A Closer Look at a COVID-19 Phish

Fresh Catch

As cybercriminals continue to exploit the COVID-19 pandemic, we’ve been keeping watch for any particularly interesting phish that get caught in our nets. This week, we caught some.

This phish arrived Tuesday morning around 1044 local time for the client. It did a fine job of pretending to be a health alert from, apparently, a few different organizations, including:

  • Department of Health (they didn’t specify which one)
  • National Contact Center
  • National Center for Health Marketing
  • Division of eHealth Marketing
  • Centers for Disease Control and Prevention

Additionally, this message had a nice link in it that appeared to lead to cdc.gov.

The Analysis

However, a closer look at the source of this very simple yet alarming phish reveals that something just isn’t quite right:

The text claiming to be the link to cdc.gov is actually a hyperlink leading to a page that redirects to an Outlook Web Access (OWA) themed phishing page.

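A closer look at the coding in the email shows that a simple “a href=” is all it took for this message to weaponize the appearance of the CDC’s website: the visible text reads as a cdc.gov address, while the href attribute points somewhere else.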

Once the user hit that link, they would be redirected to a phishing page hosted at rc-hobbies[.]co[.]uk. This site had an especially interesting directory: /cdcgov/.

The OWA-themed landing page was nothing special, but given the severity of events at the moment, effective nonetheless.

Diamond Model: A Visualization of Findings

Further investigation of the attacker’s infrastructure found a number of email addresses indicating that individuals associated with various financial and investment firms had been targeted by this campaign. Further digging also found that a number of state, local, and federal .gov email addresses had been targeted as well. The vast majority of these consisted of current and former staff with fiduciary responsibility. This diamond model helps us visualize the infrastructure, tactics, and targeting of this campaign from a broader standpoint.

Conclusion

This campaign, on top of our experience in some recent Business Email Compromise cases, tells us that financially motivated attackers are willing to play dirty and use the Coronavirus to target your finance personnel.

The old advice of “just don’t open attachments” doesn’t work anymore when attackers are using clever phishing pages from trusted sources with high-urgency themes.

PacketWatch has experience and capability providing security, investigations, and incident response and can help protect your organization from threats like these that abound, especially in our current environment.