Spurred on by the coronavirus pandemic, cybercriminals have been busy launching phishing attacks that impersonate organizations and other items associated with the virus. One group that’s been exploited in many of these campaigns is the World Health Organization, a tempting target as it’s been trying to manage and direct some of the global efforts toward combatting COVID-19. Spoofing the WHO, a new phishing campaign spotted by security provider Abnormal Security is trying to capture the email credentials of unsuspecting users.

SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic Premium)

In a blog post published Friday, Abnormal Security explained how this latest campaign works. The initial phishing email claims to be sent by the WHO with a sender’s address of support@who.international. Displaying the WHO’s familiar logo, the email states that the World Health Organization has sent you a message, inviting you to click a link for Open Message. The URL for this link is hidden behind the text, so users can’t clearly see it.

Image: Abnormal Security

Clicking the link takes the recipient to a landing page imitating the WHO home page. This page displays a login pop-up message asking people to sign in with their email address and password. Anyone who provides those credentials is then prompted to enter their phone number before being redirected to the actual WHO website. Of course, those sensitive pieces of information are then captured by the criminals behind this attack.

Image: Abnormal Security

The campaign capitalizes on the fear and anxiety over the coronavirus by promising the recipient details about the pandemic. So, it’s not hard to imagine how some people could fall for this scam. However, there are a couple of subtle but significant signs that the email and site are not legitimate.

SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)

The email is sent from the domain of who.international, but the WHO’s actual domain is who.int. Though the landing page looks genuine, the login pop-up seems out of place as it’s asking people to sign in with their email to “join the conversation.”

The login pop-up also brings up an interesting question. Exactly which credentials are the attackers seeking?

“This attack is targeted at people in general (we first saw it at one of our customers in the hospitality industry), and they appear to be trying to trick recipients into entering their real email credentials and phone number,” Ken Liao, vice president of cybersecurity strategy for Abnormal Security, told TechRepublic. “The attack doesn’t specify which email credentials, so we’re only making educated guesses at this point, but suspect that attackers have seen enough users enter that information to launch this attack as a campaign.”