Coronavirus Email Scam – Beware of Phishing emails, Malware, Fake Alerts, Spoof Websites, and Cyberthreats
A new Coronavirus Email Scam and a malware campaign both attempt to take advantage of people’s fears about the new Coronavirus. As the number of people infected with the Coronavirus exceeds 20,000, the phishing email scam exploits people’s concern about the spread of the novel coronavirus (2019-nCoV), reported by the World Health Organization (WHO) to have originated in Wuhan, China. There is also a Coronavirus-themed malware campaign distributed via spam email, as well as the appearance of virus-themed spoof websites. The goal of these cyber attacks is to steal banking credentials and your money.
The US Department of Homeland Security recently warned the public of an increase in Emotet malware attacks on businesses. The warning concerns Emotet, which is among the most destructive malware infecting state, local, tribal, and territorial governments. The most destructive attacks have cost close to one million USD to remediate.
The email scam targets people in Australia, Austria, Barbados, Germany, Hong Kong, Japan, Malaysia, Singapore, Spain, Switzerland, the United Arab Emirates, the United Kingdom and the United States. The malware primarily targets people in Japan. It is expected that the number of cyber threats, email scams, and malware attacks will increase over time as the Coronavirus spreads further.
Global news events, holidays, natural disasters, and health crises are all commonly used by hackers and scammers in phishing email attacks and malware campaigns. Unfortunately, opportunistic hackers also spoof donation websites in hopes of scamming money from donors who are trying to help people in need. Quality antivirus software can screen for malicious files and links. It can also be used to remove malware. Using a virtual private network (VPN) can prevent your credentials from being stolen by hackers.
Coronavirus Themed Malicious Files
According to cyber security research firm Kaspersky Lab, malicious pdf, mp4, and docx files are circulating disguised as information relating to the novel Coronavirus. According to Kaspersky, “The file names imply that they include virus protection instructions, current threat developments, and even virus detection techniques.” However, downloading the files launches a malware attack instead.
Coronavirus Themed Malware Attacks
A malware attack launched from an email scam delivers Emotet malware and botnet cyber attacks via large volume spam emails. The emails primarily target Japan and contain messaging about newly reported cases of Coronavirus. The email urges the reader to open the attachment to read an important virus-related message and get helpful information.
What is Emotet Malware?
Emotet is a banking malware that can be used to download other malware to infected devices. It was designed to steal banking credentials for banking fraud. TA542 has used Emotet for banking fraud campaigns targeting banks in Germany, Austria, and Switzerland. The latest version of Emotet now uses third-party malware to carry out its work.
Emotet malware steals login credentials from web browsers and email clients. The malware can also steal the subject, body, sender’s name, recipient’s name and email address. It infects more devices by sending spam emails and forwarding itself to email contacts from an infected device. That’s why it is important to use a unique password for every online account.
Emotet malware is capable of reviving older email threads to increase infection rates.
The Coronavirus email scam and malware attack is the work of TA542, a hacking group that has used malicious attachments in scam emails for their previous attacks. One of their more recent malware email scam campaigns contained activist Greta Thunberg themed content. The scam email contains an attachment that appears to contain an urgent message relating to the spread of the novel Coronavirus but is instead a weaponized file.
What Is TA542?
TA542, also known as Mummy Spider, is an organized threat actor group that consistently uses a malware payload called Emotet. TA542 typically sends large scale spam email campaigns. The latest version of Emotet malware, aka Geodo, has been delivered in widespread global email phishing campaigns in North America, Central America, South America, Europe, Asia, and Australia.
Emotet malware has also been used to deliver more malware including Qbot, The Trick, IcedID, and Gootkit.
According to cyber security researchers at Proofpoint, TA542 uses subject lines that contain financial themes that usually refer to transactions, payments, or invoices. The scam emails contain malicious attachments or links to malicious documents. A typical Emotet scam email contains a Microsoft Word document or an Adobe .pdf attachment. It may have a malicious link in the body of the email. If the victim has macros enabled, the scam email installs Emotet onto their machines.
Coronavirus Email Scam
This email scam impersonates the United States Center for Disease Control (CDC) and virologists but is really a phishing email scam in disguise. The email attempts to scare recipients with news of a supposed infection in their area. It also provides information on safety measures to seem credible and to increase the likelihood that the recipient opens the email.
A Coronavirus email scam was discovered in the wild as an email phishing attack by KnowBe4, Inc. This scam email is a bit different than the malware launcher version. According to Stu Sjouwerman at cyber security research firm KnowBe4, the email (Image 1) also attempts to impersonate the CDC and even includes some helpful virus prevention tips to increase its believability and the likelihood that the user clicks on the malicious link in the email body. If the recipient clicks on the link, it leads them to a spoof website that is a credential phishing page.
Don’t Fall For Coronavirus Email Scams and Phishing Attacks.
Example Emotet Scam Email Subject Lines
- ACH Payment Info
- Payment Notification
- Transaction for your invoice
- Overdue payment
- Paid Invoices
- Sales Invoice
- Status update
- Document needed
- New Order
- Receipt for your invoice
How to Detect a Scam Email
Coronavirus scam emails may prompt you to check an updated map of the outbreak or even give you helpful virus-related information. Phishing emails may appear to originate from authorities, your local school system, the CDC, or World Health Organization (WHO). Phishing emails use scare tactic subject lines and content about supposed local infected people or keeping you and your family safe from the virus. The email might prompt you to open an attachment, click on a link, or even ask for donations to stop the spread of Coronavirus.
A scam email or spoofed website often contains grammatical errors. Although they may be designed to look just like legitimate emails from large corporations or charities, they often contain spelling or grammar errors common to someone who is writing in something other than their native language. For example, the phishing email discovered by KnowBe4 contains a grammatical error (“You are immediately advised to go through the cases above for safety hazard”) at the end of the last sentence in the body of the email.
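The indicators described above (the example Emotet subject lines, a Word or PDF attachment, and a sender name that claims the CDC or WHO) can be checked automatically on a raw message. The following is an added example, not code from the original article or from any vendor it cites; the function names, the brand-to-domain table and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Example Emotet subject lines listed on this page (lower-cased).
LURE_SUBJECTS = {
    "ach payment info", "payment notification", "transaction for your invoice",
    "overdue payment", "paid invoices", "sales invoice", "status update",
    "document needed", "new order", "receipt for your invoice",
}
# Assumption: real domains of the organisations the page says are impersonated.
BRAND_DOMAINS = {"cdc": "cdc.gov", "world health organization": "who.int"}
DOC_EXTENSIONS = (".doc", ".docx", ".docm", ".pdf")  # Word / PDF lures

def triage(raw: bytes) -> list[str]:
    """Return the page's scam-email indicators found in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # Drop "Re:"/"Fwd:" prefixes, since Emotet can revive older threads.
    subject = re.sub(r"^((re|fwd?):\s*)+", "", str(msg["Subject"] or ""), flags=re.I)
    if subject.strip().lower() in LURE_SUBJECTS:
        findings.append("subject matches known lure")
    # Compare the brand claimed in the display name with the sending domain.
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, real in BRAND_DOMAINS.items():
        claims = re.search(rf"\b{re.escape(brand)}\b", name.lower())
        if claims and domain != real and not domain.endswith("." + real):
            findings.append(f"display name claims {brand} but domain is {domain}")
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(DOC_EXTENSIONS):
            findings.append(f"document attachment: {filename}")
    return findings

def sample_message() -> bytes:
    """Constructed sample; example.net/.org are reserved documentation domains."""
    m = EmailMessage()
    m["From"] = "CDC Health Alert <alerts@cdc-gov.example.net>"
    m["To"] = "user@example.org"
    m["Subject"] = "RE: Payment Notification"
    m.set_content("Please open the attached notice about new cases in your area.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="msword", filename="Safety-Measures.doc")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage(sample_message()):
        print(finding)
```

A match on any single indicator is only a reason to look closer, since legitimate invoices and health notices also carry documents and similar subjects.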