
While organised crime volumes remain broadly constant, there has been a shift to Covid-19 themed phishing campaigns and fraudulent websites as organised crime groups seek to monetise the fear, uncertainty and doubt many people feel during the pandemic.

Financial Scams

A wide range of COVID-19 related financial scams are in progress:

— Spear phishing campaign targeting small Indian banks, with emails impersonating the Reserve Bank of India (RBI) and claiming to provide details of new RBI guidelines in a zip file that instead delivers the Adwind RAT, Seqrite reports.

— US Secret Service has warned of a Nigerian crime ring exploiting US state unemployment insurance programs, with attackers filing unemployment claims using stolen personally identifiable information (PII) and Social Security numbers in states such as Washington, North Carolina and Florida, KrebsOnSecurity reports.

— 238% increase in cyberattacks against the financial sector from February to April 2020, amid the COVID-19 surge, VMware Carbon Black reports.

— ATM giant Diebold Nixdorf suffered a ransomware attack (ProLock) that disrupted some of its corporate operations, KrebsOnSecurity reports.

Organised crime groups have been building out attack infrastructure to target corporations:

— IBM X-Force Research has seen a significant number of new malicious COVID-19 related domains appear since February 2020 with exponential growth between February and March 2020, Security Intelligence reports.

— Various European academic supercomputers came under cyberattack with compromised SSH credentials. The supercomputers are research resources for computational biologists and used for modeling the potential spread of COVID-19, Bleeping Computer reports.

Conferencing Platforms

While attacks still involve phishing linked to the delivery of malware, a range of other exploitation techniques are being attempted targeting the use of conferencing platforms:

— Launch of Facebook’s Messenger Rooms, a video calling service rivaling Zoom, supporting up to 50 people in a private room, ZDNet reports.

Phishing and Malware

Extensive COVID-19 themed phishing campaigns are underway with cyber criminals exploiting health organisations, government agencies, individuals, enterprises and their IT infrastructure:

— Two phishing campaigns exploiting concerns about COVID-19, using ARJ archive attachments disguised as PDF files to deliver the LokiBot info-stealer Trojan, Bleeping Computer reports.

— Over the last week, mailboxes protected by Secure Email Gateways (SEGs) still received several coronavirus-themed messages in which attackers posed as public health agencies and banks to harvest users’ credentials, Cofense reports.

— Phishing campaign purporting to come from the US Department of the Treasury, claiming that payment for a fake government contract had not been made, with an attached zip file containing previously undetected malware, QNodeService, which steals credentials and executes files, Bleeping Computer reports.

— Scammers on Twitter are telling individuals they can determine whether their credentials have been exposed online, requesting payment before carrying out any search, PhishLabs reports.

— Magellan Health, a U.S. healthcare insurance company, was hit with a ransomware attack and a data breach, with the attacker gaining access to their system via a phishing email impersonating a Magellan client, Threat Post reports.

— Indian Computer Emergency Response Team (CERT-In) is warning of phishing attacks using the name of the Aarogya Setu contact tracing app as well as video conferencing platforms, Financial Express reports.

Broadcom researchers have observed a shift from attachment-based COVID-19 phishing campaigns to text-based campaigns, which rely on tricking users into revealing personal information through the written content of the message rather than through email attachments.

— FBI has warned that the decryptor for the ProLock ransomware is faulty: files larger than 64 MB may be corrupted during decryption. The ransomware targets American organisations in sectors such as healthcare, finance and retail, Bleeping Computer reports.
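One defensive check that the LokiBot campaign above suggests, written here as an added example (not code from the original article or from any vendor it cites): compare each attachment's declared extension with the type implied by its leading bytes, so an ARJ archive named `.pdf` is flagged before delivery. The attachments below are constructed byte strings, not real samples.

```python
# Added example: flag mail attachments whose extension does not match the
# file's real type (ARJ archive disguised as a PDF, as in the LokiBot lures).

# Magic numbers (leading bytes) for a few common attachment types.
MAGIC = {
    b"\x60\xea": "arj",       # ARJ archive header marker
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",     # also the container for docx/xlsx/pptx
    b"MZ": "exe",             # PE executable
}

# Extensions that legitimately carry another type's magic bytes.
ALIASES = {"docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip"}

def detect_type(data: bytes) -> str:
    """Return the type implied by the first bytes, or 'unknown'."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def declared_type(filename: str) -> str:
    """Use the last extension only, so 'report.pdf.arj' declares 'arj'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ALIASES.get(ext, ext)

def check_attachment(filename: str, data: bytes) -> dict:
    real = detect_type(data)
    declared = declared_type(filename)
    # Alert when a recognised type hides behind a different extension;
    # unknown types are left for other scanners rather than guessed at.
    suspicious = real != "unknown" and real != declared
    return {"filename": filename, "declared": declared,
            "actual": real, "suspicious": suspicious}

# Constructed sample attachments (not real malware).
SAMPLES = {
    "covid19_guidance.pdf": b"\x60\xea" + b"\x00" * 30,  # ARJ in disguise
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",    # genuine PDF
    "contract.zip": b"PK\x03\x04" + b"\x00" * 26,        # honestly named
}

def scan(samples=SAMPLES):
    return [check_attachment(name, data) for name, data in samples.items()]

if __name__ == "__main__":
    for result in scan():
        print(result)
```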

Mobile Malware

Mobile devices are not immune from COVID-19 themed attacks:

— API endpoints are being targeted by malicious actors more than usual since lockdown measures were introduced around the world, with one attack producing 15 million events aimed at a single API endpoint used by the Android app, Cequence Security reports.

— Confidential documents relating to the UK NHS coronavirus tracking app, hosted on Google Drive, could be accessed by anyone with the link. The documents cover privacy protections and further plans for the app, WIRED reports.

— Over 6,400 Edison Mail users were affected by a security bug, introduced in an update to its iOS app, that allowed other users to access their accounts, Security Week reports.

Bitdefender researchers have discovered four versions of a malicious Android app called ‘COVID’ targeting Algerian users and stealing personal data such as contacts and call logs.

Broader threat landscape

— Two UK emergency coronavirus hospital building contractors, Interserve and Bam Construct, were targeted in two separate cyberattacks, BBC reports.

Microsoft Threat Intelligence has made the threat intelligence it has collected on coronavirus-related hacking public, which includes 283 threat indicators.

— COVID-19 related cyberattacks in India soared 86% in the four weeks between March and April, with lures including fake portals for coronavirus funds as well as state-sponsored ransomware and phishing attacks, Forbes reports.

Check Point researchers have identified a way to bypass the patch Microsoft issued for a known RDP remote code execution vulnerability, CVE-2019-0887. The researchers found that the path canonicalisation check introduced by the patch could be bypassed.

— Critical vulnerability in WP Product Review Lite, a WordPress plugin that helps create custom review articles using templates, which can lead to malicious code injection and site takeover, Bleeping Computer reports.

— Post-authentication remote code-execution vulnerability in Symantec Secure Web Gateways being exploited as part of new Mirai and Hoaxcalls botnet attacks, Threat Post reports.

— FBI warning about CVE-2017-7391, a cross-site scripting (XSS) bug that lets an attacker plant malicious code, now being exploited in web-skimming attacks to steal payment card details, ZDNet reports.

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published a list of the ten most exploited vulnerabilities from 2016 to 2019, which includes:

  • CVE-2017-11882: Microsoft Office Memory Corruption Vulnerability, allowing an attacker to run arbitrary code in the context of the current user because Office fails to handle objects in memory properly.
  • CVE-2017-0199: Microsoft Office/WordPad Remote Code Execution Vulnerability with Windows API, allowing remote attackers to execute arbitrary code via a crafted document.
  • CVE-2017-5638: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before has incorrect exception handling and error-message generation, allowing remote attackers to execute arbitrary commands.

Other Observations

Data Breaches

— Data breach at UK budget airline easyJet exposed the email addresses and travel details of 9 million customers, along with 2,208 customers’ credit-card details, ZDNet reports.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning that threat actors are targeting coronavirus-related research, with targets operating in the healthcare, pharmaceutical and research sectors.

— Two intelligence reports, one issued by the US Department of Homeland Security (DHS) and another by the DHS, FBI and National Counterterrorism Center, warn of attacks against 5G networks fuelled by conspiracy theories linking the coronavirus to 5G technology, ABC News reports.

Law and Order

— Law enforcement in Romania arrested a group of individuals planning to attack healthcare institutions in the country; the group had access to file-encrypting malware, RATs and SQL injection tools, Bleeping Computer reports.