
Beware of cybercriminals manipulating COVID-19 panic

Russian data thieves posed as Public Health Agency of Canada in email attack

Canada’s cyber security centre is warning people to be wary of COVID-19-related emails that could be used to gain access to personal or financial data.

Cybercriminals are using COVID-19 panic as a cover for the greatest number of themed cyber-attacks that cybersecurity company Proofpoint has ever seen.

In one case, cybercrime group TA564 has posed as the Public Health Agency of Canada via an email attack, preying on people’s care for their children.

That email references Dr. Eileen de Villa. She is a medical health officer, so the claim seems legitimate. However, de Villa is with the City of Toronto, not the federal agency.

“We anticipate attackers will continue to leverage COVID-19 as it develops further worldwide and will also likely pursue potential targets who are now being asked to work from home,” a warning from Proofpoint senior director of threat research and detection Sherrod Degrippo said.

She said at a time of emotional stress, data thieves are banking on people opening email links they might not ordinarily click.

“If people are going to panic and buy all the toilet paper, it’s not a stretch that people would click on something,” she said. “They’re attacking people and they’re using their emotional vulnerability to do it.”

The number of emails in attacks could be as high as hundreds of thousands, she said.

“Stay vigilant for malicious emails regarding remote access and fake corporate websites, all aimed at ensnaring teleworkers,” she said. “When working remotely, be sure to use a secure Wi-Fi connection, protect your VPN log-in, use strong passwords, think twice about clicking on links and confirm all transactions are authentic.”

Moreover, she cautioned, with more people working from home, they do not have the security of a corporate firewall to protect them from cyber intrusions.

Spokesman Evan Koronewski said Canada’s Communications Security Establishment is coordinating with partners to ensure COVID-19-related phishing sites mimicking federal government operations are removed.

“Cyber actors use social engineering and topical subjects, including COVID-19, to maximize their efforts and lure targets to click on a malicious link,” Koronewski said.

“CSE protects Canadians and computer networks and information of greatest importance to Canada from a variety of malicious cyber activity and responds to the government’s national security requirements.”

A B.C. government release of Proofpoint data said attackers have also targeted Air Canada, the Bank of Montreal, Canada Post, Coast Capital Savings, Interac and the Royal Bank of Canada in the past.

TA564 has been operating in Canada since last March, the release said.

Spokeswoman Tammy Jarbeau said the health agency had nothing to add to CSE’s comments.

Koronewski suggested people read CSE guidance on how they can protect themselves from these types of attempts and to get security tips.

Health agency attacks in the U.S. have originated with a cybercrime group tagged TA505, also called SectorJ04 or Evil Corp.

The attacks are part of the largest collection Proofpoint has seen using a single theme – COVID-19.

“We’ve observed credential phishing, malicious attachments, malicious links, business email compromise (BEC), fake landing pages, downloaders, spam and malware, among others, all leveraging coronavirus lures,” Degrippo said.

TA505 has been behind other ransomware and Trojan attacks. In the past week, Degrippo said, TA505 has used a coronavirus lure as part of a downloader campaign targeting the U.S. healthcare, manufacturing and pharmaceuticals industries.

The team also found a separate coronavirus-themed campaign that uses a downloader, targets the healthcare industry and demands Bitcoin payment. Indicating a potential future shift in the attack landscape, the downloaders used in the above two campaigns are sometimes seen as a first-stage payload before ransomware is later downloaded and installed on a victim’s machine. Ransomware is typically delivered as either a second- or later-stage payload.

Specifically, Proofpoint researchers have observed TA505 using a coronavirus lure in an attempt to deliver a downloader to a victim’s computer.

With that downloader in place, attackers can download malware including banking Trojans and ransomware.

“TA505 is known as one of the most significant financially motivated threat actors due to the extraordinary volumes of messages they send,” Degrippo said.

B.C.’s Better Business Bureau has already issued a list of scams targeting the public.

“Look out for fake cures, phony prevention measures, and other coronavirus cons,” said a news release. 

Evil Corp

Last December, the U.S. Department of the Treasury said it had taken action against Evil Corp and its use of malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in more than 40 countries, causing more than US$100 million in theft.

This malicious software has caused millions of dollars of damage to U.S. and international financial institutions and their customers, the department said in a news release. “The Department of Justice charged two of Evil Corp’s members with criminal violations, and the Department of State announced a reward for information up to [US]$5 million leading to the capture or conviction of Evil Corp’s leader.”

Evil Corp may sound like something out of an Austin Powers spy spoof film with its Dr. Evil character or the 1960s TV show Get Smart with its KAOS criminal group, but Degrippo said people need to look past the name and take threats seriously.