Nation-state actors may be running phishing scams that exploit the coronavirus

13 Mar 2020

Image: © bloomicon/

Cybersecurity researchers are detecting a surge in phishing scams attempting to exploit people’s fears about the coronavirus outbreak.

Some of the countries most affected by the coronavirus are seeing a surge in the number of coronavirus-related phishing scams. Cybersecurity firm Recorded Future has published a report documenting a number of ways scammers are using the pandemic as a way of making money.

Starting on 12 January, there was a surge in domains being registered related to the coronavirus, followed by another spike exactly a month later. This appeared to align with the largest single-day jump in confirmed Covid-19 cases globally at the time. Recorded Future’s researchers said that it indicates cybercriminals and bad actors may have realised the potential for using the outbreak as a vehicle for cybercrime.

Future Human

One of the report’s key findings was that not only is Covid-19 being used as phishing lures for malware such as Trickbot, Lokibot, and Agent Tesla, but there were at least three cases possibly linked to nation-state actors, according to Recorded Future.

Among them was a ‘mustang panda’ campaign that has alleged ties to a Chinese government-linked group. The lure used in this campaign was a file pretending to be from Vietnamese prime minister Nguyen Xuan Phuc discussing Covid-19. Once opened, a malicious code could take over a user’s system.

Additionally, while the coronavirus issue is global, countries such as the US, Italy, Ukraine and Iran have been the focus of related phishing attempts. These attacks have increased significantly in the two months leading up until 11 March.

How to spot a scam

In most cases, Recorded Future said, cybercriminals are using trusted organisations for their scam emails, such as pretending to be from the World Health Organisation and US Centres for Disease Control and Prevention.

Last month, researchers at Proofpoint detected a surge in scams pretending to come from legitimate sources such as the World Health Organisation, as well as those using conspiracy theories about the spread of the virus.

However, other countries that have seen a surge in confirmed cases are being targeted with more nation-specific phishing attempts. For example, in late January, researchers at IBM X-Force observed cybercriminals using coronavirus as a phishing lure to spread the malware called Emotet specifically in Japan.

While pretending to contain documents with health information updates, it actually contained a malicious VBA macro that installs a PowerShell script, which then downloads the Emotet trojan.

Offering potential warning signs for anyone who may come across these attempts, Recorded Future said: “The malicious emails often use language creating a sense of urgency (though often with bad grammar or spelling), or attachments or links that are said to contain additional information rather than being informational themselves.

“Users should avoid opening attachments, but it is advisable to treat all emails regarding the Covid-19 outbreak with caution.”

Colm Gorey was a senior journalist with Silicon Republic