Scammers Are Taking Advantage of Coronavirus Concerns

To take advantage of the current coronavirus panic, hackers have launched a new phishing campaign that targets global companies with emails indicating that the virus could disrupt shipping operations. Researchers who study email security discovered a series of phishing attempts aimed at industries, such as manufacturing, transportation, and finance, that are particularly vulnerable to a disruption in trade because of the coronavirus. These messages usually have subject lines like “Coronavirus – Brief note for the shipping industry”.

The content of these malicious emails leads recipients to download a Microsoft Word document promising more information. The hackers may be from Russia and Eastern Europe. They attached to these emails malicious Microsoft Word documents that can exploit CVE-2017-11882 and activate the information stealer AZORult. CVE-2017-11882 is a remote code execution flaw in Microsoft Equation Editor.

The coronavirus is a respiratory illness that had taken more than 900 lives as reported by February 9th. In addition, approximately 40,000 people are infected. Widespread concerns about catching the illness have upended the economic situation throughout Asia. According to health officials, the coronavirus is similar to the SARS and MERS viruses that provoked global responses in 2003 and 2012. For cybercriminals, this strategy is nothing new. From natural disasters to sudden geopolitical events, every popular topic can be abused by these scammers.

Here is an example of the pretext cybercriminals use when attacking victims with phishing emails: the attackers disguise their spam as an official alert issued by the Centers for Disease Control Health Alert Network. They then inform the victim that the CDC has established an incident management system to coordinate domestic and foreign public health countermeasures. Next, the attackers convince the victim to receive an updated list of newly infected cases around their city. As a result, the attackers collect and steal user credentials through a phishing page.

