Over the last two months threat actors have stepped up their efforts to lure victims with COVID-19 vaccine news, such as approvals of the vaccine by world governments and the logistics of vaccine deployment, in order to spread malware, phishing, and Business Email Compromise (BEC) attacks.
The attacks target users in organizations located in the United States, Canada, Austria, and Germany by impersonating organizations including the WHO, DHL, and vaccine manufacturers. The themes leveraged a range of topics, including the fear that a person had encountered an infected individual; government vaccine approvals and economic recovery fueled by the vaccine; and sign-up forms to receive the vaccine, information updates, and vaccine shipment delivery, according to a new report from the cybersecurity company Proofpoint.
At the start of this year, the researchers observed a phishing campaign aimed at stealing Microsoft Office 365 login credentials that, over four days, targeted dozens of different industries in the United States and Canada. The emails urged the potential victims to click a link to “confirm their email to receive the vaccine”.
“This campaign was notable because it capitalized on the recent government approval of vaccines and the rush to receive it. Specifically, the email talks about "Government approval of the COVID-19 vaccine" and provides a link where one can supposedly register to receive it. At the time of this campaign, the vaccine in the United States was still available to first responders and doctors on the front lines,” Proofpoint reports. “The campaign also abused the brands of COVID-19 vaccine manufacturers as the lure in some of the emails. Other emails did not mention specific brands.”
The observed BEC campaigns, however, were far more targeted. They reportedly offered information on a bogus merger or acquisition and were sent directly to senior executives in the affected organizations.
In one of the campaigns the attackers used "COVID-19 APPROVED NEW VACCINES" as the email lure and abused the World Health Organization's logo and name. The email carried an executable attachment which drops and runs the Agent Tesla keylogger.
In another attack the hackers used the DHL brand to steal email login credentials. Both malicious campaigns used news about COVID-19 vaccines to trick users into clicking malicious links.
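The campaigns above share three observable traits that a mail-gateway or SOC triage rule can key on: a display name claiming a brand (WHO, DHL) that does not match the sending domain, vaccine-themed lure wording in the subject or body, and either an executable attachment or a link sitting next to that lure text. The following script is an added example written for this article, not code from Proofpoint or from the report; the brand-to-domain mapping, the lure term list and the three sample messages are constructed for illustration.

```python
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr

# Brands the report says were impersonated. The legitimate-domain list is an
# assumption for this example, not data from the report.
IMPERSONATED_BRANDS = {
    "who": ("who.int",),
    "world health organization": ("who.int",),
    "dhl": ("dhl.com", "dhl.de"),
}

# Lure phrases drawn from the themes described in the article.
LURE_TERMS = re.compile(
    r"\b(vaccines?|covid[- ]?19|register to receive|confirm your email|government approval)\b",
    re.IGNORECASE,
)

# Attachment extensions that run as code when opened (constructed list).
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|js|vbs|jar)$", re.IGNORECASE)


def _sender_matches(domain: str, legit: tuple) -> bool:
    """True if the sending domain is one of the brand's own domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def score_message(raw: str) -> dict:
    """Return a dict with a score (number of suspicious traits), a verdict and the reasons."""
    msg = message_from_string(raw)
    reasons = []

    # 1. Brand impersonation: display name names a brand, sender domain is not that brand's.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, legit in IMPERSONATED_BRANDS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", display.lower()) and not _sender_matches(sender_domain, legit):
            reasons.append(f"display name claims '{brand}' but sender domain is '{sender_domain or '<none>'}'")
            break

    # 2. Collect text parts and attachment names from all MIME parts.
    text_parts, attachments = [], []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            attachments.append(fname)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text_parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    text = msg.get("Subject", "") + "\n" + "\n".join(text_parts)

    # 3. Vaccine-themed lure wording in subject or body.
    hits = sorted({m.lower() for m in LURE_TERMS.findall(text)})
    if hits:
        reasons.append("vaccine lure terms: " + ", ".join(hits))

    # 4. Executable attachment (the WHO-themed campaign) or link beside lure text (the credential phish).
    for fname in attachments:
        if EXEC_EXT.search(fname):
            reasons.append(f"executable attachment: {fname}")
    if hits and re.search(r"https?://\S+", text):
        reasons.append("link present alongside lure text")

    return {"score": len(reasons), "verdict": "review" if len(reasons) >= 2 else "ok", "reasons": reasons}


# Constructed sample messages (not real campaign artifacts).
WHO_SAMPLE = textwrap.dedent("""\
    From: "World Health Organization" <alerts@example-news.test>
    To: ceo@victim.test
    Subject: COVID-19 APPROVED NEW VACCINES
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="XYZ"

    --XYZ
    Content-Type: text/plain; charset="utf-8"

    Please review the attached list of approved vaccines.
    --XYZ
    Content-Type: application/octet-stream; name="vaccines.exe"
    Content-Disposition: attachment; filename="vaccines.exe"
    Content-Transfer-Encoding: base64

    TVqQAAMAAAAEAAAA
    --XYZ--
    """)

DHL_SAMPLE = textwrap.dedent("""\
    From: "DHL Express" <notify@dhl-parcel-update.test>
    To: staff@victim.test
    Subject: Your vaccine shipment delivery requires confirmation
    Content-Type: text/plain; charset="utf-8"

    Confirm your email at http://dhl-parcel-update.test/login to release the package.
    """)

BENIGN_SAMPLE = textwrap.dedent("""\
    From: "IT Helpdesk" <helpdesk@victim.test>
    To: staff@victim.test
    Subject: Printer maintenance on Friday
    Content-Type: text/plain; charset="utf-8"

    The third-floor printer will be offline Friday morning.
    """)

if __name__ == "__main__":
    for name, raw in (("WHO", WHO_SAMPLE), ("DHL", DHL_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_message(raw)
        print(name, result["verdict"], result["reasons"])
```

The rule deliberately requires two independent traits before flagging a message for review, so a legitimate internal note that happens to mention vaccines, or a genuine DHL notification sent from a DHL domain, does not trip it on its own. In production the brand-to-domain table would be fed from the organisation's own list of trusted senders rather than hard-coded.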