
While organised crime volumes remain broadly constant, there has been a shift to COVID-19 themed phishing campaigns and fraudulent websites as organised crime groups seek to monetise the fear, uncertainty and doubt many people feel during the pandemic.

Financial Scams

A wide range of COVID-19 related financial scams are in progress:

— Threat actors are exchanging US taxpayers' data on underground forums to claim coronavirus-relief stimulus checks and income tax refunds, with some actors discussing partnering up for further fraud, Secureworks reports.

— Resurgence of the Zeus Sphinx banking trojan, with version updates and core modifications with coronavirus as a theme, increasing its potency and persistence in targeting North American banks by harvesting credentials from online banking sessions, Security Intelligence reports.

— Grandoreiro malware is targeting banks in Spain, using COVID-19 themed videos to trick users into running a concealed executable that infects devices with a remote-access tool used to empty their bank accounts, Security Intelligence reports.

— A new version of Lampion trojan is being distributed via email, with lures containing fake telco invoices, fake invoices of bank transactions and emergency funds from the Portuguese government, Seguranca Informatica reports.


Organised crime groups have been building out attack infrastructure to affect corporations: 

— Her Majesty’s Revenue and Customs (HMRC) has asked ISPs to remove 292 scam websites exploiting the COVID-19 outbreak, Info Security reports.

— 300 coronavirus-themed malware samples were communicating with 20 suspicious domains. Between March 1 and April 7, 2020, these 20 domains made 453,074 unique network connections across 27 unique cloud environments, Unit 42 reports.

— An anonymous hacker has released code that allows individuals to submit junk data to Ohio state’s ‘COVID-19 fraud’ site. The circulated script makes it harder for submissions to be investigated, Vice reports.

Phishing and Malware

Broader phishing and malware campaigns continue to exploit COVID-19 themed lures for credential theft, ransomware and business email compromise (BEC):

— Australian global logistics firm Toll Group confirmed it was hit with the ransomware variant Nefilim, which uses AES-128 encryption to lock files, with blackmail payments made via email, ZDNet reports.

— An increase in phishing attempts via email and social media targeting young Finnish adults during the epidemic, with one-fifth of participants in a study reporting they had been victims of identity theft, YLE reports.

— IBM X-Force observed a new phishing campaign that pretends to come from the ‘Center for Disease Control’ with an attachment containing information about WHO’s business continuity plan but delivers the Lokibot trojan instead. 

— Coronavirus-themed attacks, with emails pretending to come from senior administrators requesting payroll updates and from the CEO of a global financial company asking the victim for company secrets, PhishLabs reports.

— Money mule scams with phishing emails targeted at laid-off Canadian and American workers, providing them the opportunity to work from home for $5000 per month, PhishLabs reports.

— Users of DocuSign on Office 365 have received a phishing email purporting to be an automated message from DocuSign carrying a link to a COVID-related document, which redirects to a fake DocuSign login page to steal credentials, Abnormal Security reports.

— McAfee researchers have detailed the different types of malware prevalent during the pandemic, surveying different lures for employees and family members to deliver malware like Emotet and Remcos RAT.

— Nigerian BEC group SilverTerrier has engaged in various coronavirus-themed phishing campaigns with emails including malicious Microsoft Office attachments, which download malicious executables once opened, Unit 42 reports.

— A low-quality spam campaign uses an attachment referencing a COVID-19 SMSM template to spread Ave Maria (Warzone RAT). It appears to execute only on Windows 7, IBM X-Force reports.

— A range of different malware used in a variety of coronavirus-themed attacks has been found to be a type of infostealer, including Lokibot, Agent Tesla and more, Lastline reports.


Healthcare is a growing target for cybercrime activity, with organisations involved in research into COVID-19 being at heightened risk:

— Europe’s largest private hospital operator was hit by a ransomware attack using a variant called Snake, disrupting operations globally, KrebsOnSecurity reports.

— The US FBI issued a warning to US research institutions about state espionage aimed at stealing intellectual property related to drug and vaccine development.

