In late May, CNN reported that more than 40 million Americans claimed unemployment benefits for the first time since the coronavirus pandemic put the US economy on hold in March. In fact, one in four Americans applied for unemployment benefits during the pandemic. It is the highest unemployment rate the country has experienced in its history, even exceeding figures from the Great Depression in the 1930s.
We previously reported that due to high unemployment rates, people were becoming vulnerable to scams and phishing attacks involving financial assistance. We found that in May, 250 new domains containing the word “employment” were registered. 7% of these domains were considered malicious, and 9% were suspicious.
Under cover of CVs and sick leave forms
We’ve seen an increase in CV-based campaigns in the United States, and their proportion, compared to all of the malware identified, has doubled in the past two months. One in 450 malicious files is a CV-themed scam.
We recently discovered a malicious campaign using Zloader malware to steal victim IDs and other private information. The Zloader banking Trojan is a variant of the infamous Zeus malware, which is targeted specifically at customers of financial institutions.
Malicious .xls files with file names indicating that they are personal CVs have been sent by email with subjects such as “applying for a position” or “about a job”. When opening the attached file, a message invites victims to “activate the content” (see image above). When they do, a malicious macro downloads the final malware. Once a device is infected, hackers can use the malware to perform financial transactions on the device.
In the UK and Romania, some companies have received an email like this:
The emails had the subject “CV of China” and contained an ISO file (CV.iso) that installed a malicious EXE file (CV.exe), which in turn launched malicious software to steal information from the user’s computer.
Campaigns that use CVs as an attack vector are not the only ones. We also discovered a campaign using sick leave forms to install the IcedID malware, a banking Trojan that steals user financial data.
Malicious documents with names such as “COVID-19 FLMA CENTER.doc” were emailed with subjects such as “Here is a new leave request form under the Family and Medical Leave Act (FMLA)”. The emails were sent from different domains such as “medical-center.space” to trick victims into opening malicious attachments.
A similar campaign installed Trickbot, a popular and constantly updated banking Trojan with new features and delivery vectors, which allows it to be flexible and customizable enough to run as part of a multi-purpose campaign. In this campaign, which also deals with FMLA legislation, emails are sent from domains such as “covid-agency.space”.
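The lure traits described in this section (job- or leave-themed subjects, themed sender domains, and .xls/.doc/.iso/.exe attachments) can be combined into a simple mail-gateway triage rule. The following is an added example, not Check Point code; the function names, keyword lists and example.com addresses are assumptions chosen for illustration, and the sample messages are constructed.

```python
import os
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Themes and attachment types taken from the campaigns described above.
LURE_SUBJECT = re.compile(r"\b(cv|resume|job|position|leave|fmla)\b", re.I)
DOMAIN_THEME = re.compile(r"covid|corona|medical|agency|employment", re.I)
RISKY_EXT = {".xls", ".doc", ".iso", ".exe"}  # macro-capable, disk image, executable


def triage(raw):
    """Return the lure indicators found in one raw email message."""
    msg = message_from_string(raw)
    hits = []
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        hits.append("lure-subject")
    # Keep only the domain part of the From address.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if DOMAIN_THEME.search(domain):
        hits.append("themed-sender-domain")
    for part in msg.walk():
        # The last extension decides, so "cv.pdf.exe" counts as ".exe".
        ext = os.path.splitext((part.get_filename() or "").lower())[1]
        if ext in RISKY_EXT:
            hits.append("risky-attachment:" + ext)
    return hits


def should_quarantine(raw):
    """Hold the message only when a themed lure carries a risky attachment."""
    hits = triage(raw)
    themed = "lure-subject" in hits or "themed-sender-domain" in hits
    return themed and any(h.startswith("risky-attachment:") for h in hits)


def build_sample(sender, subject, filename=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content("see attached")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()
```

Requiring both a theme and a risky attachment keeps ordinary job correspondence and routine spreadsheets out of quarantine; the keyword lists need tuning against real mail flow before use.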
Malware attacks escalate as businesses resume operations
We previously reported that while the number of coronavirus attacks increased, the total number of cyber attacks decreased overall. In March, when the pandemic was at its peak, we saw a 30% decrease in malware attacks compared to January 2020. Indeed, many countries were quarantined and most companies and other organizations were closed as a result, which significantly reduced the number of potential targets for cybercriminals.
Now that the pandemic seems to be receding thanks to quarantine measures, lockdowns are being lifted and businesses are operating again. But guess what? Cybercriminals are also escalating their malicious activity. In May, we saw a 16% increase in cyberattacks compared with the March-to-April period, when the coronavirus epidemic was at its peak. This is largely due to the increase in malware attacks.
Coronavirus attacks continue
In May, we saw an average of more than 158,000 coronavirus attacks each week. Compared to April, this is a decrease of 7%.
New registered domains related to coronavirus:
In the past four weeks, almost 10,704 new coronavirus-related domains have been registered. 2.5% of these domains are malicious (256) and 16% are suspicious (1,744).
The graph represents all the data detected by Check Point’s threat prevention technologies on networks, workstations and mobile devices, stored and analyzed in ThreatCloud, the most powerful threat intelligence database in the world.
How to protect yourself
To stay protected from these opportunistic attacks, follow these golden rules:
1. Be wary of look-alike domain names, misspellings in emails and websites, and unknown email senders.
2. Beware of files received by email from unknown senders, especially if they prompt you to take some action that you would not usually do.
3. Verify that you are shopping from an authentic source. DO NOT click directly on promotion links in emails. Instead, find the desired retailer on Google, and click the link on the Google results page.
4. Beware of “special” offers. “An exclusive remedy for the coronavirus for 150 euros” is generally not a reliable or trustworthy purchase opportunity. Currently, there is no cure for the coronavirus and even if there was one, it would certainly not be available to you by email.
5. Be careful not to reuse the same passwords between different apps and different accounts.
Businesses should combat zero-day attacks with a complete end-to-end cyber architecture, capable of blocking phishing sites and providing real-time alerts on password reuse. Check Point Infinity is effective because it combines two essential ingredients: total convergence on all attack surfaces and all attack vectors, and advanced prevention capable of combating the more sophisticated phishing and account takeover attacks.