Fraudsters are using phishing campaigns to lure Americans to fake websites and entice them to hand over their banking credentials in return for a pandemic relief payment.
Proofpoint said it has tracked more than 300 such campaigns that feature spoofed or templated websites mimicking those of trusted sites such as the Centers for Disease Control and Prevention, Federal Emergency Management Agency, IRS and the White House, as well as those of the World Health Organization and French and U.K. governments.
One example sent by researchers shows a website template for coronavirus financial help that promises to sign users up for their stimulus checks "with 1 click" and contains a drop-down menu to enter credentials for their chosen bank. Bizarrely, the site contains mimicked logos for the White House, the CDC and FEMA (though not the IRS, the agency charged with disbursing the checks), all on the same page.
The templates and emails number in the hundreds of thousands and were collected through internal research and Proofpoint's email security software. Proofpoint's Director of Threat Research and Detection Sherrod DeGrippo said the templates make up a number of common phish kits that can allow scammers with little technical knowledge to carry out their operations at scale.
A common theme for almost all the campaigns was tapping into interest in the COVID-19 pandemic, and the actors adopted a general "spray and pray" strategy for victims, with little apparent focus on specific individuals or industries, according to DeGrippo. "They loaded up the spam cannons, shot them out there and hoped for the best," she said.
According to DeGrippo, though, observed credential phish activity has not increased significantly during the pandemic, indicating that existing actors are shifting their tactics rather than that the overall threat ecosystem is growing.
"Volumes of credential phish specifically haven't moved [over the past few months] in ways where we thought, 'Oh my gosh there's this huge volume increase,'" she said. "What we are seeing is that a threat actor might normally send a credential phish for banking details [and] the shift now is they're going to wrap that attempt … in a premise around COVID-19."
A longer version of this article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.