covid-19 Cash" for Major U.S. Credit Card
Key Points: The message below is part of a small email campaign that attempts to steal user IDs, passwords, and credit card numbers. It targets information security and technology organizations and uses the subject line "Claim Your Covid-19 Cash." To increase credibility, it claims to come from a major United States credit card company and promises to waive late fees and issue a credit of up to US $5,000.
Figure 7 Major US Credit Card "Claim Your COVID-19 Cash" Lure
Credit Card-Themed Attacks Summary:
This small email campaign targets information security and technology organizations and arrives with a subject line of "Claim Your Covid-19 Cash." It claims to come from a major United States credit card company and abuses that company's branding extensively. The email indicates that “[l]ate payment fee waived and a credit of up to $5000 has been assigned to you [the recipient] due to the COVID-19 pandemic.” The email also contains a “Claim Now” link that takes the recipient to a spoofed page for the credit card company that attempts to steal the user's ID, password, email, credit card number, and other details.
Credit Card Phishing: Major UK Bank “COVID-19 Relief measures”
Key Points: If recipients click the link in the COVID-19 relief message below, threat actors can steal their personal information and credit card numbers. This is part of a large email campaign targeting manufacturing, technology, transportation, healthcare, aerospace, retail, energy, business services, and hospitality companies. It claims to be from a major United Kingdom bank and offers 300 SGD (Singapore dollars, approximately US$210).
Figure 8 Major UK Bank "COVID-19 Relief Measures" Lure
UK Bank Credit Card Phishing Summary:
This is a large email campaign primarily targeting manufacturing, technology, and transportation companies, but also healthcare, aerospace, retail, energy, business services, and hospitality companies.
This campaign claims to be from a major United Kingdom bank with global customers and spoofs its branding. These emails have a subject line of "COVID-19 Relief measures : FINANCIAL SUPPORT WITH" followed by the bank's name. The body of the message tells the recipient that the bank “care[s] about the well-being of our customers and community. To ease your financial burden during this COVID-19 outbreak, we are offering relief measures to help our existing credit card customers.”
The email offers 300 SGD (Singapore dollars, approximately US$210) and tells the recipient to “Start Here” to claim the money by clicking on a link.
The link will take the recipient to a spoofed page for the bank that asks for their name, address, and credit card number as shown below in Figure 9.
Figure 9 Major UK Bank "COVID-19 Relief Measures" Phishing Page
Conclusion
The ongoing shift to coronavirus-themed messages and campaigns is truly social engineering at scale and these recent payment-related lures underscore that threat actors are paying attention to new developments. We anticipate threat actors will continue modifying their strategies as the news surrounding COVID-19 shifts.