Majority of COVID phishing attacks coming from US IP addresses, report finds

An anti-phishing firm discovered that most of the malicious coronavirus emails were coming from the United States.

COVID-19 phishing emails have been bombarding inboxes since the virus began to spread in December and January. Cybercriminals have tried to push all kinds of scams to the masses using coronavirus-related topics, headers and organizations to get people to open malicious emails, files, or links. 
 
Complaints about phishing attacks have tripled since the concerns about COVID-19 became widespread, according to the FBI's Internet Crime Complaint Center.
 
Cybersecurity company INKY pored through the months of coronavirus-themed phishing emails and compiled a report on where most of them were coming from, finding that the majority of IP addresses found in email headers originated from the United States. 
 
Dave Baggett, CEO of INKY, acknowledged that these IP addresses might be easily spoofed by more skilled attackers but explained that there were a number of reasons most attackers would be in the US. 
 
"The majority of our users are American. Phishers prefer to target victims within their own geography because it's easier to research and impersonate since it's the same culture and language," he said in an email interview, adding that non-American attackers may also want to spoof a US origin to evade geographical filters.
 
The report does an in-depth examination of 34 phishing email templates that the company has seen over the past few months in its work protecting clients. INKY researchers found that in addition to the majority of IP addresses being sourced from the US, 44% came from North America. Another 26% came from Europe and 18% from Asia, while most attacks involved malicious links or attachments.

The cybercriminals behind these attacks made an effort to impersonate as many different people or entities as possible. INKY caught emails purporting to come from government agencies like the CDC or WHO as well as major brands, insurance companies and even a person's employer.

"Scammers are creating campaigns relating to bonus reports, COVID-19 disaster relief, pandemic food distribution, office shut downs, FedEx packages, quarantine protocols, and even information from the World Health Organization (WHO) and the White House," Baggett wrote in a blog post about the report.

The report includes snapshots of dozens of realistic-looking emails, with design accents added to make them appear legitimate. Some of the emails look like they contain legitimate information from government organizations about how people can protect themselves from COVID-19, while others look like financial payments for small businesses from the CARES Act.

One email includes legitimate information about a company's telework policies, and others are filled with potentially useful information about COVID-19 that is signed by the White House and President Donald Trump.
 
Baggett noted that some of the most worrying new trends with phishing emails were those that came with real company logos, trademarks, copyrights, and HTML/CSS. The report includes multiple emails made to look almost identical to legitimate emails from insurance companies like Humana and Cigna asking people to click a link for more information about changes to their healthcare plans.

There are even emails made to look like they come from event speakers who had to cancel their appearance because of the virus, as well as others that come with voice messages attached and fake emails that look like they come from an employer's IT department.

"It is very easy to execute an attack of this nature. Anyone can use bitcoin to buy a cheap confusable domain and hosting to launch an attack. Some of the new trends are malicious HTM or HTML attachments that build credential harvesting sites on a victim's local network. Bad actors get stolen credentials directly emailed to them if the victim uses it. We have also observed dynamic algorithms that impersonate the recipient's domain in a phishing email," Baggett wrote. 

"In 2019, the IC3 received a total of 467,361 complaints with reported losses exceeding $3.5 billion and the main culprit driving these numbers was phishing. Imagine what 2020 will hold if the number of complaints is already tripling."

Baggett suggested everyone use verbal confirmation for any and all financial requests. People should avoid using links directly in emails and instead should type the link in a browser. "If a link has to be used, hover over it to ensure it's not misleading. Beware of unfamiliar attachment types like SLK, IMG, RAR," he added.
