Hackers Aim To Capitalize On Post-Covid Return To Office With Phishing Scheme

Phishing campaigns nearly always spike with any major event, and the post-covid return to office is proving to be no different. As if anticipating the shift back to the office, threat actors have been preparing sophisticated spear-phishing ploys to steal credentials. This latest scam involves sending targets emails purportedly from their CIOs welcoming workers back into offices. The phishing email supposedly outlines the company’s post-pandemic cubicle protocols.

“The body of the email appears to have been sent from a source within the company, giving the company’s logo in the header, as well as being signed spoofing the CIO,” Cofense outlined in a report.

The fake newsletter explains return-to-work procedures are forcing employees to take new precautions relative to the pandemic, according to the researchers.

The spoofed CIO email prompts victims to follow a link to a fake Microsoft SharePoint page with two company-branded documents, both outlining new business operations. Eventually, the scam leads the victim to hand over their credentials.

COVID-19 has been a treasure trove for hackers in every stage of the pandemic. Vaccine-related spear-phishing attacks shot up 26% between October and January, just as the news of the vaccine came and the rollout began globally. Healthcare organisations, crushed under the weight of the pandemic, were targeted night and day by various forms of malware. Last year alone, 10% of all organisations hit by ransomware were hospitals or medical organisations.

“COVID-19 has given us a window into how hackers can exploit human vulnerabilities during a crisis, with healthcare and pandemic-related attacks prevalent in 2020,” Sivan Tehila with Perimeter 81 wrote recently in a report for Threatpost.

CIO Spear-Phishing Attack Methodology

This attack campaign has been analysed by cybersecurity researchers at Cofense.

The body of the email appears to have been sent from a source within the company, giving the company’s logo in the header, as well as being signed spoofing the CIO. By pretending to be an executive, the threat actor has sent a false newsletter explaining the new precautions and changes to business operations the company is taking relative to the pandemic.

It is likely in these times that many companies are making changes to their operations and providing their employees with guidelines. However, in this case, the threat actor is trying to capitalize on sometimes-confusing changes to steal credentials and personal information.

If an employee were to interact with the email, they would be redirected to what appears to be a Microsoft SharePoint page with two documents. These documents appear to be legitimate, outlining changes to business operations referenced in the original email. Instead of simply redirecting to a login page, this additional step adds more depth to the attack and gives the impression that they are actual documents from within the company. When interacting with these documents, it becomes apparent that they are not authentic and instead are phishing mechanisms to garner account credentials.

Clicking on either of the documents produces a login panel that prompts the recipient to provide login credentials to access the files. This is uncommon among most Microsoft phishing pages where the tactic of spoofing the Microsoft login screen opens an authenticator panel. By giving the files the appearance of being real and not redirecting to another login page, the user may be more likely to supply their credentials in order to view the updates.

Another technique that the threat actor uses that we have seen in other campaigns is the use of fake validated credentials. For this example, the first few times login information is entered into the panel, the result will be the error message, “Your account or password is incorrect.”

After entering login information a few times, the employee will be redirected to an actual Microsoft page. This gives the appearance that the login information was correct, and the employee now has access to the OneDrive documents. In reality, the threat actor now has full access to the account owner’s information. Thus, the phishing attack has been successful.
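One way to hunt for the pattern described above in web-proxy logs: repeated credential POSTs to a non-Microsoft host that end in a redirect to a genuine Microsoft page. This is an added example, not code from the Cofense report or the original article; the log format, host names, the `min_posts` threshold and the Microsoft domain list are assumptions constructed for illustration, and it assumes the proxy records the HTTP method and redirect target.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: a short allow-list of Microsoft sign-in/landing domains; tune per tenant.
MS_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com",
               "sharepoint.com", "live.com")

# Constructed sample proxy log (not real campaign data).
# Fields: timestamp user method url status redirect_target
SAMPLE_LOG = """\
2021-06-01T09:00:01 alice GET https://sharepoint-docs.example.net/return-to-office 200 -
2021-06-01T09:00:20 alice POST https://sharepoint-docs.example.net/login 200 -
2021-06-01T09:00:41 alice POST https://sharepoint-docs.example.net/login 200 -
2021-06-01T09:01:02 alice POST https://sharepoint-docs.example.net/login 302 https://www.office.com/
2021-06-01T09:05:00 bob POST https://login.microsoftonline.com/common/login 302 https://www.office.com/
2021-06-01T09:06:00 carol POST https://intranet.example.org/search 200 -
"""

def is_microsoft(url):
    """True only if the URL's host is a listed domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in MS_SUFFIXES)

def find_fake_validation_handoffs(log_text, min_posts=2):
    """Flag users who POSTed min_posts+ times to a non-Microsoft host and were
    then redirected by that host to a real Microsoft page."""
    posts = defaultdict(int)          # (user, host) -> POST count so far
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:          # skip malformed lines
            continue
        ts, user, method, url, status, location = fields
        if method != "POST" or is_microsoft(url):
            continue                  # genuine Microsoft sign-ins are out of scope
        host = urlsplit(url).hostname
        posts[(user, host)] += 1
        redirected = status.startswith("3") and is_microsoft(location)
        if redirected and posts[(user, host)] >= min_posts:
            alerts.append({"user": user, "host": host,
                           "posts": posts[(user, host)], "time": ts})
    return alerts

if __name__ == "__main__":
    for alert in find_fake_validation_handoffs(SAMPLE_LOG):
        print(alert)
```

An alert here means the account's password should be treated as exposed: reset it and revoke active sessions rather than waiting for evidence of misuse.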


Protection Against Phishing

Often in hacker circles some claim to have a sense of ‘honor amongst thieves’, but the COVID-19 Pandemic and the associated hacking campaigns that went on during it are a sure sign that these individuals do not have a clear sense of right and wrong. As the world gradually readjusts to the ‘normal’ we once knew, hackers are certain to use every tool at their disposal to steal information from whomever they target. Phishing attacks like these will continue to be widespread.

It is important that business owners use the right tools to protect themselves against cyberthreats. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.
