Two New COVID-19 Related Phishing Scams

March 31, 2020

Lookout, a California-based provider of mobile phishing solutions, has found two new COVID-19 phishing scams.

On Twitter, Lookout's Phishing AI detailed its findings of live phishing sites targeting the website of the French General Directorate of Public Finance, the branch of the French government responsible for handing out support to micro-businesses and independent workers in the COVID-19 crisis. The site asks potential victims to enter their address, name and credit card information.

Domains hosted on the same infrastructure fitting the same pattern include:

imptgouv[.]com
gouvimpt[.]com
confirme-fr-enligne[.]com

The resolving IP address (62.4.13[.]122) also hosts a number of other French language phishing URLs for Paypal, says Lookout. After analyzing the aspect ratio, they appear specific to mobile devices:

verifauthenacesscloud[.]com
verifmyaccpp[.]com
busnow[.]net

Another live phishing site using COVID-19 lure, which has been live since January 2020, is masquerading as a new “beta” service by the UK HMRC:

hmrc-govupdate-covid-19[.]com
covid-19-gov[.]claims

The credit card number validation is "spot on," but the language change to Welsh doesn’t work, notes Lookout.

Lookout also noted a pattern between the two phishing scams: both were live and also hosted on the same mobile PayPal phishing infrastructure(47.90.28[.]145). As seen before, this IP also hosts sites relating to the French General Directorate of Public Finance. Lookout concludes that it is perhaps the same actor or same phishing kit set.

More recently, active sites contain the keyword “covid-19” in their domain name. Alex Gladd, Principal Product Manager at Lookout, says that each of these phishing attacks is meant to take advantage of the current situation regarding the COVID-19 pandemic. Gladd says, "They're replicating government websites related to providing citizens with financial relief in response to the pandemic. These sites make it appear as though victims will be receiving some amount of relief money, then ask victims to provide their personal and financial information, like a credit card number or PayPal credentials, in order to receive it. In reality, the sites are simply stealing the victim's data. Data like this often gets sold on the dark web and later used to make fraudulent purchases."

"During times like these, it's more important than ever for people to be hyper-vigilant about links they receive via email, messaging, and social media," Gladd notes. "Whenever it's something claiming to be related to government, financial, or personal information, it's always best to ignore the link in the email, message, or post and go directly to the institution or company's website yourself by typing its known URL into the browser."

Gladd adds, "this guidance is particularly important for people using mobile devices, where small form factors can make it especially difficult to notice suspicious links."

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

Two New COVID-19 Related Phishing Scams

Related Articles

Related Products

Related Events

Report Abusive Comment