A new phishing scam is playing on the public’s fears of the COVID-19 outbreak, according to the world’s largest security-awareness training and simulated phishing platform.
Security awareness firm KnowBe4 said Monday that it had discovered a new type of phishing scam that told victims they had come into contact with a friend, colleague or family member who had been infected with the coronavirus. The email instructs its victims to download an attachment and then go to the hospital.
“This particular social engineering scheme appears to come from a legitimate hospital, which is why it’s so alarming and could trick even a cautious end user,” KnowBe4 said.
The email instructs the victim to fill out an Excel form. The form is actually a macro-laden Office document that downloads a malicious program. The downloader is currently detected by only a handful of anti-virus applications, KnowBe4 said. The malware has “a number of advanced functions that allow it to evade detection by security applications, worm its way deep into an infested system, and serve as a platform for a variety of criminal activities,” the security firm said.
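The delivery mechanism described above (an Excel "form" that is really a macro-enabled document carrying a downloader) can be screened for at the mail gateway before a user ever opens it. The script below is an added example written for this page, not code from the article or from KnowBe4. It relies on two real properties of modern Office files: they are ZIP containers, and VBA macro code is stored in a part named `vbaProject.bin` that is declared in `[Content_Types].xml` with the content type `application/vnd.ms-office.vbaProject`. The attachments it examines are constructed in memory as minimal stand-ins; the verdict labels (`allow`, `review`, `block`) and the function names are the example's own.

```python
"""Added example: triage Office attachments for VBA macros (defender-side check).

Checking both the vbaProject.bin part and the declared content type catches
documents whose extension was renamed to look harmless (macros in a .xlsx).
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".xlsm", ".docm", ".pptm", ".xltm", ".dotm"}
MACRO_FREE_EXTENSIONS = {".xlsx", ".docx", ".pptx"}


def find_macro_indicators(data: bytes) -> list[str]:
    """Return the reasons an OOXML container looks macro-enabled (empty if none)."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Part names are case-insensitive in OOXML; vbaProject.bin holds the macro code.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                reasons.append("vbaProject.bin part present")
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types_xml:
                    reasons.append("vbaProject content type declared")
    except zipfile.BadZipFile:
        reasons.append("not a valid OOXML/ZIP container")
    return reasons


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment as 'allow', 'review' or 'block', with the evidence."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = find_macro_indicators(data)
    has_macros = any(r.startswith("vbaProject") for r in reasons)
    if has_macros and ext in MACRO_FREE_EXTENSIONS:
        # A .xlsx should never carry VBA; a renamed extension is a classic filter-evasion sign.
        verdict = "block"
        reasons.append(f"macros inside a {ext} file (extension/content mismatch)")
    elif has_macros:
        # Legitimate macro-enabled files exist, but an unsolicited one deserves a look.
        verdict = "review"
    elif ext in MACRO_EXTENSIONS:
        verdict = "review"
        reasons.append("macro-enabled extension without detectable VBA part")
    elif "not a valid" in " ".join(reasons):
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def _build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP in memory (constructed sample, not a real workbook)."""
    buf = io.BytesIO()
    content_types = ['<?xml version="1.0"?><Types>',
                     '<Default Extension="xml" ContentType="application/xml"/>']
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Placeholder bytes standing in for a compiled VBA project (hypothetical content).
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder-vba-blob")
            content_types.append(
                f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        content_types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(content_types))
    return buf.getvalue()


# Constructed attachments standing in for a mail-gateway feed.
SAMPLES = {
    "covid_contact_form.xlsx": _build_sample(with_vba=True),   # macros hidden behind a "safe" extension
    "covid_contact_form.xlsm": _build_sample(with_vba=True),   # honestly labelled macro-enabled file
    "quarterly_report.xlsx": _build_sample(with_vba=False),
    "notes.xlsx": b"not a zip at all",
}


def triage_all(samples=SAMPLES) -> dict:
    """Map each sample filename to its verdict."""
    return {name: triage_attachment(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage_attachment(name, data))
```

The extension/content mismatch rule is the one worth keeping even if everything else is tuned down: a workbook that presents itself as a plain `.xlsx` but contains a VBA project has no legitimate reason to exist, whereas a `.xlsm` is merely worth a second look. In a real deployment the `SAMPLES` dictionary would be replaced by attachments pulled from the gateway, and a `review` verdict would route the message to a sandbox or an analyst rather than the user.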
“This is a new type of malware that we’re seeing, as it was reported for the first time just a few days ago,” said Eric Howes, principal lab researcher at KnowBe4. “For the bad guys, this is a target-rich environment that preys on end users’ fears and heightened emotions during this pandemic. Employees need to be extra-cautious when it comes to any emails related to COVID-19, and they need to be trained and educated to expect them, accurately identify them and handle them safely.”