A malicious campaign analyzed by email security provider INKY spoofs the US Federal Reserve with promises of a government payment for those affected by COVID-19.
Cybercriminals have been taking advantage of the coronavirus outbreak with malware campaigns designed to trick people who are curious or anxious about the disease. One common mode of attack is the phishing email, which often spoofs legitimate companies and government agencies. A specific campaign spotted by INKY attempts to ensnare people who've been hurt economically by COVID-19. These emails claim to offer help on getting government funds but instead lead recipients to a web page that tries to capture their banking credentials.
SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)
In a Friday report entitled "Exploting a Pandemic: Coronavirus Stimulus Package Economic Impact Payments," INKY detailed the journey you would take if you fell for this particular scam. The initial phishing email claims to come from the Federal Reserve with a link promising payment under the Paycheck Protection Program, a real program from the Small Business Administration that provides loans to businesses impacted by COVID-19.
Clicking on the link takes you to a website with the domain name of economicimpactpayment.site, a name registered with Namecheap, a domain registrar known for its cheap prices. A button on the site proclaims: "Get Economic Impact Payment Now." Clicking on that button triggers a dropdown menu with the names of well-known banks, such as Wells Fargo, Chase, Bank of America, and Citizens Bank.
Choosing your particular bank brings up a page with the bank's actual logo prompting you to enter your account username and password. In response, the site tells you that you entered the wrong data. But behind the scenes, your banking credentials are now in the hands of the scammers.
The scammers used HTML and CSS in a professional way to design a convincing phishing site, according to INKY. The dropdown menu of the banks, the bank logos, and the bank login pages all look legitimate. The scammers even took the FAQ from the real Economic Impact Payments site. All of the time and effort required to create this site was done to increase the odds of reeling in unsuspecting victims.
In its analysis, INKY found that Microsoft's Office 365 Advanced Threat Protection (ATP) scans the initial phishing email and rewrites the link with safelinks.outlook.com to warn people about malicious URLs. But by itself, this may not be sufficient to prevent people from clicking on the link. As INKY points out, users would be better served if Microsoft ATP identified and blocked the email as a phishing attempt.
- The latest cancellations: How the coronavirus is disrupting tech conferences worldwide (TechRepublic)
- The tech pro's guide to video conferencing (TechRepublic download)
- Coronavirus domain names are the latest hacker trick (TechRepublic)
- COVID-19 demonstrates the need for disaster recovery and business continuity plans (TechRepublic Premium)
- As coronavirus spreads, here's what's been canceled or closed (CBS News)
- Coronavirus: Effective strategies and tools for remote work during a pandemic (ZDNet)
- How to track the coronavirus: Dashboard delivers real-time view of the deadly virus (ZDNet)
- Coronavirus and COVID-19: All your questions answered (CNET)
- Coronavirus: More must-read coverage (TechRepublic on Flipboard)