Coronavirus: Cyber criminals target laid-off workers

Malicious Microsoft Excel files masquerading as CV attachments sent under the subject lines “applying for a job” or “regarding job” are luring victims left out-of-work thanks to the Covid-19 coronavirus pandemic into giving up valuable banking credentials, according to new research released today by Check Point.

When opened, the files prompt their target to “enable content”, which when clicked actually downloads the dangerous ZLoader banking malware, which steals passwords and other private information from users, including browsing cookies. Armed with this information, cyber criminals can connect into the victim’s system and make illicit financial transfers from the victim’s legitimate device.

“As unemployment rises, cyber criminals are hard at work. They are using CVs to gain precious information, especially as it relates to money and banking. I strongly urge anyone opening an email with a CV attached to think twice. It very well could be something you regret,” said Check Point manager of data intelligence, Omer Dembinksy.

Check Point said it has observed the number of malicious files masquerading as a CV doubling in the past two months around the world as millions of workers lose their jobs as governments shutter their economies in national lockdowns. The problem is particularly acute in the US, where dysfunctional governance and a lack of social security protections has seen 40 million file for unemployment since March, about a quarter of the working population.

It added that a statistically-notable number of malicious phishing scams were now exploiting various Covid-19 layoffs and renumeration schemes. Check Point’s team also found that 7% of domains registered in May containing the world “employment” are malicious, and another 9% suspicious.

In addition to the threat from ZLoader, Check Point researchers also observed an uptick in activity around the IcedID banking malware family – this strain targets banks, payment card providers, mobile services providers and online retailers, and tricks users into submitting their logon credentials on a fake page, to be sent to the attacker’s server alongside other authorisation details that can be used to compromise user accounts.

The IcedID threat currently seems to be exploiting medical leave forms, said Check Point, using filenames such as “COVID-19 FLMA CENTER.doc” sent via email with the subject line “The following is a new Employee Request Form for leave within the Family and Medical Leave Act (FMLA)”.

The emails originate from a number of different sender domains, such as “medical-center.space” in order to lure targets into opening the malicious attachments.

Users can follow a number of steps in order to minimise their chances of falling victim to this sort of scam. It is important to remember to keep a look out for lookalike domains, watching for spelling errors in the names of official looking websites or emails; to be cautious with any file received via email that is not expected or does not come from a sender known to you; to use authentic, official sources to shop online, and never click on promotional links in emails; to be suspicious of any special offers, particularly coronavirus-related ones; and to follow basic principles around password hygiene and management, and never using duplicate passwords.

However, there were some signs that cyber criminal activity exploiting the pandemic was tailing off a little. In May, Check Point said it had witnessed an average of 158,000 coronavirus-related attacks every week – this was a 7% decrease when compared to April, when the outbreak peaked in many countries.

Last month, it saw 10,704 new coronavirus-related domains registered, 2.5% of them malicious and 16% suspicious.