How vaccine-related phishing attacks are posing a greater threat to organizations

Scammers are launching more malicious campaigns designed to take advantage of the anxiety and confusion over the COVID-19 vaccines.

covid-19-vaccine-shot-distribution.jpg

Image: iStock

The rollout of coronavirus vaccines around the world is certainly welcome news following a year grappling with the deadly pandemic. But vaccine deployment has encountered bumps in the road as many people are still uncertain over when, where and how to get their shots. That confusion has been ripe for exploitation by cybercriminals, triggering an increase in related phishing scams, according to Check Point Research and Barracuda Networks.

SEE: COVID-19 workplace policy (TechRepublic Premium)

In a blog post published last week, Check Point revealed an increase in the number of domains with the word "vaccine" in their titles. Over the past four months, the volume of new vaccine-related domains shot up by 7,056, of which 294 have been deemed potentially dangerous by Check Point.

Pointing to one example, Check Point said it recently discovered a malicious website impersonating the U.S. Centers for Disease Control and Prevention and promising vaccine information. To get the alleged information, visitors are asked to enter their Microsoft credentials, which the attackers naturally capture.

A report released last Thursday by security provider Imperva found that traffic from bad bots on healthcare websites has increased at a time when countries are expanding their vaccine rollout and making appointments for more people. Such traffic has skyrocketed by 372% around the world since September 2020 and jumped by almost 50% in February.

Bad bot traffic has real-world implications in more ways than one. These bots chew up server resources, making it more difficult for people to set up appointments on vaccine websites. Bots will sometimes reserve appointments while people are waiting in a virtual queue to get their chance. Vaccine sites in various states have even crashed, with a large amount of that traffic potentially coming from bots.

In a post published last Thursday, Barracuda Networks found that cybercriminals are leveraging the vaccines in targeted spear-phishing attacks, which are aimed at specific people or roles within an organization. After Pfizer and Moderna announced the availability of their vaccines in November 2020, vaccine-related spear-phishing attacks rose by 12% from the prior month. By the end of January, that percentage had increased by 26% since October.

Barracuda researchers uncovered two types of vaccine-related spear-phishing attacks: 1) brand impersonation and 2) business email compromise.

With brand impersonation, the phishing emails spoof a well-known brand or organization. In one example, the emails include links to a website touting early access to vaccines. But the early access is promised only in exchange for payment, a significant scam as the actual COVID-19 vaccines are freely available. In another example, the emails impersonate health care professionals who request personal information to check the recipient's eligibility for a vaccine.

With a business email compromise, the email senders typically masquerade as employees or external partners. In one case, Barracuda said it spotted cybercriminals impersonating employees who asked for an urgent favor while getting a vaccine. In another, the criminals spoofed an HR specialist claiming that the organization has secured vaccines for their employees.

After an attacker gains access to a victim's credentials, they can easily take over the person's account. Skilled hackers will often conduct reconnaissance before launching targeted attacks. They also use legitimate accounts to send mass phishing and spam campaigns to as many people as possible before their activity is detected.

To help protect your organization from vaccine-related phishing scams, Barracuda offers the following four tips:

  1. Take advantage of artificial intelligence. Scammers are adapting email tactics to bypass gateways and spam filters, so it's critical to have a solution that detects and protects against spear-phishing attacks, including brand impersonation, business email compromise and email account takeover. Deploy purpose-built technology that doesn't rely solely on looking for malicious links or attachments. Using machine learning to analyze normal communication patterns within your organization allows your security technology to spot anomalies that may indicate an attack.
  2. Deploy account-takeover protection. Don't just focus on external email messages. Some of the most devastating and successful spear-phishing attacks originate from compromised internal accounts. Be sure scammers aren't using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.
  3. Train staffers to recognize and report attacks. Educate your users about spear-phishing attacks. Provide employees with up-to-date user awareness training about vaccine-related phishing, seasonal scams, and other potential threats. Ensure staffers can recognize the latest attacks and know how to report them to IT right away. Use phishing simulation for email, voicemail and SMS to train users to identify cyberattacks, test the effectiveness of your training and evaluate the most vulnerable users.
  4. Set up strong internal policies to prevent fraud. Establish and regularly review existing policies to ensure that personal and financial information is handled properly. Help employees avoid costly mistakes by creating guidelines and putting procedures in place to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions.

Editor's note: This article has been updated with information from Imperva.

Also see

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.