Threat Actors Using Omicron COVID-19 Phishing Lures

Threat Actors Using Omicron COVID-19 Phishing Lures

Over the last few weeks, threat actors have been launching phishing scams which leverage people’s fears and anxieties over the Omicron COVID-19 variant. The scams either inject the Dridex banking malware into a victim’s computer or other malware that collects passwords, credentials, and personal or financial data. Informing all employees about the threat is the only way to keep systems free from infection.

What happened?

The CYREBRO threat intelligence team has detected multiple threat clusters, all tied to the highly contagious Omicron variant of COVID-19. The scams are delivered through phishing emails with infected links or attachments. Some scams collect sensitive information like credit card or bank accounts, passwords, or other credentials, while others deliver Dridex malware, a banking trojan which is a form of malware that specializes in stealing bank credentials. Reports show that business emails, private emails, and university student emails are all being targeted.

How is it happening?

In one version of the scam, threat actors send a phishing email with the subject line “COVID-19 testing results.” The email informs the recipient that they have been exposed to an infected coworker. It instructs the victim to open an attached file and enter a given password to know more about their risk. Victims are then shown a blurry document and prompted to click “Enable Content’ which enables the macros, infecting the system. The malware contains a keylogger, providing threat actors access to any password or information the user enters on any site. To make this scam more painful to victims, hackers top it off with a sick joke, showing the victim a phone number for a COVID funeral helpline to imply they will die.

In another version of the scam, hackers impersonating a national health organization offer victims a free Omicron PCR test. When victims click the button or link, they are redirected to a fake website and prompted to enter their personal information, including birthdate, address, email address, and phone number. They are asked to pay a nominal fee (£1.24 or $1.65) to cover shipping, but that is a disguise to capture the victim’s payment details which can then be exploited.

Another COVID-related campaign is far more dangerous for businesses as the hacker’s objective is to steal multi-factor authentication (MFA) credentials by spoofing popular MFA applications. With MFA tokens at their fingertips, threat actors can bypass security, posing severe damage to business environments.

A smaller scam is targeting university students using TTPs and multiple delivery methods. Hackers collect university email login information and use those compromised accounts to appear legitimate when sending more threats to other universities.

What are the effects?

If Dridex malware enters a system through malicious code, it can steal sensitive bank account information or banking credentials, giving the hackers financial access. At a bank, the malware can also target the institution’s customers. At an office, the keylogger can collect every personal and system password, giving hackers the ability to compromise every aspect of the company, from its financial accounts to its databases or any other sensitive information.

Victims who have had their banking or credit card info stolen can be financially impacted and may not realize their account was compromised. With all the victim’s personal details, hackers can open new accounts under their names, ruin their credit and steal their identity, all of which can take months to repair and is nearly impossible to prosecute.

What is being done about it?

Government agencies and cybersecurity companies are doing their best to warn businesses, universities, and private citizens about all of the Omicron scams. Unfortunately, not much more can be done beyond making people aware. As of now, there are so many hackers using versions of the scam, it’s impossible to contain it or to track down all of the threat actor groups.

What measures are being taken to prevent this in the future?

Phishing scams have been lucrative for threat actors for years now. There is no sign that they will ever stop as long as the scam continues to be profitable, either in terms of money or business data.

Currently, governments and security companies are attempting to inform the general public in any way they can, through news channels, blogs, and governmental sites.

Other than informing people as to how to avoid these specific scams, not much can be done to combat the Omicron phishing attempts.

As these types of attacks become more prevalent, employee awareness and cybersecurity training become a growing focus for companies to remain protected.

CYREBRO Threat Intelligence Team Recommendations

Having your guard up 24/7 and suspecting every message you get is both unnecessary and unreasonable. Finding the right balance is key.

As stated by CYREBROs Threat Intelligence Team Leader, Yael Spindel: 

For starters, what you can do is be sensitive to certain messages, like those concerning any global or national news, like COVID-related subjects, where you receive a link, even to familiar-looking sites, or messages that request you fill in personal information.

Avoid providing financial information or credit card details when you are not the one who initiated the need to provide them. If you think the sender is legitimate, simply contact them through another channel or platform to verify the request”.

Most importantly, employees need to be constantly trained to identify the components of suspicious emails, including looking closely at the sender’s email address, URL link, attached files, and even elements as simple as company logos. Every business should have a straightforward and well-known procedure for reporting a potential scam to security teams.

Sign Up for Updates