Scams and phishing campaigns making use of the COVID-19 panic have been active and growing since January 2020, but it's not just criminals behind the ongoing trend. Researchers predicted that state-backed hackers around the world may be exploiting the pandemic as a cover for espionage. Google reported more than 12 state-backed hacking groups using the coronavirus theme to push phishing emails and distribute malware.
The Google Threat Analysis Group (TAG) published findings on two government-sponsored campaigns it was tracking. One of them targeted the personal email accounts of US government employees with phishing emails posing as COVID-19-themed updates from fast-food chains. Google said that some of the emails included coupons amusingly presented as 'pandemic specials,' while others promoted malicious links to portals for online food orders. Once the victims clicked on these links, they were taken to phishing pages made to collect Google login credentials. The company said that Gmail automatically marked the majority of the phishing emails as spam and blocked the links.
Hackers are frequently looking at crises as an opportunity, with COVID-19 being no different, according to Shane Huntley, TAG director. He mentioned they were seeing bad actors using the COVID-19 theme to push scams and phishing attacks. The team managed to identify over a dozen government-backed groups that were using the theme for malware and phishing.
TAG shared that the researchers aren't aware of any accounts being compromised as a result of the fast-food campaign. Google notified the people being targeted with a warning about the event. The company mentioned it detected more than 240 million COVID-related spam messages daily. It also counted more than 18 million phishing and malware emails, with more than 100 million phishing emails a day being blocked.
Health organizations are being targeted across the board
Apart from the campaigns aimed at US government employees, TAG said it was also seeing international health organizations, public health agencies and their workers being targeted. Some of the activity lined up with Reuters reports, starting at the beginning of April, about a hacking group called Charming Kitten, backed by Iran and targeting WHO staff.
Attackers are taking advantage of significant news and topics to drive these phishing campaigns. Threat intelligence company FireEye published a report describing the APT 32 state-sponsored hacking group attacking Chinese targets, specifically the Wuhan government and the Chinese Ministry of Emergency Management. The attacks were aimed at gathering intelligence from these sources.
TAG mentioned that Google didn't see an increase in overall phishing attacks because of the pandemic; rather, there was a decrease in the total volume during March. According to Google, these fluctuations are normal, indicating the attackers are facing challenges during the pandemic as well.