Spoofed website patterns help spread COVID-19 scams: report

COVID-19 , Cybercrime , Fraud Management and Cybercrime

Fake websites linked to phishing attacks designed to steal credentials and banking data

Ishita Chigilli Palli (Ishita_CP) •
May 19, 2020

Malicious template designed to look like a World Health Organization website (Source: Proofpoint)

Fraudsters are now using many spoofed website templates with COVID-19 themes in phishing attacks designed to steal login credentials and banking data, security firm says No proof.

See also: Splunk Security Predictions 2021

Proofpoint has discovered several ready-made website templates for sale on darknet forums that spoof legitimate websites of governmental and non-governmental organizations that offer financial assistance or health care updates during the COVID-19[female[feminine pandemic.

These templates, which use realistic graphics, are designed to mimic the World Health Organization, the US Centers for Disease Control and Prevention, the Internal Revenue Service, as well as UK government websites, Canada and France, according to Proofpoint. The patterns allow fraudsters to quickly create malicious domains to lure victims who have received phishing emails, researchers say. Of the more than 300 phishing attacks examined by Proofpoint since January, nearly half were designed to steal login credentials or banking information.


(Source: Proofpoint)

As more governments around the world offer stimulus payments and financial assistance to citizens and businesses, the lures have changed, says Sherrod DeGrippo, senior director of research and threat detection at Proofpoint.

“The move by governments in particular to offer financial support has caught the attention of threat actors who have decided not only to target these funds directly, but to use them as themes for their phishing attacks,” DeGrippo told Information Security Media Group. “We expect these lures to continue to evolve over time to match the latest developments around the virus.”

How Models Work

Spoofed website templates vary in complexity and design. For example, one designed to look like a World Health Organization website disguises a malicious domain that can steal usernames and passwords if entered into a login field, according to the report. .

In another example, a template that mimics the CDC’s official website asks victims to authenticate their identity with their email password in order to “generate a vaccine ID,” according to the report.

A template spoofing the IRS’ multi-page website displays a bogus offer of financial assistance under a COVID-19 relief program, according to Proofpoint. The site prompts victims to click “continue,” which then takes them to a form asking for sensitive personal information, including social security numbers, full names, birth dates, and zip codes.


Fake IRS website template (Source: Proofpoint)

A fake Canadian government website template has subtle differences from the legitimate site, the report notes.

“The malicious template correctly copies the name of the Department of Revenue of Canada in English and French, Canada Revenue Agency and Canada Revenue Agency respectively. However, the layout, colors and image branding of the malicious model do not match those of the legitimate Canadian government website,” Proofpoint researchers note.

Similar patterns have been found spoofing UK government websites.

Fake landing pages attached to pandemic-themed phishing campaigns were massively rolled out in March as countries around the world locked down to stop the spread of the virus, Proofpoint notes. Usage of these landing pages began to decline in April, which may reflect a saturation point with scammers looking for new lures.

Phishing is changing

At the start of the COVID-19 pandemic, phishing campaigns used decoys that appeared to offer information about the virus. These were followed by phishing emails and malicious domains touting information about travel restrictions, potential remedies, and then updates on working from home, DeGrippo says.

“We’ve seen campaigns on the topic of shifting to remote work over the past few weeks,” he adds.

Earlier this month, Microsoft uncovered COVID-19-themed phishing campaigns with a new twist – hackers sending fake messages about business continuity plans and new payment procedures to spread the data thief. LokiBot information (see: New twist for pandemic-related phishing campaigns).

Daniel L. Vasquez