Security teams urged to remain vigilant regarding possible threat campaigns tied to COVID-19 developments Image Credit: Seyyed Llata

Dubai: A cybersecurity and compliance major has warned against online attacks that leverage news around the COVID-19 vaccine, such as vaccine sign-ups, government approvals of the vaccine, logistics of vaccine deployment and distribution of the vaccine to frontline responders and other individuals.

Speaking to Gulf News, Emile Abou Saleh, regional director, Middle East & Africa at the cybersecurity company Proofpoint, said, “We anticipate COVID-19-related phishing lures will continue to be used through 2021 and we caution security teams to remain vigilant regarding future possible threat campaigns tied to COVID-19 developments, especially as the UAE ramps up its vaccination campaign.”

Phishing landing page with a red button message for users Image Credit: Supplied

He said, “Threat actors worldwide have consistently tailored their phishing and Business Email Compromise (BEC) campaigns around the pandemic, tying them to the issue of the moment. Now we’re seeing emails capitalising on the vaccine news. In the majority of these cases, threat actors are adept at developing authentic looking messages that are relevant to users and consistent with current events. We expect vaccine signups, distribution centres and hospitals, vaccine brands and any changes to government policies to remain active phishing themes.”

Given the hype around the COVID-19 vaccine, email-borne attacks involving malware, phishing and Business Email Compromise (BEC) have come to the fore, abusing brands such as WHO, DHL and vaccine manufacturers in messages delivered to users globally.

Security is the key amid remote working

According to Saleh, “It’s critical that security teams place people at the centre of their security strategy as remote working continues into 2021. Users truly are the last line of defense against social engineering and it’s important security awareness education provides a foundation to ensure everyone can identify a phishing email and easily report it. We also recommend layered defenses at the network edge, email gateway, in the cloud, and at the endpoint, while implementing email authentication protocols like DMARC and SPF to determine the validity of any emails sent from your domain.”

Below is a gist of the common click-baits:

‘Confirm the email to receive the vaccine’

According to Proofpoint researchers, threat actors began delivering messages on January 1, 2021, over four days, targeting dozens of different industries. The emails urged the potential victims to click a link to “confirm their email to receive the vaccine”. The goal of this phishing campaign was to steal Office 365 login credentials (email and password). The campaign capitalised on the recent vaccine approvals by governments and abused the brands of COVID-19 vaccine manufacturers as the lure.

‘Complete a task for me, before I leave for a COVID-19 vaccine meeting’

On January 11, Proofpoint researchers observed a BEC email campaign in which emails targeted various industries. The specific email only mentioned the COVID-19 vaccine meeting in passing; however, it added urgency—a common BEC technique—to the follow-up request: “Please give me your personal number?”. This attempts to increase the stress by giving the recipient less time to think about their response and allowing the attacker to pivot outside of a protected ecosystem.

‘COVID-19 approved new vaccines’

On January 12, 2020, Proofpoint discovered an email campaign carrying an attachment with an embedded executable file which, if run by the user, dropped and ran the AgentTesla keylogger. The emails in this campaign had the subject “COVID-19 APPROVED NEW VACCINES” and abused the World Health Organisation logo and name.

‘COVID-19 vaccine distribution- re-confirm delivery address’

On January 14, 2021, it was found that some emails urged potential victims to click a link to “go online to submit your correct address so we can deliver your package today”. The goal of this phishing campaign was to steal email login credentials (email address and password). While the email body content was typical for a package delivery service phish, the notable difference was in one of the subject variants. The subject “COVID-19 vaccine distribution- re-confirm your delivery address” implied to the recipient that the specific package is supposedly a COVID-19 vaccine.

‘COVID vaccine anticipation merger and acquisition’

From December 1 to December 15, 2020, Proofpoint observed a large Business Email Compromise (BEC) campaign with thousands of emails spoofing executives and attempting to elicit the recipient’s support in a bogus merger and/or acquisition.

These emails targeted various personnel in roles such as vice-president, general manager and managing director and projected that COVID-19 vaccines would fuel the world’s economic recovery.