— Iranian-linked hackers targeted a major US drugmaker with a fake email login page sent to a top executive to steal passwords, Reuters reports.

Conferencing Platforms

While attacks still involve phishing linked to the delivery of malware, a range of other exploitation techniques are being attempted targeting the use of conferencing platforms:

— Attackers are targeting video conference users by impersonating an email notification from the provider, which states that the user has missed a scheduled meeting and asks them to click a link that redirects to a fake Microsoft login page to steal credentials, Abnormal Security reports.

Mobile Malware

Mobile devices are not immune from COVID-19 themed attacks:

— A security researcher has identified privacy issues in India’s coronavirus tracing app Aarogya Setu, allowing individuals to see the health status of other users.

— The hack of 3.5 million credentials of a social media app has opened the compromised users to spear-phishing and targeted extortion. In the case of credential reuse, threat actors may have access to more valuable accounts like banking, Threat Post reports.


— Two vulnerabilities (CVE-2020-9315 and CVE-2020-9314) in Oracle’s iPlanet Web Server that can lead to sensitive data exposure and image injections onto webpages will not receive patches, Threat Post reports.

— Multiple vulnerabilities in Accusoft ImageGear, an image processing software, with one being able to execute remote code on a victim’s machine, Cisco Talos reports.

— Citrix has issued a security update for multiple vulnerabilities in its ShareFile storage system, with successful exploitation leading to unauthorised access to users’ files.

— Threat Post reports Microsoft has released fixes for 111 security vulnerabilities in May’s patch update, with 56 fixes being elevation-of-privilege (EoP) bugs. Patches include:
    - CVE-2020-1056: Critical Microsoft Edge EoP bug, allowing the attacker to access information from one domain and inject it into another. 
    - CVE-2020-1135: Windows Graphics Component EoP bug, allowing the attacker to steal credentials or execute malicious code.
    - CVE-2020-1054, CVE-2020-1143: Two flaws in Win32k exist when the Windows kernel-mode driver fails to handle memory objects, allowing the attacker to run arbitrary code in kernel mode.

Broader Threat Landscape

— 46% of global businesses have encountered at least one cybersecurity ‘scare’ since shifting to remote working and 49% of respondents anticipate suffering a security incident in the next month, Barracuda reports.

— Online child abuse reports in April surpassed 4 million as children spend more time on social and gaming platforms due to COVID-19 lockdowns, with child traffickers evolving their operating models in the pandemic, Forbes reports.

— Browser extensions installed by consumers to scan available time slots for grocery delivery often perform malicious activity such as harvesting personal information and logging keystrokes without the user’s knowledge, Dark Reading reports.

Other Observations

Data breaches

— The hacking group Shiny Hunters have claimed they have broken into Microsoft’s GitHub account, stolen 500GB of data and leaked it on a hacker forum, ThreatPost reports.

— A database containing 21,909,707 user records of India’s largest online education platform, UnAcademy, was being sold online for $2000. The exposed data includes usernames, passwords, email addresses and account status, Cyble researchers report.

— The hacker group Shiny Hunters is flooding the dark web with databases of stolen data, offering 73.2 million user records from 11 companies for sale, Bleeping Computer reports.

Law and order

— The U.S. Federal Trade Commission (FTC) reports that the warning letters sent to perpetrators of COVID-19 related scams have stopped the false claims and sales of unproven coronavirus treatments in nearly all cases.

— The Texas court system was hit with a ransomware attack on the night of May 8, with the network being disabled to limit the further spread, Bleeping Computer reports.


— The Jerusalem Post reports that, with healthcare being the top target for cyberattacks, Israel is launching a ‘Cyber Defense Shield’, in coordination with cybersecurity firm FireEye, to provide real-time protection from attacks.

— The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) have issued a joint alert on hackers actively targeting healthcare and pharmaceutical industries and APT actors probing for COVID-19 intellectual property.

— INTERPOL has launched a global awareness campaign on COVID-19 cyber threats with social media outreach to promote good cyber hygiene.
