A trio of phishing reports is shedding light on the eclectic arsenal of techniques that cybercriminals have at their disposal, including using current events such as vaccine news to craft timely and urgent lures, as well as exploiting legitimate services and platforms, like Verizon’s multimedia messaging service and the UPS.com website.
Scammers pose as HR department seeking vaccine documents
Inky this week observed a spate of phishing activity this summer in which cyber criminals were pretending to be the HR department, asking email recipients to submit a COVID-19 vaccination form.
The pandemic has been a rich source of email lures from the beginning, especially because victims are more likely to click on a link or provide personal information when confronted with an urgent issue that sparks fear and uncertainty. The recent push by various government bodies to encourage vaccinations and the mandating of vaccinations by corporate employers such as Google, Disney and Walmart are just the latest developments in the coronavirus saga that bad actors are seizing upon.
“I call it surfing the news cycle,” said Roger Kay, vice president of security strategy at Inky. “First it was: ‘COVID – is it dangerous or not?’ And then there was: ‘Vaccines – are they dangerous or not?’ It was policies for work at home, policies for returning to the office. So every, every turn of the screw, they have a new lure that they can put together. And that’s part of how they camouflage the lures.”
Kay expects future phishing campaigns will continue the trend, exploiting other developments like the Lambda variant, booster shots, and back-to-school policies. “Since COVID, there’s been this deep-seated anxiety in the entire society that’s causing everyone disruption and so I think a lot of people are looking to do anything to assuage that anxiety. Like: ‘I need to fix this. Is there some concrete thing I can do to make my life less uncertain?’ And so, the answer is ‘Click this blue big blue button – it'll make you feel safe.’”
According to Inky, the perpetrators sent phishing emails from hijacked, legitimate external email accounts. That way, the emails would pass standard email authentication protections such as SPF, DKIM and DMARC.
One sample fake HR email from this latest campaign stated, “We are learning of new and strict requirements from the County with regards to tracking Covid vaccinations. All employees are required to complete the Covid Vaccinations form and return it to HR as soon as possible.” The email also imposes a same-day deadline and floats the possibility of serious fines – a tactic designed to make you click the link before thinking it through.
But that link actually takes you to a website designed to look like a Microsoft Outlook web app login page so the cybercriminals can steal your username and password. A second form then asks for additional personal information.
In what Kay called a final “coup de grace,” the attackers then redirect victims to a COVID-19 vaccine form found on the government website for California’s Santa Clara County. It’s a final attempt to feign authenticity so that the victim “doesn't feel cognitive dissonance until later,” and the scammer “has more time, essentially, to escape out the side door without being discovered.”
“It’s frankly not necessary in this case – they already got your credentials – but it is kind of like putting the victim back to sleep,” he said.
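The following is an added example, not code from Inky or the original article. Because mail sent from a hijacked legitimate account passes SPF, DKIM and DMARC, the triage function below records the authentication verdicts but bases its findings on the content signals the campaign showed: an external sender claiming to be HR, deadline or fine pressure, and a link to an unrelated host. The organisation domain, the keyword lists, the sample message and every domain in it are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the recipient organisation's own domain
ROLE = re.compile(r"\b(hr|human resources)\b", re.I)
PRESSURE = re.compile(r"\b(as soon as possible|immediately|today|fines?|deadline)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results header(s)."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {k.lower(): v.lower() for k, v in pairs}

def triage(raw):
    """Return (auth verdicts, content findings) for a single-part text message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = f"{display} {msg.get('Subject', '')} {body}"
    findings = []
    if not in_domain(sender, ORG_DOMAIN) and ROLE.search(text):
        findings.append("external sender claims internal HR role")
    if PRESSURE.search(text):
        findings.append("deadline or penalty pressure")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL.findall(body)}
    if any(h and not in_domain(h, ORG_DOMAIN) and not in_domain(h, sender) for h in hosts):
        findings.append("link host unrelated to sender or organisation")
    return auth_results(msg), findings

# Constructed sample modelled on the lure quoted above; all domains are placeholders.
SAMPLE = """\
From: "HR Department" <j.doe@supplier.example>
To: staff@example.com
Subject: Covid Vaccinations form
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier.example;
 dkim=pass header.d=supplier.example; dmarc=pass header.from=supplier.example

All employees are required to complete the Covid Vaccinations form and return
it to HR as soon as possible. Late submissions may result in fines.
http://owa-login.login-portal.example/form
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, all three authentication checks report `pass` while all three content findings fire, which is why a passing DMARC result should be treated as proof of sending domain only, not of sender intent.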