Spoofed Website Templates Help Spread COVID-19 Scams: ReportFake Websites Linked to Phishing Attacks Designed to Steal Credentials, Banking Data
Fraudsters are now using numerous spoofed website templates with COVID-19 themes as part of phishing attacks designed to steal login credentials and banking data, according to security firm Proofpoint.
See Also: Beware the Other Virus
Proofpoint discovered several ready-made website templates for sale on darknet forums that spoof legitimate websites from government and nongovernment organizations that are offering financial assistance or healthcare updates during the COVID-19 pandemic.
These templates, which use realistic-looking graphics, are designed to imitate the World Health Organization, the U.S. Centers for Disease Control and Prevention, the Internal Revenue Service, as well as government websites in the U.K., Canada and France, according to Proofpoint. The templates enable fraudsters to quickly create malicious domains to lure victims who have been sent phishing emails, according to the researchers. Of the more than 300 phishing attacks that Proofpoint has examined since January, nearly half were designed to steal either login credentials or banking information.
As more governments around the world offer stimulus payments and financial assistance to citizens and businesses, the lures have shifted, says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.
"The movement by governments in particular to offer financial support has caught the attention of threat actors who have moved not only to target those funds directly but to use them as themes for their phishing attacks," DeGrippo tells Information Security Media Group. "We expect these lures to continue to shift over time to match the latest developments around the virus."
How Templates Work
The spoofed website templates vary in complexity and design. For example, one designed to look like a World Health Organization website disguises a malicious domain that can steal usernames and passwords if entered in a login field, according to the report.
In another example, a template that imitates the official CDC website asks victims to authenticate their identity with their email password in order to "generate Vaccine ID," according to the report.
A template spoofing the IRS website, which contains multiple pages, displays a fake offer of financial aid as part of a COVID-19 relief program, according to Proofpoint. The site urges victims to click "continue," which then takes them to a form asking for sensitive personal information, including Social Security numbers, full names, dates of birth and postal codes.
A fake template of a Canadian government website has subtle differences from the legitimate site, the report notes.
"The malicious template correctly copies the name of Canada's revenue ministry in English and French, Canada Revenue Agency and Agence du revenu du Canada respectively. However, the layout, colors, and branding of the malicious template do not match that of the legitimate Canadian government website," Proofpoint researchers note.
Similar templates were found spoofing U.K. government websites.
The fake landing pages attached to pandemic-themed phishing campaigns were heavily deployed in March as countries around the world went into lockdown to stop the spread of the virus, Proofpoint notes. The use of these landing pages began to drop off in April, which could reflect a saturation point with fraudsters looking for new lures.
At the onset of the COVID-19 pandemic, phishing campaigns used lures that appeared to offer information on the virus. These were follow by phishing emails and malicious domains touting information on travel restrictions, potential cures and then work-from-home updates, DeGrippo says.
"We have seen campaigns themed around the shift to remote work over the past few weeks," he adds.
Earlier this month, Microsoft uncovered COVID-19 themed phishing campaigns with a fresh twist - hackers sending fake messages about business continuity plans and new payment procedures to spread the LokiBot information stealer (see: Fresh Twist for Pandemic-Related Phishing Campaigns).