COVID-19: Real-Life Examples of Opportunistic Phishing Emails

  • 15 April 2020

A few weeks ago we published the post below, which included real-world examples of opportunistic phishing attacks exploiting COVID-19. One of the phishing attacks pretended to be from “Management” and contained an attachment with guidance on how to stay safe. Another attack was designed to look like an account activation email for a remote-working tool; it was sent by “IT Support.”

We have two more real-world examples, and this time the attackers are impersonating a company that has seen tremendous attention and adoption with the rise of remote-working: Zoom. 

Phishing Email #1: Your CEO is Waiting for You

What’s wrong with this email?

  1. The Display Name ([email protected]) and the email address do not match. The actual sender address is [email protected].
  2. The attacker, who sent the email on a Friday afternoon, is hoping that the target will a) be motivated to respond quickly to a meeting request from the CEO and b) be less scrutinizing and security-conscious as it’s the end of the week. 
  3. The target is being encouraged to click on a seemingly legitimate Zoom link, which would likely lead to a malicious site or could deploy malware. 
  4. Upon hovering over the provided link, you’ll find the URL is actually different from the one the hyperlink text would lead you to believe.
  5. The closing of the email is suspicious: “This message is from your company’s IT.”

NB: This phishing email is a direct spoof and was prevented because of DMARC; it was automatically sent to a Spam folder. If you haven’t set your DMARC records correctly, these emails will fly past existing defenses.

Inspect links carefully: here, destination URL and hyperlink do not match

Phishing Email #2: Generic Zoom Spoof

What’s wrong with this email?

  1. The Display Name (tessian.com ZoomCall) and the email address do not match, but the attacker is hoping the recipient doesn’t look beyond the sender Display Name.
  2. The conference call time and date in the email subject line seem to have already passed, based on when the attack was received. Note that this email was received at 3:22am, so it would likely be the first email the recipient reads in the morning.
  3. The email contains the message “Zoom will only keep this message for 48 hours.” This combined with the subject line adds a sense of urgency and could potentially convince the recipient they’ve missed something important and should quickly try to remedy it. 
  4. The target is being encouraged to click on a seemingly legitimate Zoom link, which would likely lead to a malicious site or could deploy malware. 
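A check for the display-name mismatch called out in point 1 of both emails above (and of both emails in the original post below), as an added example that is not part of Tessian's post or product: it pulls the domains a display name claims and compares them with the real sender domain. The addresses and the two-label owner-domain shortcut are assumptions.

```python
import re

# A domain-looking token inside a display name ("ceo@tessian.com",
# "tessian.com ZoomCall"). The final label must be alphabetic, so "v2.0" or
# "U.S." are not picked up; \b keeps the "ceo@" part out of the capture.
_DOMAIN_TOKEN = re.compile(r"\b([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})\b", re.I)
_ANGLE_FORM = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$")

def split_from(header):
    """Return (display_name, address) for a From: header value.
    Deliberately not email.utils.parseaddr: an unquoted '@' inside the
    display name, which is exactly what these lures rely on, confuses it."""
    m = _ANGLE_FORM.match(header)
    if m:
        return m.group("name").strip().strip('"').strip(), m.group("addr").lower()
    return "", header.strip().lower()

def registrable(domain):
    """Crude owner-domain approximation: the last two labels. Assumption made
    for the example; real deployments need a public-suffix list (co.uk etc.)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def check_from_header(header):
    """List every domain the display name claims that the sender does not own."""
    name, addr = split_from(header)
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    claimed = {m.group(1).lower() for m in _DOMAIN_TOKEN.finditer(name)}
    for domain in sorted(claimed):
        if registrable(domain) != registrable(sender_domain):
            findings.append(
                f"display name references {domain} but sender domain is {sender_domain}"
            )
    return findings

if __name__ == "__main__":
    # Constructed headers modelled on the two lures above (sender domains invented).
    for hdr in ('"ceo@tessian.com" <meeting@zoom-invite.example>',
                "tessian.com ZoomCall <notify@mailer.example.net>",
                "Zoom <no-reply@zoom.us>"):
        print(hdr, "->", check_from_header(hdr) or "no mismatch")
```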

We’ve been pulling together guidance and resources to help employees and businesses stay safe while working remotely. If you suspect you’ve been targeted by a phishing attack, do not click any links or download attachments. Instead, directly contact the sender via phone or a messaging app to confirm the legitimacy of the email, and immediately alert your IT or security team.

__________________________________________

Original post from Tuesday March 24, 2020

Over the last several weeks, there’s been a surge in opportunistic phishing attacks in which hackers are using the outbreak of COVID-19 to dupe targets into following links, downloading attachments, or otherwise divulging sensitive information. 

We highlighted a few examples of phishing scams both consumers and employees should be aware of in our blog post, Coronavirus and Cybersecurity: How to Stay Safe from Phishing Attacks. Importantly, though, the examples were anecdotal. 

Now, we want to share two real-life examples that Tessian Defender has flagged internally since the original blog was published. 

Phishing Email #1: The Attacker is Capitalizing on Fear Around COVID-19

Display and domain do not match

What’s wrong with this email?

  1. The Display Name (Information Unit) and the email address do not match at all. (What’s more, ‘Information Unit’ is not a genuine internal group at Tessian.)
  2. The attacker, who sent the email late-afternoon on a Friday, is no doubt hoping that the target – our marketing team – is less scrutinizing and security-conscious as the week comes to a close, especially when employees across the globe are working from home.
  3. The target is being encouraged to download an attachment, which opens a fake login page to steal the victim’s credentials.
  4. The email is rife with spelling and grammar errors as well as formatting inconsistencies, and the unconcerned, mechanical language is out of character for anyone in management, especially given the content of the email.
  5. The attacker used complex encoding to try to evade traditional phishing detection tools that scan for certain keywords in the email’s body. How? By interspersing invisible characters between the visible ones so that the raw content looks like gibberish.

Below is a screenshot of encoding in the email body for reference. Here, you see the characters marked “transparent”; those are the invisible characters.
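The evasion described in point 5, handled from the detection side, as an added example (not Tessian's code): invisible and zero-width characters are stripped before keyword matching, and the share of such characters is itself reported as a signal. The keyword list and the sample body are constructed for the example.

```python
import re
import unicodedata

# Code points that render as nothing and are typically interspersed to defeat
# keyword matching. The Unicode "format" category (Cf) already covers zero-width
# spaces/joiners, the BOM and the soft hyphen; U+034F is a combining mark, so it
# is listed explicitly.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad", "\u034f"}

def is_invisible(ch):
    return ch in INVISIBLE or unicodedata.category(ch) == "Cf"

def strip_invisible(text):
    """Drop characters that draw nothing, leaving the text a reader would see."""
    return "".join(ch for ch in text if not is_invisible(ch))

def normalize(text):
    """NFKC folds fullwidth and other compatibility forms, then invisible
    characters are removed and whitespace collapsed, before case-folding."""
    text = unicodedata.normalize("NFKC", text)
    text = strip_invisible(text)
    return re.sub(r"\s+", " ", text).strip().casefold()

# Constructed keyword list for this lure type; a real ruleset is larger.
KEYWORDS = ("covid-19", "coronavirus", "guidance", "attachment", "stay safe")

def find_keywords(text):
    """Keywords present once the obfuscation is undone."""
    norm = normalize(text)
    return [kw for kw in KEYWORDS if kw in norm]

def obfuscation_ratio(text):
    """Fraction of code points that are invisible; legitimate mail sits near 0."""
    if not text:
        return 0.0
    return sum(1 for ch in text if is_invisible(ch)) / len(text)

# Constructed sample body imitating the technique: zero-width characters between
# the letters of the key phrase, invisible when rendered.
SAMPLE = ("Please read the attached C\u200bO\u200cV\u200dI\u200bD\u200b-\u200b1\u200b9 "
          "g\u200buidance to stay safe")

if __name__ == "__main__":
    print("naive match:", [kw for kw in KEYWORDS if kw in SAMPLE.casefold()])
    print("after normalisation:", find_keywords(SAMPLE))
    print(f"invisible share: {obfuscation_ratio(SAMPLE):.2f}")
```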

Phishing Email #2: The Attacker Baits the Target With a Remote-Working Tool

What’s wrong with this email?

  1. The Display Name ([email protected]) and the email address are in stark contrast.
  2. This sender’s email address is a direct spoof of the domain (tessian.com).
  3. The attacker is taking advantage of the fact that many employees around the world are now suddenly working from home and in need of remote-working tools. Therefore, targets are more likely to trust that their employer has, in fact, set them up for remote connection provided by a VPN vendor.
  4. The way this email is constructed – poor grammar and impersonal – makes it obvious to a Tessian employee that this is not legitimately from our IT manager.

The target is being encouraged to follow a link, which looks inconspicuous. But, upon hovering, you’ll see that the link the target will actually be led to is suspicious.

Important: Because Tessian has DMARC enabled, emails that spoof our domain are automatically sent to “quarantine”. That means the email was never actually received by the target and instead went straight to a spam folder. Unfortunately, though, a lot of companies don’t have DMARC enabled. In fact, nearly 80% of domains have no DMARC policy.
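A way to read a domain's DMARC TXT record and say what a receiver does with a direct spoof like the ones above, as an added example that is not Tessian's code; the record strings are constructed, and the DNS lookup is left out so it runs offline.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into lowercase tag -> value. Returns {} unless
    the first tag is v=DMARC1, as RFC 7489 requires (compared case-insensitively)."""
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spoof_outcome(record, subdomain=False):
    """What a DMARC-checking receiver does with mail that fails alignment
    (a direct spoof of the domain). Returns (verdict, explanation), where
    verdict is 'delivered', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    if not tags:
        return "delivered", "no DMARC record: DMARC does not filter spoofed mail"
    policy = tags.get("p")
    if policy is None and "rua" in tags:
        policy = "none"  # RFC 7489 6.6.3: rua present but p missing -> monitor only
    if subdomain:
        policy = tags.get("sp", policy)  # sp= falls back to p= when absent
    policy = (policy or "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "delivered", "missing or malformed p= tag: receivers ignore the record"
    if policy == "none":
        return "delivered", "p=none only reports; spoofed mail still reaches the inbox"
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100
    if pct < 100:
        weaker = "quarantine" if policy == "reject" else "none"
        return policy, f"{policy} applied to {pct}% of failing mail; the rest gets {weaker}"
    return policy, f"p={policy} enforced on all failing mail"

if __name__ == "__main__":
    # Constructed records: the weak monitoring setting beside an enforcing one.
    for rec in ("", "v=DMARC1; p=none; rua=mailto:reports@example.com",
                "v=DMARC1; p=quarantine; rua=mailto:reports@example.com",
                "v=DMARC1; p=reject; sp=none; pct=50"):
        print(repr(rec), "->", spoof_outcome(rec))
```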

Now that you know what these opportunistic phishing emails look like, what do you do if you’re targeted? That is, after all, what’s really important when it comes to preventing a data breach. 

What to Do If You’re Targeted by a Phishing Attack

  1. If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid.
  2. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative. 
  3. If you’re an employee who’s been targeted, contact your line manager and/or IT team.

Unfortunately, hackers are taking advantage of other opportunities to target individuals and businesses, including:

  1. Tax Day
  2. The US Census
  3. Stimulus Checks 

You can also find information, including the types of brands and people hackers try to impersonate and how to spot a suspicious or spoofed email address, here.