Government-backed hackers are using COVID-19 as bait

Google has published the latest findings from its Threat Analysis Group (TAG), a specialized team of security experts that works to identify, report, and stop government-backed phishing and hacking. In the face of an unprecedented situation like Coronavirus (COVID-19), hackers and cyber criminals are targeting victims with fear and using emotional pleas for coronavirus help. A crisis like COVID-19 is seen as an opportunity by hackers around the world.

Phishing attacks and scams are creating urgency by using COVID-related themes to get people to respond. Google’s TAG has detected many examples ranging from websites posing as official government pages and public health agencies, to messages that try to mimic employer communications to employees working from home, to fake solicitations for charities and NGOs. Google has detected more than 240 million spam messages per day related to COVID-19 and 18 million COVID-related daily malware and phishing Gmail messages.

“In 1776, George Washington launched a surprise attack on a group of Hessian mercenaries on Christmas night. It helped turn the tide of the revolutionary war for the US, because the attack happened while the enemy was weak and distracted. As we hunker down and try to fight Coronavirus, we should expect cyberattacks to continue, and to be seen as more and more opportunistic. Those who wish to launch cyberattacks will not show mercy because of the situations that we are in, but rather this will be seen as an opportunity.”

Thomas Hatch, CTO and Co-Founder at SaltStack

How government-backed attackers are using COVID-19

TAG has identified over 12 different government-backed attacker groups. These groups are also trying to get their targets to click malicious links and download files using COVID-19 themes as bait. See the world map below that shows the location of users targeted by government-backed COVID-19 related attacks.

Google has found multiple COVID-19 themes used for phishing and malware attempts. Accounts of U.S. government employees were targeted with COVID-19 messaging for American fast food franchises. The messages offered free meals and coupons in response to COVID-19, and some contained links to websites disguised as online ordering and delivery options. Once people clicked on the emails, they were presented with phishing pages designed to trick them into providing their account credentials. Some attackers have also tried to trick people into downloading COVID-19 related reports that contain malware by impersonating health organizations like the WHO. TAG has found cyberwarfare groups such as Charming Kitten and a South American group known externally as Packrat, linked to emails that lead WHO workers to a fake World Health Organization login page.


Examples of different types of malware attacks including COVID-19 themes

  • Coronavirus tracking app that is ransomware: This app claims to provide Android users with coronavirus tracking. Users are invited to download the app and get alerts when someone near them is diagnosed with the virus, even someone on “your street.” Sounds very tempting, doesn’t it? Once you download the app and grant various permissions, a ransom note pops up on the screen: “YOUR PHONE IS ENCRYPTED: YOU HAVE 48 HOURS TO PAY 100$ in BITCOIN OR EVERYTHING WILL BE ERASED.”
  • COVID-19 map infected with malware: Some hackers are trying to capitalize on the COVID-19 pandemic by offering a map that looks very similar to Johns Hopkins University’s interactive coronavirus (COVID-19) map. The only difference is that the map has been modified to include Java-based malware.
  • Phishing email targeting hospital staff with “corona virus awareness”: This one involves an email sent to medical professionals that contains a link to join a “mandatory” seminar on the coronavirus.

Google has been sending warning messages to users who might have received such phishing or malware messages. Google says that, as we continue to deal with the COVID-19 crisis, there will be more and more hacking schemes and lures. It is important that its teams continue to track these and stop them before they reach people, and Google says it will continue to share new and interesting findings.


Source: Google, Secureworldexpo