The phishing emails led to malicious websites that used the same HTML and CSS found in actual White House sites, says email security provider INKY.
Phishing emails and their associated websites often impersonate well-known organizations, brands, businesses, and other familiar subjects to try to trap potential victims. They can spoof banks and financial establishments, hospitals and healthcare groups, and even one's own employer. A series of recent phishing emails examined by INKY targeted people curious or anxious about COVID-19 by impersonating the White House and some in the administration.
In a report released Thursday entitled "Exploiting a Pandemic: White House COVID-19 Phishing Scams," INKY discussed two phishing campaigns that exploited the White House. Both were sent from email accounts hosted in Russia and were purportedly from the federal government and Donald Trump.
The first email claimed that the current coronavirus quarantine would last until August 2020 and said that the Treasury Department and the IRS have moved "Tax Day" from the usual April 15 to August 15. (The filing date has actually been moved to July 15.) This email contained a link to download the president's new coronavirus guidelines for America.
The second email was similar to the first in claiming that the quarantine would last until August. But this one suggested that the president had announced more groundbreaking steps and urged recipients to click a link to read the associated document.
Beyond the incorrect revised date for Tax Day, the second email contained misspellings that can be common in spam. But unsuspecting users who didn't read the email closely enough might have taken the bait. In both cases, clicking on the link directed people to a hijacked Russian website with a Microsoft Word document containing macros that install malware. This hijacked domain was also used to send the phishing emails in the first place.
The malicious websites tried to reproduce the look and layout of actual White House sites by copying the HTML and CSS code. Though these sites have since been taken down, a new campaign has surfaced with emails claiming to be from Mike Pence. These messages take a page out of the usual extortion scam with allegations that the recipient has committed some type of illegal activity. In this case, Pence promises not to tell the president as long as some kind of agreement can be reached.
As with the initial emails, these new messages that claim to be from Pence would probably be dismissed and even laughed at by the average person. But remember that scammers only need to score with a very tiny percentage of recipients in order to spread malware and make a profit.