COVID-19 Cyber Threats

The State of North Dakota encourages using caution when researching COVID-19 information online. Malicious actors are trying to take advantage of COVID-19 for monetary gain and/or to intentionally mislead the public.

This webpage is specifically focused on spreading awareness of phishing emails and malicious threats.

COVID-19 Phishing Threats

The following COVID-19 phishing threats are circulating widely.

WHO Phishing

Threat Statement/Description

Criminals are disguising themselves as World Health Organization members and tricking people via text, email and phone calls to click a malicious link, open a malicious file and/or share usernames and passwords.

Action/Guidance

  1. Do not click links or open attachments from an unsolicited WHO email
COVID-19 - CovidLock

Threat Statement/Description

 

CovidLock is a malicious Android application that claims to provide access to a map with real-time virus-tracking and information, including heatmap visuals and statistics. In fact, a researcher from DomainTools said, the app is laced with ransomware.

Action/Guidance

  1. Do not download, install or run the CovidLock Android app
  2. Do not click any links received via e-mail and/or text messages about CovidLock Android App, or any COVID-19 Android mobile application
  3. We recommend using legitimate and validated websites and sources (e.g., CDC, North Dakota Department of Health) to follow and track up to date news and information around COVID-19
Employer, or University COVID-19 Phishing Attacks

Threat Statement/Description

There is an increase in various phishing attacks aiming to take advantage of employees and school students (K-12 and University). Emails purport to come from employers and target people who are working from home. In reality, both scams provide links to fake OneDrive or Office365 login screens that capture user credentials.

Action/Guidance

  1. Do not click links and/or attachments about OneDrive or Office365 that do not originate from NDIT
  2. Verify e-mails appearing to come from your employer, K-12 school and/or university before clicking any links and/or opening any attachments
  3. Remember these e-mails will look very convincing and will typically attempt to "scare" you with a deadline or consequences if you don't act now
You're Infected With COVID-19

Threat Statement/Description

Citizens may start receiving phishing e-mails attempting to tell them they have tested positive for COVID-19. The e-mails then ask the victim to provide a credit card number for a prescription. Confirmation on the sources of these e-mails is unavailable at this time; however, phishing e-mails like this may appear to come from health care providers, testing centers and/or the federal/state government.

Action/Guidance

  1. Be suspicious of any e-mail you receive from any organization, state or federal government telling you that you've tested positive for COVID-19
  2. Validate via a phone call with the facility or entity where you received COVID-19 testing that they sent you the e-mail
  3. Do not provide sensitive information (e.g., credit card information, social security information, date of birth, health information) via e-mail to any organization, state and/or federal government entity
  4. Be cautious with opening attachments and/or clicking links contained in an e-mail from any source informing you that you've tested positive for COVID-19
U.S. Department of Health and Human Services and/or Center for Disease Control

Threat Statement/Description

A phishing campaign targeting state and local governments, healthcare, biotechnology, and financial services entities used a COVID-19 lure to trick users into opening a zip archive that launches a malicious bot to deliver malware or ransomware, or to gain access to sensitive data. Other entities that have been identified as targets include energy, manufacturing, and real estate.

Action/Guidance

  1. Be suspicious of unsolicited e-mails from federal government agencies. Rarely will the CDC, the Department of Health and Human Services, or any other government entity send you an unsolicited e-mail with attachments for you to open and review.
  2. Do not click on links or attachments contained in any unsolicited e-mails
You’ve Been Exposed to Coronavirus

Threat Description:

Security Affairs - https://securityaffairs.co/wordpress/100728/cyber-crime/coronavirus-phishing-attack.html?web_view=true - has reported that a new phishing campaign has been identified and is preying upon the public's fears over contracting the virus. The “new phishing campaign uses messages that pretend to be from a local hospital informing the victims they have been exposed to the virus and that they need urgently to be tested.”

Action/Guidance:

  1. Be cautious opening attachments and/or clicking links within unsolicited e-mails you receive about COVID-19
  2. Call and verify COVID-19 emails appearing to come from your local hospital or health care provider
New WHO Phishing Threat

Threat Description:

According to researchers - https://searchsecurity.techtarget.com/news/252480848/Coronavirus-phishing-lures-continue-to-dominate-threat-landscape?&web_view=true - in a new campaign identified by IBM X-Force researchers, an email claims to be from WHO's Director-General Dr. Tedros Adhanom Ghebreyesus. The emails claim to share an update on the status of outbreak prevention as well as a potential cure, and they install an Agent Tesla malware variant through attached documents. IBM X-Force said it expects the attack to be "highly successful" under current circumstances.

 Action/Guidance:

  1. Exercise caution when opening attachments and/or clicking links in unsolicited e-mails from the World Health Organization (WHO)
  2. As of today there is no officially recognized or known cure for COVID-19 (Coronavirus)
“COVID-19 Payment” Emails Deliver Banking Trojan

Threat Description:

According to a recent article - https://www.securityweek.com/corporate-workers-warned-covid-19-payment-emails-delivering-banking-trojan?&web_view=true - a number of “corporate users” are being targeted with e-mails labeled as “COVID-19 Payment” appearing to come from the federal government. This attack preys upon users who may be expecting government stimulus checks.

Action/Guidance:

  1. Be cautious clicking links and/or opening attachments in unsolicited e-mails from your state, local and/or federal government
  2. When possible attempt to validate the e-mail via phone call to the government agency that you received the e-mail from
Upgraded Malicious Word and Excel Documents Targeting Work From Home Employees

Threat Description:

As reported by SC Magazine - https://www.scmagazine.com/home/email-security/upgraded-malicious-word-excel-attachments-targeting-wfh-employees/?web_view=true  “Combining LimeRAT with VelvetSweatshop is a particularly unwelcome and powerful technique as it enables the malicious document to appear legitimate to the receiving system by using encryption.  The ransomware being used against healthcare facilities and critical business operations uses a socially engineered phishing attack that presents itself as a COVID-19 situation report. The document, in fact, carries a new variant of SNSLocker and upon being opened immediately begins encrypting files and demanding a .35 bitcoin ransom payment.”

Action/Guidance:

  1. Exercise caution when opening any kind of attachments contained in unsolicited e-mails containing COVID-19 situational updates, reports, notification of diagnosis, cures, etc.
  2. Ensure your anti-virus solution is enabled and up to date (be aware anti-virus solutions may not detect and/or prevent all malware and other types of cyber threats)

COVID-19 Malicious Information Threats

The following COVID-19 malicious information threats have been reported as being active:

Social Isolation Increases Risks of Being Scammed

Threat Statement/Description

"Social isolation is a key risk factor for susceptibility to scams, as is financial vulnerability," said Melissa Lanning, executive director of the BBB Institute for Marketplace Trust, BBB's foundation that conducted the research. As bricks-and-mortar businesses close or curtail services and the financial markets experience a high level of volatility, many consumers are left to wonder if they will have a job or an immediate way to provide for their loved ones. As people turn to the internet seeking new or temporary employment, they are also at increased risk of employment scams. Employment scams are deemed the riskiest scams of 2019, making up 9.3 percent of all scams reported, with a median dollar loss of $1,500 per incident. Employment scams can take place on job search websites, via e-mail, via text and/or via unsolicited phone calls.

Action/Guidance

  1. Users should exercise caution if a firm or person requires you to pay a fee to be placed into a job
  2. Users should not provide a firm or person with bank account information or credit card information to be placed into a job
  3. Persons and/or firms cannot promise or offer you federal government jobs; all federal jobs and positions are publicly posted on usajobs.gov
  4. Exercise caution when responding to unsolicited e-mails, texts and/or phone calls from persons or job placement firms; do your research on the person, firm and/or job posting
COVID-19 Robo and Telemarketer Calls Targeting Elderly People

Threat Statement/Description

Scammers and fraudsters are calling and texting elderly people in communities across the U.S. The Washington Post reports robo calls to elderly people who may be diabetic, promising, "We can qualify you to get a free diabetic monitor and a complimentary testing kit for Coronavirus." Another set of calls appears to impersonate the company 3M, which makes masks that can help prevent the spread of coronavirus. Other calls prey on Americans at a time when obtaining tests across the country has been difficult and start out, "Thank you for calling coronavirus hotline." A male speaker then asks, "Will the free at-home test be just for you or for you and your spouse?" Calls such as this are used as a means to defraud senior citizens and could place you in danger.

Actions/Guidance

  1. If you receive an unsolicited call informing you that you've been selected for COVID-19 testing, or are being offered an opportunity to undergo COVID-19 testing, we recommend you validate who the caller is, the agency they're working for and why you were selected for testing
  2. State or federal agencies will NOT randomly call and/or select senior citizens for COVID-19 testing
  3. Do not share via text and/or phone calls any sensitive information
COVID-19 Vaccine Kit

Threat Statement/Description

The Department of Justice cracked down on a site that was offering visitors access to a WHO-developed COVID-19 vaccine kit. The site was actually used to upload malware to victims' PCs and/or laptops.

Action/Guidance

  1. If you believe you visited the site, you may want to run a scan of your system
  2. If you're running an older version of anti-virus software, consider updating and/or upgrading your virus protection
  3. Be cautious with visiting COVID-19/Coronavirus URLs or websites that are suspicious and/or malicious and are set up to steal information, attempt to defraud you, or upload malware to your PC and/or laptop.
DHS National Lockdown

Threat Statement/Description

Rumors are circulating via e-mail, text messages, and social media: "Hearing a lot about texts from 'friends at DHS' or 'friends with connections at DHS' that say DHS is planning a national lock down." Also circulating is a rumor of the National Guard fanning out to major cities to enforce martial law.

Action/Guidance

  1. Use trusted local and federal government sources
  2. A national lock down is not taking place
  3. The National Guard has not been used to enforce any type of martial law
A Rogue Android App Promises A Safety Mask But Instead Spams All Your Friends

Threat Statement/Description

A new COVID-19 scam has emerged, this time taking advantage of users' and citizens' Android phones. The attackers send you a text that reads: "Get safety from corona virus by using Face mask, click on this link download the app and order your own face mask-hxxp://coronasafetymask.tk." When you click the link, you're taken to a web portal where you'll be asked to download the app. Downloading won't just help the malware spread, it'll cost you whatever your mobile phone carrier charges you for a text. The more contacts/friends you have, the higher the potential bill, especially if your friends live abroad.

Action/Guidance

  1. Delete unsolicited texts from organizations and/or phone numbers you don't know
  2. Do not click on links and/or attachments contained in texts
COVID-19 Vaccine

Threat Statement/Description

Criminals are offering home and herbal remedies that supposedly prevent or cure COVID-19. These attacks can be used to infect users' computers with malware and/or peddle unproven and potentially harmful substances for people to digest.

Action/Guidance

  1. Do not respond to advertisements for COVID-19 vaccines or remedies received via e-mail, or in the course of browsing the web
  2. Do not click links or open attachments from advertisers offering a remedy or vaccine for COVID-19
North Dakota Withholding Medicines From Tribes

Threat Statement/Description

Various persons are intentionally posting inaccurate and/or inflammatory information about North Dakota's response to the COVID-19 pandemic

Action/Guidance

  1. Verify Sources of Information
  2. Information in regard to how ND is responding to COVID-19 is located at XXXX
  3. Do not click links or open attachments from individuals posting information in social media platforms
Fraudulent Medicines/Products

Threat Statement/Description

The FTC and FDA have jointly identified and issued warning letters to the following companies:

  • Vital Silver
  • Quinessence Aromatherapy Ltd.
  • Xephyr, LLC, doing business as N-Ergetics
  • GuruNanda, LLC
  • Vivify Holistic Clinic
  • Herbal Amy LLC
  • The Jim Bakker Show

The products cited include teas, essential oils, tinctures and colloidal silver

Action/Guidance

  1. Do not click on links in e-mails received from any of the above named companies
  2. We recommend you exercise caution when placing orders for COVID-19 vaccines/remedies *To date there has not been an officially recognized vaccine to prevent and/or cure COVID-19*
COVID-19 Penny-Stock Scams/Frauds

Threat Statement/Description

The U.S. Securities and Exchange Commission is warning investors about fraudsters touting stocks of companies with products that supposedly can prevent, detect or cure coronavirus. In scams such as this, the con artists have already bought the stocks, which typically sell for a dollar or less. As the hype grows and the stock price increases, the con men dump the stock, saddling other investors with big losses (aka "pump and dump").

Action/Guidance

  1. SEC recommends investors conduct detailed research before investing in any stocks and be aware of the risks
  2. SEC also notes it is common for fraudsters to exploit crises like COVID-19 to scam investors
  3. Be suspicious of any unsolicited e-mails and/or online advertisements with links and/or attachments on investing or purchasing stocks that have developed a cure or vaccine to COVID-19 *To date there has not been an officially recognized vaccine to prevent and/or cure COVID-19*
COVID-19 Antivirus

Threat Statement/Description

A group of hackers was found promoting fake antivirus software to distribute a malware payload that could infect systems with the BlackNET RAT while adding them to a botnet.

  • Security experts have reported two such sites where this software could be found: antivirus-covid19[.]site and corona-antivirus[.]com.
  • Upon reporting, the first site was taken down. The other one, however, remained active with altered contents and malicious links being taken off.

A blurb from the site read, "Download our AI Corona AntiVirus for the best possible protection against the Corona COVID-19 Virus. Our scientist from Harvard University have been working on a special AI development to combat the virus using a mobile phone app."

The malware actors also mention an update about adding VR sync capabilities to their fake products. "We analyze the Coronavirus in our laboratory to keep the app always up to date! Soon a corona antivirus VR synchronization will be implemented!"

Action/Guidance

  1. Exercise caution when visiting sites related to the COVID-19 pandemic; new fraudulent sites are being set up every day to try and trick citizens into downloading malicious software to steal your data and/or steal your money
  2. Criminals are attempting to take advantage of people's fear and the vast amount of misinformation about COVID-19
  3. Be careful with clicking links on websites discussing COVID-19 or purporting to have any kind of cure, special products, or new information
Pirated CoronaVirus Plugins Distribute WordPress Malware

Threat Statement/Description

Criminals behind the WordPress WP-VCD malware have started to distribute modified versions of Coronavirus plugins that inject a backdoor into a web site.

The WP-VCD family of WordPress infections is distributed as nulled, or pirated, WordPress plugins that contain modified code that injects a backdoor into any themes that are installed on the blog as well as various PHP files. Once a WordPress site is compromised by WP-VCD, the malware will attempt to compromise other sites on the same shared host and will routinely connect back to its command & control server to receive new instructions to execute.

Action/Guidance

  1. Exercise caution when visiting WordPress sites
  2. Exercise caution when clicking on advertisement links in WordPress sites as they may redirect you to malicious sites, or install harmful malware
  3. If you operate a WordPress site, be certain you're downloading plugins from a trusted and authorized plugin site
Criminals Are Using Fake Zoom Accounts to Distribute Malware

Threat Description:

Hacker News reports - https://thehackernews.com/2020/03/zoom-video-coronavirus.html?&web_view=true – “As people increasingly work from home and online communication platforms such as Zoom explode in popularity in the wake of coronavirus outbreak, cybercriminals are taking advantage of the spike in usage by registering new fake "Zoom" domains and malicious "Zoom" executable files in an attempt to trick people into downloading malware on their devices. According to a report published by Check Point and shared with The Hacker News, over 1,700 new "Zoom" domains have been registered since the onset of the pandemic, with 25 percent of the domains registered in the past seven days alone.”

Zoom is not the only platform being targeted; Google Classroom is also noticing an increase in potentially malicious activity.

Zoom, Google Classroom and Microsoft Teams are being increasingly targeted by cyber criminals - https://www.scmagazine.com/home/security-news/news-archive/coronavirus/cybercriminals-targeting-zoom-google-and-teams-domains/?web_view=true

Action/Guidance:

  1. Exercise caution when clicking links and/or opening attachments in unsolicited Zoom or Google Classroom invitations and/or documents
  2. Validate via phone, if possible, if you receive Google Classroom invites and/or documents
  3. Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
  4. Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
  5. Manage screensharing options. In Zoom, change screensharing to “Host Only.”
  6. Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
  7. Ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
  8. Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
  9. Ensure VTC software is up to date. See Understanding Patches and Software Updates.
Two Zoom Zero-Day Vulnerabilities Uncovered

Threat Description:

ThreatPost reports - https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/ - that the web conferencing platform vulnerabilities could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.

 Action/Guidance:

  1. Zero-day vulnerabilities cannot be fixed until the vendor (in this case Zoom) issues a “fix” (i.e. patch), or communicates steps to help reduce the risk of the vulnerability being exploited
  2. Exercise caution when granting other people access (physical or remote) to your device (PC/laptop); exploitation of these vulnerabilities requires an attacker to have local presence on your device
  3. Exercise caution when opening attachments or clicking links in unsolicited e-mails
  4. Be careful when exploring the Internet and visiting unknown websites
  5. Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
  6. Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
  7. Ensure VTC software is up to date. See Understanding Patches and Software Updates.