Hackers imitating CDC, WHO with coronavirus phishing emails

Cybercriminals are now using fears over the outbreak to steal email credentials, security officials say.


Last week, IBM and Kaspersky caught hackers in Japan trying to spread malware through emails with links about the coronavirus outbreak that started in Wuhan, China, in January.

Now, Kaspersky and Sophos have found phishing emails from cybercriminals purporting to be from the Centers for Disease Control and Prevention and the World Health Organization that are attempts to steal email credentials and other information. 


In a blog post, Kaspersky researcher Maria Vergelis explained that they found phishing emails coming from "cdc-gov.org," instead of the CDC's real domain at cdc.gov, that claim to have vital information about the coronavirus.

"The letters claim that the CDC has 'established a management system to coordinate a domestic and international public health response' and urge recipients to open a page that allegedly contains information about new cases of infection around their city. The link appears to point to the legitimate CDC website: cdc.gov," Vergelis wrote. 

The link in the email takes you to a page that looks almost exactly like the Microsoft Outlook login page and asks users to enter their credentials. Instead of taking you to another page, it passes the entered information to the hackers, who then use it to access your email account.


Bitcoin donation sought

Vergelis said they found another version of the email that asks for people to donate to the CDC with Bitcoin. These emails, coming from the fake "cdcgov.org," include appeals for donations to help find a cure for the coronavirus, even though the CDC does not take donations and definitely would not take Bitcoin payment.

In an email full of spelling mistakes, hackers also purported to be from the WHO, according to a blog post from Paul Ducklin, senior technologist at Sophos. The email, which has the official WHO logo, claims to have information on safety measures and asks victims to click a link that will take them to a page with more detailed suggestions for how to protect themselves against the coronavirus.

"The scam page itself is incredibly simple—it can't have taken the crooks more than a few minutes to put together—and visually effective. The fake page consists of the official, current home page of the World Health Organisation (WHO), with an unassuming popup form on top of it. It doesn't just look like the WHO's page in the background, it is the WHO's page, rendered in a frame that's embedded in the fake site," Ducklin wrote.

"You can see why someone who's nervous about the coronavirus issue, or who has friends and family in the main areas of infection, or who wants to do the right thing by learning more about preventing the spread of the disease might fill in the form, perhaps because they are feeling pressured by (or not thinking clearly because of) the subject matter." 

"Indeed, many companies have already sent emails to their staff to offer advice, so reading additional information that is allegedly from the WHO sounds like a sensible and responsible thing to do," he added.

Etay Maor, chief security officer at IntSights, said attacks like this will continue to happen as more people search for information about the virus.

"This is to be expected and I have little doubt it will stop. Social engineering and utilizing real world events for phishing and other cyber crime purposes has always been around. We saw this with other sad recent news like Kobe's death," he said, referring to Kobe Bryant.

"Whether it's tragedies, large sporting events like the Super Bowl or healthcare related events, scammers are not shy about using these for their advantage."

The Kaspersky blog post includes a number of recommendations for how people can protect themselves from these kinds of attacks. People should always check the email address of the sender, the URL of any links sent and the design of pages purporting to be email login portals.
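The sender-domain and link checks the Kaspersky post recommends, written out as an added example that is not code from the article or from Kaspersky: cdc.gov and who.int are treated as the trusted names, and any host that merely contains them (cdc-gov.org, cdcgov.org, cdc.gov.something-else.example) is flagged for review. The trusted list, the two-label domain rule and the sample email are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Real domains the lures in the article impersonated (assumed trusted list).
TRUSTED = {"cdc.gov", "who.int"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Assumption: no public-suffix list,
    which is good enough for .gov/.int/.org/.com style names."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def squash(domain: str) -> str:
    """Drop dots and hyphens so 'cdc-gov.org' and 'cdcgov.org' both
    contain the same letters as 'cdc.gov'."""
    return re.sub(r"[.-]", "", domain.lower())

def classify_host(host: str) -> str:
    """'trusted' for the real domain or its subdomains, 'lookalike' when the
    host only contains the trusted name (a heuristic; review, do not block
    blindly), 'other' for anything unrelated."""
    host = host.lower().strip(".")
    if registrable_domain(host) in TRUSTED:
        return "trusted"
    squashed = squash(host)
    if any(squash(good) in squashed for good in TRUSTED):
        return "lookalike"
    return "other"

def scan_email(sender: str, body: str) -> list:
    """Return (kind, value, verdict) for the sender domain and every link
    whose host is not plainly trusted, so a reviewer sees what to look at."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].strip(">")
    findings.append(("sender", sender_domain, classify_host(sender_domain)))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        findings.append(("link", url, classify_host(host)))
    return [f for f in findings if f[2] != "trusted"]

# Constructed sample modelled on the lure described in the article.
SAMPLE_SENDER = "CDC Health Alert <alert@cdc-gov.org>"
SAMPLE_BODY = (
    "The CDC has established a management system to coordinate a domestic "
    "and international public health response. New cases in your city: "
    "https://cdc.gov.health-update.example/outlook/login "
    "Official guidance: https://www.cdc.gov/coronavirus/"
)

if __name__ == "__main__":
    for kind, value, verdict in scan_email(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"{verdict:9} {kind}: {value}")
```

The real www.cdc.gov link is dropped as trusted; the sender domain and the subdomain-trick link are both reported as lookalikes.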

Companies need to be proactive

Kowsik Guruswamy, CTO of Menlo Security, said this new campaign shows that companies have to be proactive about training employees to spot these kinds of emails and attacks, which will become more prevalent, especially around major news events like the coronavirus outbreak.

"This new campaign shows why existing security technologies will never be able to eliminate phishing attacks with malicious attachments. Attackers are leveraging a life or death situation to trick people into downloading malware. No AI or threat intelligence-based blacklist can ever stop this kind of attack," Guruswamy said.

Vergelis wrote that companies and regular people should expect to see many more emails like this as hackers realize how effective it is to exploit situations like the spread of the coronavirus.

"The coronavirus as a topic is heating up among malefactors of various kinds, so expect to see other malicious campaigns using the deadly virus as bait. Recently we've seen spam campaigns selling masks, which some perceive as the first line of defense against the virus," Vergelis added.
