Security Researchers Find Fraudsters Using Trump’s Health as a Lure
Within days of President Donald Trump testing positive for COVID-19, fraudsters began sending phishing emails that use the president’s health as a lure, according to the security firms Proofpoint and KnowBe4.
Employees at several hundred organizations in the U.S. and Canada have already been targeted by these campaigns, in what researchers say is a clear example of how quickly fraudsters pivot to exploit a current news event.
Eric Howes, principal lab researcher at KnowBe4, tells Information Security Media Group that fraudsters have little trouble switching topics for their phishing campaigns.
“The day after we spotted that email campaign based on Trump’s diagnosis, customers reported a very similar campaign from the same bad actors that were strictly COVID-themed. Moreover, it’s quite common for malicious groups to run multiple campaigns or email types simultaneously,” Howes says.
After Trump tested positive for COVID-19, cybersecurity researchers had warned that fraudsters and cybercriminals would likely quickly take advantage of the situation (see: Does Trump’s COVID-19 Test Result Portend Cyber Chaos?).
The phishing campaign uncovered by Proofpoint was designed to spread malware. But KnowBe4 notes that its researchers were unable to determine exactly what the fraudsters hoped to accomplish in the phishing campaign that it discovered.
Proofpoint found that the campaign tried to infect devices with a first-stage loader that acts as a backdoor for follow-on attacks, according to its report.
“This campaign attempted to spread unknown malware via BazaLoader, a first stage downloader initially observed earlier this year,” Sherrod DeGrippo, senior director of threat research at Proofpoint, tells ISMG. “Proofpoint researchers have previously observed BazaLoader being distributed in high-volume email campaigns by a threat actor that is primarily known to distribute TrickBot.”
Proofpoint’s Threat Insight account (@threatinsight) posted examples of the campaign’s subject lines on Twitter on October 7, 2020:
- Recent material pertaining to the president’s illness
- Newest information about the president’s condition
- Newest info pertaining to President’s illness
BazaLoader is a backdoor that enables an attacker to maintain persistence and execute additional malware modules, according to security researchers.
Proofpoint notes that the ongoing campaign it discovered uses social engineering to target organizations in the U.S. and Canada. The emails contain links to landing pages hosted on Google Docs.
“The pages contain links to download an Excel sheet, which contains macros that, if enabled, will download BazaLoader,” Proofpoint reports.
Other Malicious Messages
The phishing messages discovered by KnowBe4 do not ultimately link to a site that serves malicious content, most likely because of an error by the fraudsters, according to the security firm.
“The email offers potential [targets] an embedded link pointing to a file on Google Docs and suggests that unwitting clickers will be provided a password-protected file of some sort,” according to KnowBe4. “The file on Google Docs, however, merely provides a redirect to yet another file hosted on download2112.com, a domain created the very day we spotted this phishing campaign (10/6/2020).”
The file on download2112.com in turn redirects to a Russian bitcoin site, but the KnowBe4 researchers are uncertain whether this was the intended destination.
“Perhaps there was a password-protected file at some point that was subsequently taken down,” the KnowBe4 report states.
The phishing emails were sent from a compromised email account and used subject lines designed to pique interest in an update on President Trump’s condition, according to the report.
Some of the subject line themes used in the phishing emails included:
- The things you don’t know related to Trump’s current health state;
- Most recent details pertaining to Trump’s illness;
- Something you don’t know regarding Trump’s present-day health condition.
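The two delivery chains described above share traits a mail-triage script can flag without anyone clicking the link: a current-event health lure in the subject, a link to a collaboration platform (Google Docs) that bounces off-platform, a hop through a domain registered the same day (download2112.com, created 10/6/2020 per KnowBe4), and a chain that ends in a macro-capable Office file (the Excel sheet in Proofpoint’s BazaLoader campaign). The Python below is an added example written for this page, not code from Proofpoint, KnowBe4 or ISMG. The sample email, the redirect map standing in for a URL sandbox, and the WHOIS creation table are constructed; the document ID, file name and path are invented, while the hosts and the registration date are the ones the article reports.

```python
"""Offline triage heuristics for news-lure phishing (added example, not vendor code)."""
import re
from datetime import date
from email import message_from_string
from email.message import Message
from typing import Dict, List, Tuple

# Lure vocabulary drawn from the subject lines quoted in the article.
LURE_TERMS = ("trump", "president")
HEALTH_TERMS = ("health", "illness", "condition", "diagnosis", "covid")
# Collaboration hosts abused as "clean-looking" landing pages.
SHARE_HOSTS = ("docs.google.com", "drive.google.com")
# Office formats that can carry VBA macros (the BazaLoader chain used Excel).
MACRO_EXTS = (".xls", ".xlsm", ".xlsb", ".doc", ".docm")
NEW_DOMAIN_DAYS = 30  # "registered recently" threshold, an assumption

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); good enough for .com-style names."""
    return ".".join(host.split(".")[-2:])


def follow_chain(url: str, redirects: Dict[str, str], limit: int = 10) -> List[str]:
    """Walk a redirect map without touching the network; stop on loops."""
    chain = [url]
    while chain[-1] in redirects and len(chain) < limit:
        nxt = redirects[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def extract_urls(msg: Message) -> List[str]:
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            urls.extend(URL_RE.findall(body))
    return list(dict.fromkeys(urls))  # dedupe, keep order


def triage(raw_eml: str, redirects: Dict[str, str],
           created: Dict[str, date], seen_at: date) -> Tuple[int, List[str]]:
    """Return (number of indicators, reasons) for one raw e-mail."""
    msg = message_from_string(raw_eml)
    reasons: List[str] = []
    subject = (msg.get("Subject") or "").lower()
    if any(t in subject for t in LURE_TERMS) and any(t in subject for t in HEALTH_TERMS):
        reasons.append("subject matches current-event health lure")
    for url in extract_urls(msg):
        chain = follow_chain(url, redirects)
        hosts = [host_of(u) for u in chain]
        # Share-platform link that ends up somewhere else entirely.
        if hosts[0] in SHARE_HOSTS and len(chain) > 1 and hosts[-1] not in SHARE_HOSTS:
            reasons.append(f"share-platform link redirects off-platform to {hosts[-1]}")
        # Any hop on a domain registered within the last month.
        for dom in dict.fromkeys(registrable(h) for h in hosts):
            if dom in created and (seen_at - created[dom]).days <= NEW_DOMAIN_DAYS:
                age = (seen_at - created[dom]).days
                reasons.append(f"{dom} registered {age} day(s) before the e-mail")
        if chain[-1].lower().endswith(MACRO_EXTS):
            reasons.append(f"chain ends in a macro-capable Office file: {chain[-1]}")
    return len(reasons), reasons


# Constructed sample modelled on the KnowBe4 and Proofpoint descriptions.
SAMPLE_EML = """\
From: accounts@example.org
To: staff@example.org
Subject: Newest information about the president's condition
Content-Type: text/plain; charset=utf-8

Password-protected file with the latest details:
https://docs.google.com/document/d/EXAMPLE-DOC-ID/view
"""
BENIGN_EML = """\
From: finance@example.org
To: staff@example.org
Subject: Q4 budget review

https://docs.google.com/spreadsheets/d/BUDGET-ID/edit
"""
# Stand-in for a URL sandbox: document ID, path and file name are invented.
SAMPLE_REDIRECTS = {
    "https://docs.google.com/document/d/EXAMPLE-DOC-ID/view":
        "https://download2112.com/update.xls",
}
SAMPLE_CREATED = {"download2112.com": date(2020, 10, 6)}  # date reported by KnowBe4
SEEN_AT = date(2020, 10, 6)

if __name__ == "__main__":
    score, why = triage(SAMPLE_EML, SAMPLE_REDIRECTS, SAMPLE_CREATED, SEEN_AT)
    print(score, *why, sep="\n  ")
```

In production the two dictionaries would be replaced by a URL scanner that records the redirect chain and by a WHOIS or RDAP lookup; the point of keeping them as tables here is that the chain is examined from recorded data rather than by fetching the link, which is also the right habit for an analyst.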