Proofpoint warns of vaccine as lure for cyber-attacks

The cybersecurity company has detected fraudulent messages misusing the name and logo of the World Health Organisation (WHO) as the main lure

REUTERS/KACPER PEMPEL - A hooded hacker holds a laptop computer

Throughout the pandemic, Proofpoint's research team has observed cyber-attacks adapting as new developments in the health crisis unfolded: first with bait about the existence of the virus, and later in relation to the shortage of medical resources, among other issues. With the coronavirus vaccine currently in the news, Proofpoint has detected an increase in threats built around every side of the issue, whether it be the approval of the vaccine by governments in different countries, its distribution, or its administration to patient groups.

The cybersecurity and compliance company has published recent examples of attacks it has detected that aim to spread malware, phish credentials or impersonate executives (business email compromise, BEC). They show how attackers abuse recognised entities or trusted senders in order to be more successful. Hence, it is important for organisations to implement a people- and technology-based strategy, as recommended by Proofpoint, to help prevent, detect and respond to potential attacks, with an emphasis on training employees in security best practices so that they form a strong last line of defence.

Phishing to steal Office 365 credentials

In this early January campaign targeting companies in the United States and Canada, cybercriminals took advantage of the recent approval of the COVID-19 vaccines by both governments, as well as the rush to receive the first doses.

The messages urged potential victims to click on a malicious link through which they would supposedly confirm their email address or register on a page to receive their corresponding vaccines. However, the ultimate goal was to get hold of their Office 365 login credentials (both the user's email and password).

BEC attacks on mergers

The cybercriminals also found it useful to exploit the idea that "every crisis is also an opportunity". From 1 to 15 December 2020, Proofpoint detected a BEC (business email compromise) attack campaign in which attackers impersonated executives to gain support for a fake merger or confidential acquisition of a company abroad, an operation that, according to the fraudulent emails, would be driven by the global economic recovery expected to accompany the arrival of the long-awaited vaccines.

Abuse of the WHO logo and name to distribute AgentTesla malware

Using email subjects referring to newly approved vaccines against COVID-19, Proofpoint detected fraudulent messages misusing the name and logo of the World Health Organisation (WHO) as the main lure. The emails also carried a malicious attachment that, once executed by the user, installed the AgentTesla keylogger. Proofpoint has been tracking the activity of these attackers since at least 2019. This latest campaign began on 12 January, targeting numerous business sectors in the United States.

DHL spoofing emails

In the United States, Germany and Austria, a phishing campaign took place on 14 January with emails purporting to be from the logistics company DHL, reporting the arrival of a package containing vaccines. The recipient of the supposed shipment was told to click on a link to reconfirm their address, a step that instead handed their credentials to the cybercriminals.