A recently uncovered phishing campaign used fake COVID-19 vaccination forms – and took advantage of confusion over whether employees will return to their offices this fall – to harvest workers’ email credentials, according to analysts with security firm INKY.
During this phishing campaign, which was active earlier this month, the fraudsters appeared to have used compromised email accounts to send realistic-looking emails to employees that purported to come from the targeted company’s human resources department, according to INKY researchers. These messages contained a malicious PDF link that would take victims to a phishing page to harvest their Microsoft Outlook credentials.
In some cases, the fraudsters also looked to steal personally identifiable information, such as full name, birthdate and mailing address, according to the report.
Once the credentials were harvested, the victim was redirected to a Santa Clara County government website in California that provides COVID-19 information to the public, the INKY analysts note. This was designed to confuse the victims and draw attention away from the attack.
This particular phishing campaign was notable for using social engineering techniques concerning the spread of the COVID-19 Delta variant and how this phase of the pandemic might affect employees returning to offices in the fall (see: COVID 19: What Delta Variant Means to Business Recovery).
“By August, the Delta variant cast its pall over everyone’s hopes for going back to normal. First, vaccinated workers felt nearly invulnerable,” according to the report. “Then, breakthrough cases started making the news. This confusion was a perfect environment for black hats to introduce a new form of phish.”
The INKY report notes that this particular campaign appeared in a limited number of employee inboxes – about 60 – and did not appear successful, although it’s not clear if the attacks are ongoing or have stopped as of now.
Attack Process
Since the phishing emails appeared to originate from legitimate accounts, the messages were able to bypass security tools such as sender policy framework, or SPF; domain keys identified mail, or DKIM; and domain-based message authentication, reporting and conformance, also known as DMARC; according to the report.
“It sent the lures from legitimate but hijacked email accounts to evade standard security checks. If the recipient clicked through, they were taken to a hijacked web page that impersonated a trusted brand. Because the phishers used a hijacked site, their exploit had not yet appeared on any threat intelligence feed,” the report says.
Phishing page designed to harvest Microsoft Outlook credentials (Source: INKY)
The phishing emails contained a blue anchor text with a link to a PDF file – “Certification-Vaccination-Status-Form.pdf.” If clicked, the link took the targeted employee to a malicious domain that impersonated a Microsoft Outlook web app login page. This landing page was then used to harvest credentials, the report notes.
Other Phishing Campaigns
Since June, the number of COVID-19-themed phishing attacks has increased as concerns over the Delta variant have increased, according to a report published earlier this month by security firm Proofpoint.
“The increase in COVID-19 themes in Proofpoint data aligns with public interest in the highly contagious COVID-19 Delta variant,” the report notes. “According to global Google Trend data, worldwide searches for ‘Delta variant’ first peaked the last week in June 2021 and have continued through August 2021 so far.”
The Proofpoint report notes that these phishing campaigns using COVID-19 and the Delta variant as a lure have been used to steal Office 365 and Outlook email credentials, such as the one uncovered by INKY, as well as to spread malware, including RustyBuer, Formbook and Ave Maria.