Canadian health researchers and firms targeted with COVID-19 phishing

COVID-19 phishing scams have been reportedly going out to consumers, trying to get them to buy face masks, protective gear, phony medical cures as well as give up bank or government login credentials to get government-backed coronavirus financial aid.

But governments and health-related institutions also have to be on the lookout for scams, Palo Alto Networks warned today.

In a blog published this morning researchers said they discovered two COVID-19 themed campaigns:

  • One was an email with a ransomware sting aimed at an unnamed Canadian government health organization and a university here conducting COVID-19 research
  • The other was an email with an information stealer sent to a United States defence research entity, a Turkish government agency managing public works, a German industrial manufacturing firm, a Korean chemical manufacturer, and medical organizations/medical research facilities located in Japan and Canada.
This ransomware notice would appear if a victim clicked on an attachment

Governments and health care institutions “need to be extra suspicious” right now of COVID-19-related scams, said Jen Miller-Osborn, deputy director at Palo Alto Networks’ Unit 42 threat intelligence unit.

“It’s particularly egregious,” she said, to try and take advantage of people during a health crisis, adding that’s a typical strategy for criminals during a newsworthy event. “They’re exploiting all this fear. We’re definitely seeing an uptick in malicious activity.”

Criminals are using COVID to get victims to click on a link. Miller-Osborn said technically these are the same attack strategies as before the pandemic;  just the subject line and wording of the email messages have changed.

On March 20th the federal government’s Canadian Centre for Cyber Security warned that threat actors may try to steal intellectual property from medical researchers or extract money from ransomware.

The ransomware attack detected by Palo Alto Networks came from a spoofed World Health Organization email address (noreply@who[.]int) “to add that air of legitimacy,” she said.

Although aimed at particular organizations, a clear sign the email is to be leery of is highlighted by a generic “Dear Sir” type of greeting.

The infected attachment has the file name 20200323-sitrep-63-covid-19.doc. If clicked on a page opens up with a scrambled text, a second indicator that it’s malicious. Of course, by this time it’s too late to stop the ransomware — which researchers identified as variants of open source code called EDA2 or Hidden Tear — from executing. A victim might, however, have time to notify infosec pros to check the spread to other machines.

The fact that the document is scrambled text suggests the creators don’t care about being sophisticated, or, as Miller-Osborn said, “these actors aren’t particularly skilled or technical.”

The second campaign is aimed at getting victims into downloading what has been called the Agent Tesla information-stealing malware, which has been around since 2014, to lead to further attacks.

A typical email has the subject line “COVID-19 Supplier Notice” and is from a spoofed legitimate company email. It is addressed to “Dear Valued Supplier, and in at least one case is from a senior buyer of a firm in Oman. The message simply says “Please find the attached second notification.” That’s a trick that will hopefully fool an employee worried that they missed the first notification.

The attached file is named COVID-19 Supplier

Because this campaign uses compromised domains of real companies — firms selling electric skateboards and garment textiles — for sending mail and communicating with command and control servers, it’s a reminder to IT pros that using two-factor authentication and watching web site code will help limit the chances their infrastructure will be used to help attackers.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now