What is happening?
Coronavirus, now known as COVID-19, has become a pressing issue globally as cases have continued to spread at a rapid pace. While physical health is a top concern, you should also be aware that many cybercriminals are taking the fear of Coronavirus as an opportunity to get access to your secure data.
As a “Security First” organization, OneLogin strives to deliver the latest threat information to our audience so that you can take the proper precautions to protect the data of your business, your employees, and your customers.
To take advantage of people’s fears and interest in the topic of Coronavirus, we are starting to see phishing attacks from cybercriminals who are sending emails under the guise of the World Health Organization and the Center for Disease Control. Subject lines warn users of “New outbreaks in your area” or “Find out how to protect yourself from the Coronavirus.” These emails are promising the readers that if they “click here” they will find out more information about the coronavirus. These are phishing attacks, pure and simple. When a reader clicks on the link they are redirected to a form and asked to fill in personal information such as username or password, or the link simply downloads malware onto the recipient’s machine. In some cases, the emails have attachments that contain malware.
In a report published earlier this month, Proofpoint researchers wrote: “In this latest round of campaigns, attackers have expanded the malware used in their Coronavirus attacks to include not just Emotet and the AZORult information stealer, but also the AgentTesla Keylogger and the NanoCore RAT—all of which can steal personal information, including financial information.” Emotet and AZORult can often bypass many malware scanners. They can also be used to download and deliver other Trojans and Ransomware. One of the favorite delivery mechanisms is to hide these information stealers in Microsoft attachments as Macros that run when the document is opened. AgentTesla Keylogger and NanoCore RAT also tend to piggyback on document attachments. They not only steal user information but can give the attacker the capability of controlling the user’s machine remotely.
This is a hostile attempt to take advantage of the public’s fear of coronavirus and trick them into sharing personal information as well as possibly financial and business information.
What can you do to protect yourself?
We want to make sure that you are informed and know how to protect yourself and your company. The WHO and the CDC are aware of these phishing attempts in their name and the WHO has actually provided some helpful guidelines. According to the World Health Organization, they will never:
- Ask you to login to view safety information
- Email attachments you didn’t ask for
- Ask you to visit a link outside of www.who.int
- Charge you money to apply for a job, register for a conference, or reserve a hotel
- Conduct lotteries or offer prizes, grants, certificates or funding through email
- Ask you to donate directly to emergency response plans or funding appeals.
If you do not already do so, make sure to educate your users on the dangers of phishing attempts. We regularly have our users go through security training to educate them on how to identify and handle phishing emails. Companies like KnowBe4 provide a wide choice of Security Awareness training that you can make available to your employees. Here is a list of WHO guidelines to prevent phishing:
Verify the sender by checking their email address.
Make sure the sender has an email address such as ‘email@example.com’ If there is anything other than ‘who.int’ after the ‘@’ symbol, this sender is not from WHO.
WHO does not send email from addresses ending in ‘@who.com’ , ‘@who.org’ or ‘@who-safety.org’ for example.
Check the link before you click.
Make sure the link starts with ‘https://www.who.int’. Better still, navigate to the WHO website directly, by typing ‘https://www.who.int’ into your browser.
Be careful when providing personal information.
Always consider why someone wants your information and if it is appropriate. There is no reason someone would need your username and password to access public information.
Do not rush or feel under pressure.
Cybercriminals use emergencies such as COVID-19 to lure people into making decisions quickly. Always take time to think about a request for your personal information, and whether the request is appropriate.
If you gave sensitive information, don’t panic. If you believe you have given data such as your username or passwords to cybercriminals, immediately change your credentials on each site where you have used them.
If you see a scam, report it.
If you see a scam, tell us about it.
Report a scam
You can also go straight to the source for information on the coronavirus:
We cannot state this enough! Keep your employees informed and educated. Security First is one of our main values here at OneLogin. The cybercriminals are creative and persistent. Let us help you keep your user access secure. Stay tuned for the next parts of this series: