How a Covid-19 Phishing Scam Spoofed the World Health Organization

Covid-19 created a vast array of opportunities for phishing scammers. An uncertain world and a population hungry for information meant people were ripe for the taking.

Covid-19 created the single most significant upheaval most people could remember. As the pandemic swept across the world, people, governments, and businesses struggled to react. In the space of a few days, companies had to switch to remote work, and society more or less shut down. People were confined to their homes, frightened to go out, and desperate for any information they could get. 

As is so often the case, an environment of fear and uncertainty played right into the hands of fraudsters and other criminals. Cybercrime flourished, and one of the most popular modes of attack was the phishing email. These use social engineering strategies to fool people into handing over their sensitive information. With the pandemic, these became more frequent and more convincing than ever. 

What is social engineering?

Stealing property can be tricky. You’ve got to break into a place, lift the goods and make your escape. It would be so much easier if you could just persuade people to hand everything over for you. 

That’s the concept behind social engineering — to use various manipulative means to persuade people into taking the action you want. With cybercrime this might include: 

Baiting: Arousing the user’s interest with a false promise.

Scareware: Frightening a user into thinking they have a problem that has to be resolved.

Pretexting: Obtaining the information you want by spinning a well-crafted cover story.

Phishing: Emails that appear to come from a reputable source so that you trust them.

Spear phishing: A more targeted form of phishing where scammers target specific organizations or even people. 

According to Verizon's cybercrime report, social engineering accounted for 25% of cyber-attacks in 2019 [1]. However, 2020 and the pandemic were about to give criminals an entirely new opportunity.

Throughout the first half of 2020, impersonation scams, in which cybercriminals pretended to be from a particular organization, doubled [2]. One of the most common targets of impersonation was the World Health Organization (WHO). The pandemic had barely started when people began receiving texts, emails and WhatsApp messages purporting to be from the WHO or another health service, carrying important information about the pandemic.

Some were relatively easy to spot, such as this email from 'the information unit' warning you that someone in your organization has been infected with Covid-19.

Whether it’s the bad spelling or the lack of branding, this is a relatively easy email to spot. 

However, cybercriminals have become much more sophisticated over the years, and other, more convincing phone calls and emails started to appear claiming to come from the WHO.

One was spotted by the security company Abnormal Security, which identified emails claiming to be sent from support@who.international. The email displayed the familiar WHO logo and said that the 'World Health Organization has sent you a message'.

The link was hidden behind text, making it difficult to see the real uniform resource locator (URL). It took the target to a site made to look like the WHO homepage, with a pop-up saying they needed to sign in with their email and password. Those who did so were then asked to supply their phone number before being redirected to the legitimate WHO homepage.

This is a highly effective scam as it capitalizes on people’s fear and anxiety at a time of global emergency. It harnesses the trust associated with the World Health Organization and redirects visitors back to the real website leaving victims unaware that their details had been stolen. 

Another scam offered targets the chance to download what it described as a 'corona-virus' ebook.

Once again, the bad spelling should be enough to deter people, but the branding is much more effective and draws on the instinctive trust and security people feel with an organization such as the WHO.

This is coupled with the natural fear associated with the early stages of the pandemic. As the world began locking down, people were eager for any information they could get their hands on. The idea that the WHO might decide to send free ebooks to people in order to raise awareness about the pandemic would not have appeared particularly unlikely.

As Malwarebytes reported at the time, these emails came with an attachment entitled 'My Healthebook-zip'. Once opened, it installed malware called GuLoader on the victim's computer. This was the vehicle for an information-stealing Trojan called Formbook, which swiped information from the computer and sent it back to the cybercriminals.

The fallout

It is difficult to be entirely certain how many people were fooled by such scams or how much was stolen. Thieves often sold the stolen data on the dark web or used it to strike at victims financially. Victims frequently came out of the scam unaware that they had been targeted at all and, as such, were less likely to take prompt remedial action.

However, data from Javelin Strategy and Research showed that Americans lost $56bn to identity fraud in 2020. Victims lost $1,000 on average.

The response 

The WHO responded by launching public information campaigns alerting people to the existence of the frauds. They reassured people that they would: 

Never ask for your username or password to access safety information.

Never email attachments you didn’t ask for.

Never charge money to apply for a job, register for a conference, or reserve a hotel.

Never conduct lotteries or offer prizes, grants, or certificates through email.

They also displayed examples of scams that had been reported to them and provided advice on how to reduce the risk of falling victim to such fraud: check the sender's email address, check links before clicking, don't feel rushed, and be careful with your personal information.

They also included a button asking people to report scams if and when they see them. 

Lessons learned

However, the WHO was more or less restricted to raising warnings and reiterating its practices for users. The sheer volume of Covid-19 scams meant it was impossible to keep track of every attack being used and to inform all users.

The unique nature of the pandemic lent these scams an added layer of threat. When people feel vulnerable they are more likely to fall for scams which appear to offer answers to their problems. 

In general, many of the scams were of poor quality and should have been easily avoided. However, others were highly sophisticated and did a good job of not only convincing their targets that they were genuine, but in covering their tracks in the aftermath. Many people were left oblivious to the existence of a crime in the first place. This ignorance adds to the difficulty in fighting the crime and mitigating its impacts. 

The Covid-19 scams highlight the growing threat of social engineering. Most scams rely on manipulating their targets into taking a desired course of action, be that handing over their personal information or downloading files that can then do damage on the computer.

They show that cybercriminals have become much more sophisticated at emulating the branding and writing style of WHO communications. They have become agile enough to capitalize on world events to make their attacks seem even more convincing. 

Psychologically, they focus on human emotions such as fear, stress, and uncertainty to create feelings of urgency to bypass the usual sense checks people might run before clicking on a link. 

At the same time, though, these attacks also demonstrate the weaknesses of this strategy. Consumers have become much more sophisticated and aware of the threat from phishing and unknown calls. People are much less likely to click on links from unsolicited emails and even less likely to hand over their personal information. 

Hackers have to become much more convincing and target many more people in order to make significant progress.

Those who are careful and understand what to look for will have everything they need to protect themselves against the scam artists.

Protect your business by: 

Checking the email address of the sender: Scammers can often make a message appear to come from a legitimate sender, but if you double-check the actual address you can see it is not coming from a legitimate source.

Checking the URLs: Emails will try to camouflage fake URLs by covering them with text. Hover over a link to display the true address. A fake one will be easy to spot.

Never downloading files: Any email that asks you to download a file should be treated with extreme caution.

Upgrading your antivirus protection: Make sure you have the strongest possible protection on your devices and that it has been updated with the latest patches. This makes it much more likely that a suspicious email is flagged and filtered into your spam folder.

Being wary of entering information: Few legitimate organizations will contact you asking for login details. If one does, contact the organization directly rather than through the email. That way you know you are dealing with a reliable entity.

Checking with the organization that sent the email: The WHO issued alerts on its website and launched a large-scale public information campaign to warn people of this scam. If you receive an email or text you are not sure about, check the organization's site to see if it is warning of any scams.
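The first two checks above (the sender's real address and the real link target) can be automated for incoming mail. As an added example, not code from the original article or from PhishTACO, the following Python script applies both checks to a constructed sample email modelled on the support@who.international lure described earlier: it compares the sender's real address against a trusted-domain list (who.int is assumed here to be the genuine WHO domain) and flags any link whose visible text shows one host while the href points at another. TRUSTED_DOMAINS, the .example hostnames and the sample message are all constructed for this example.

```python
"""Flag two phishing cues: a sender address outside the expected domain, and a
link whose visible text or branding does not match its real href.
Added example; the sample message and domains are constructed, not real."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient trusts for WHO mail and links (assumption for this example).
TRUSTED_DOMAINS = {"who.int"}

# Constructed sample modelled on the support@who.international lure described above.
SAMPLE_EMAIL = """\
From: World Health Organization <support@who.international>
To: staff@example.org
Subject: World Health Organization has sent you a message
Content-Type: text/html; charset=utf-8

<html><body>
<p>Sign in to read your message.</p>
<p><a href="http://who-int-login.example/signin">https://www.who.int/</a></p>
<p><a href="https://www.who.int/">World Health Organization homepage</a></p>
</body></html>
"""


def registrable(host):
    """Crude registrable-domain guess: the last two labels (enough for this example)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(msg):
    """Return (display name, real address, whether the address domain is trusted)."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    return name, addr, registrable(domain) in TRUSTED_DOMAINS


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Links whose real host is untrusted; note when the visible text shows a different URL."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable(host) in TRUSTED_DOMAINS:
            continue  # the link really goes where the branding says
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable(shown) != registrable(host):
            reason = "visible URL %s hides real host %s" % (shown, host)
        else:
            reason = "link leaves trusted domains: %s" % host
        flagged.append({"href": href, "text": text, "reason": reason})
    return flagged


def analyse(raw):
    """Parse a raw RFC 822 message and return the sender verdict plus flagged links."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    name, addr, trusted = check_sender(msg)
    return {"sender_name": name, "sender": addr, "sender_trusted": trusted,
            "links": suspicious_links(body)}


if __name__ == "__main__":
    report = analyse(SAMPLE_EMAIL)
    print("From: %s <%s> trusted=%s" % (report["sender_name"], report["sender"], report["sender_trusted"]))
    for link in report["links"]:
        print("SUSPICIOUS:", link["reason"])
```

On the sample message the script reports the sender as untrusted (who.international is not who.int) and flags the first link, whose visible text reads https://www.who.int/ while its href points at who-int-login.example; the second link, which genuinely goes to www.who.int, passes. The two-label registrable-domain guess is deliberately simple; a production filter would use the public suffix list and also check SPF/DKIM results on the sending domain.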

Covid-19 social engineering scams are an incredibly toxic form of fraud. Aside from the possible financial damage suffered by the target, the scams undermine the reputation of groups such as the WHO and lessen trust in institutions.

In a situation such as Covid-19, the impact can be devastating. Effectively combating the disease requires people to trust the authorities and the information they provide. Cybercriminals have played on that desire to trust. By doing so, they risk driving up infection rates and, ultimately, costing lives.

Sources:

  1. Social engineering attacks: Social engineering cyberattacks and how they're impacting businesses | Security Info Watch
  2. Impersonation scams double: Impersonation scams almost double in first half of 2020 as criminals exploit Covid-19 to target victims | UK Finance
