With governments around the world making billions of dollars available for COVID-19 financial relief, criminals are making every effort to take advantage. That includes building website templates that imitate official coronavirus relief pages to trick victims into giving up sensitive personal information.
Among the sites discovered by security vendor Proofpoint are bilingual Government of Canada pages that attempt to get credentials from victims in either English or French. The news is part of a blog post released Friday that also details phishing financial relief pages for the U.S. Internal Revenue Service, the U.K. Revenue and Customs and the official registration site for France.
The goal of the Canadian site is to capture social insurance numbers, which are valuable for creating fake IDs.
“This spoof is noteworthy because while it copies the behaviour of the Canadian government website effectively, it does not match the look and feel of the current Canadian government website,” Proofpoint notes. “The malicious template correctly copies the name of Canada’s revenue ministry in English and French, Canada Revenue Agency and Agence du revenu du Canada respectively. However, the layout, colours, and branding of the malicious template do not match that of the legitimate Canadian government website.”
Fake websites would be created for people doing internet searches for financial relief programs. They would also be the landing pages for links in mass email and text campaigns previously outlined in our Cyber Security Today podcasts.
Earlier this month the federal government's Canadian Centre for Cyber Security said it had taken down over 1,500 COVID-19-themed fraudulent sites or email addresses aimed at Canadians. These included sites spoofing the Public Health Agency of Canada, Canada Revenue Agency, and Canada Border Services Agency.
Proofpoint says it’s found more than 300 different COVID-19 campaigns since January across nearly every industry it tracks. The creators include well-known, established threat actor groups and unknown individuals.
Creation of COVID-19 phishing landing pages increased sharply in early March, peaking around the beginning of April and then sharply dropping off, says the blog. That plunge was probably caused by a combination of saturation for COVID-19 payment theme phishing templates and a move towards other COVID-19 themes as many one-time payments were disbursed, Proofpoint believes.
“It’s clear threat actors follow trends closely,” the blog adds. “We’ve seen throughout the COVID-19 situation how threat actors have followed the news and adapted their themes to match the unfolding public narrative. The movement by governments in particular to offer financial support has caught the attention of threat actors who have moved not only to target those funds directly but to use them as themes for their malware and credential phishing attacks.”