'Hack for Hire' Groups Spoof WHO Emails to Steal DataGoogle: Hackers Using COVID-19 Phishing Themes to Target Businesses
"Hack-for-hire" groups operating in India are spoofing World Health Organization emails to steal credentials from employees at financial services, consulting and healthcare firms around the world, according to Google's Threat Analysis Group.
These spear-phishing emails, which use fake alerts about COVID-19 as a lure to get victims to click on malicious links, have been appearing the U.S., U.K., Slovenia, Canada, India, Bahrain and Cyprus, according to Google, which analyzed phishing emails and malicious messages sent during the first quarter of this year.
"The lures themselves encourage individuals to sign up for direct notifications from the WHO to stay informed of COVID-19 related announcements and link to attacker-hosted websites that bear a strong resemblance to the official WHO website," according Google.
The goal of the phishing campaigns is to lure victims to malicious domains that are designed to appear as legitimate login pages for various services. If targeted victims input their information into the login fields, hackers can collect their Google account credentials as well as other personal data, such as telephone numbers, according to Google.
The Google analysis did not provide details on whether these WHO-themed phishing attacks originating in India were ongoing, and whether they proved successful in stealing credentials. Google did not name any of the Indian groups working as hackers for hire or if these groups have ties to a specific government.
The company's researchers noted, however, that Google sent warnings to more than 1,700 user accounts that have been targeted by various government-backed hacking groups over the last month.
Phishing emails and malicious domains spoofing the WHO and other organizations have been a growing concern since the COVID-19 pandemic began (see: WHO Reports 'Dramatic' Increase in Cyberattacks).
The analysis also notes that Google has been tracking about 270 nation-state sponsored hacking groups across 50 countries that are known to target the company's users. Many of these groups are using COVID-19 as a lure for their attacks.
"Generally, 2020 has been dominated by COVID-19. The pandemic has taken center stage in people’s everyday lives, in the international news media, and in the world of government-backed hacking," says Shane Huntley, the head of the Google Threat Analysis Group.
For example, Google notes that it's continued to see a hacking group called Charming Kitten target healthcare organizations around the world. This advanced persistent threat group, which is also known as Phosphorous and APT35, reportedly has ties to the Iranian government (see: Microsoft: Iran-Backed Group Targeted a Presidential Campaign).
Earlier this month, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, issued a warning about state-sponsored hacking groups targeting American research facilities working on COVID-19 testing and vaccines, pointing to China as the main culprit (see: US Says China-Linked Hackers Targeting COVID-19 Researchers).
In the past, individuals have been accused of working as hackers for hire for various nation-states and governments (see: Accused 'Hacker for Hire' for Russia Pleads Not Guilty).
Other Suspicious Activity
In addition to tracking phishing campaigns, the Google analysis notes that the company has been policing its own social media and other platforms to remove suspicious content.
Since March, for example, Google has removed more than a 1,000 YouTube channels that appears to have been working in a coordinated manner, according to the report.
"These channels were mostly uploading spammy, non-political content, but a small subset posted primarily Chinese-language political content," according to the Google analysis.
Managing Editor Scott Ferguson contributed to this report.