More than a dozen state-backed hacking groups are actively targeting U.S. Government employees and healthcare organizations in phishing campaigns that use lures designed to take advantage of the fears surrounding the COVID-19 pandemic.
“TAG has specifically identified over a dozen government-backed attacker groups using COVID-19 themes as lure for phishing and malware attempts—trying to get their targets to click malicious links and download files,” Google Threat Analysis Group’s Director Shane Huntley said in a blog post.
“Our security systems have detected examples ranging from fake solicitations for charities and NGOs, to messages that try to mimic employer communications to employees working from home, to websites posing as official government pages and public health agencies.”
Free fast food for passwords
Out of these ongoing attacks, TAG highlighted a phishing campaign that employed fast food lures to redirect targeted U.S. government employees to landing pages asking for their credentials.
“Some messages offered free meals and coupons in response to COVID-19, others suggested recipients visit sites disguised as online ordering and delivery options,” Huntley explained.
“Once people clicked on the emails, they were presented with phishing pages designed to trick them into providing their Google account credentials.”
These phishing attempts are most likely designed to exploit the fact that most people are now working from home and some of them lack the time needed to prepare their own meals. Evidently, exploiting the targets’ hunger is a good enough trick even for government-sponsored hacking groups.
The domains used in this phishing campaign were blocked by Google’s Safe Browsing, and most of the phishing emails were delivered directly to the targeted people’s spam folders without ever reaching their inboxes.
While TAG has no reason to believe that any of these attacks were successful, Google warned all of the affected users about being the target of government-backed attackers trying to steal their password.
TAG also observed COVID-19-themed phishing attacks attributed to the Iranian hacking group Charming Kitten (aka APT35 or Phosphorus), as well as phishing attacks coordinated by the South American Packrat threat actor using a spoofed World Health Organization login page.
As a direct result of the increased risk of phishing attacks targeting individuals employed by government agencies and health organizations, Google proactively added additional security protections, including “higher thresholds for Google Account sign in and recovery,” to over 50,000 such high-risk accounts.
State-sponsored hackers adapting to trends
“Generally, we’re not seeing an overall rise in phishing attacks by government-backed groups; this is just a change in tactics,” Huntley added. “In fact, we saw a slight decrease in overall volumes in March compared to January and February.”
“While it’s not unusual to see some fluctuations in these numbers, it could be that attackers, just like many other organizations, are experiencing productivity lags and issues due to global lockdowns and quarantine efforts.”
Last week, Google also revealed that Gmail’s built-in malware scanners have blocked around 18 million phishing and malware emails featuring COVID-19-themed lures within a single week.
Gmail Security PM Neil Kumaran said that Gmail successfully blocks more than 100 million phishing emails every day, as well as more than 240 million coronavirus-related spam messages on top of the 18 million pandemic-themed malicious messages.
According to Kumaran, Gmail’s ML models can detect enough of such phishing attacks that the inbuilt malware scanners automatically block over 99.9% of all spam, phishing, and malware sent to Gmail users.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and UK’s National Cyber Security Centre (NCSC) issued a joint alert about ongoing COVID-19 exploitation earlier this month.