Days after President Donald Trump tested positive for COVID-19, scammers began using the president's illness as a lure in phishing emails, according to security firms Proofpoint and KnowBe4.
Employees of several hundred organizations in the U.S. and Canada have already been targeted by the phishing campaigns, in what researchers see as an example of how scammers can quickly pivot to take advantage of the news.
Eric Howes, senior lab researcher at KnowBe4, tells Information Security Media Group that scammers have little trouble switching the subject of their phishing campaigns.
“The day after we discovered this e-mail crusade based on Trump’s diagnosis, consumers reported on a very similar crusade, of the same bad actors, which strictly referred to the issue of COVID. In addition, it is not unusual for malicious computers to cross multiple. or types of email simultaneously,” Howes says.
After Trump tested positive for COVID-19, cybersecurity researchers warned that scammers and cybercriminals would likely be quick to benefit from the situation (see: Would the result of Trump’s COVID-19 control foreshadow cyber chaos?).
The phishing campaign discovered by Proofpoint was designed to spread malware, but KnowBe4 notes that its researchers were unable to determine exactly what the scammers hoped to achieve with the phishing campaign it discovered.
According to the report, Proofpoint discovered that scammers tried to use phishing to compromise devices with malware that acts as a backdoor to launch other types of attacks.
“This crusade attempted to spread unknown malware through BazaLoader, a first-stage downloader that was first observed this year,” Sherrod DeGrippo, senior director of risk studies at Proofpoint, told ISMG. “Proofpoint studies have already observed that BazaLoader was distributed in high-volume email crusades through a risky actor primarily known for distributing TrickBot.”
BazaLoader is a backdoor that allows an attacker to persist and run additional malicious modules, according to security researchers.
Proofpoint notes that the current social engineering campaign targets organizations in the United States and Canada. The emails include links to landing pages hosted on Google Docs.
“Pages involve links to download an Excel sheet, whose macros, if activated, will download BazaLoader,” Proofpoint reports.
The phishing messages discovered by KnowBe4 do not link to a site that delivers malicious content, probably because of an error by the scammers, according to the security company.
“Email gives potential [goals] an embedded link to a record in Google Docs and suggests that unintentional users will get a password record of some kind,” according to KnowBe4. “Registration in Google Docs, however, only provides a redirect to another record hosted on download2112. com, a domain created the same day we detected this phishing crusade (10/6/2020)”.
While the file redirects to a Russian bitcoin site, KnowBe4 researchers do not know whether that is the intended destination.
“Maybe there’s a password-protected record at some point that was later deleted,” says the KnowBe4 report.
The phishing emails were sent from a compromised email account and used subject lines designed to pique interest in an update on President Trump, according to the report.
Some of the subject lines used in the phishing emails include: