Watch out for COVID-19 phishing and malware

Cybercriminals are capitalising on Coronavirus (COVID-19) to send fake email and SMS phishing attacks that could infect computers or lead to the theft of logins and personal information.
Clive Reeves · 17 March 2020 · 3 minute read

An SMS-based phishing attack sent to Australians this week, with the sender shown as “GOV”, claimed the receiver had a “new message regarding the COVID-19 safetyline symptoms”. The subsequent message advised the location of local testing facilities.

People who followed the included link were directed to a website that would encourage Android device users to install an application. Anyone who visited the site from a non-Android phone, such as an iPhone, was directed to a benign government website instead.

The Australian Cyber Security Centre has recently warned the SMS and subsequent Android application could be used to steal banking credentials.

“The link in these text messages is not legitimate, and if clicked on, may install malicious software on your device, designed to steal your banking details,” it said.

The steps to install the Android application required people to check a box to install apps from unknown sources in their device’s settings. They could not be infected by merely visiting the site.

It is unclear if the malware was caught by Android’s much-improved in-built security defences which are present on new devices, or those running supported versions of the mobile operating system.

Telstra has blocked the offending domain, protecting customers across mobile and broadband services from accessing the site. Google has also blocked the domain under its Google Safe Browsing Initiative.

However, the rapid nature of cybercrime means new copycat domains that potentially contain the same content are likely to surface.

We should all be vigilant and not respond to unexpected messages over any communications platform, especially those which request links be clicked on or attachments be opened.

Yet more phishing attacks are targeting COVID-19 remote workers around corporate Australia.

These phishing attacks – and dozens of others that promise information on COVID-19 – entice users to open malicious attachments (some containing dangerous malware) and follow links designed to steal logins.

The emails are part of a surge of COVID-19 themed phishing campaigns detected since January which include malicious messages purportedly sent on behalf of the Australian Medical Association (AMA) and global bodies including the World Health Organisation (WHO).

Cyber security vendor Proofpoint says criminals have written phishing emails that claim to be from organisations’ human resource departments and executives. The fake messages encourage victims to open and sign attached malicious documents.

We advise anyone who is working from home to avoid opening unexpected email document attachments, and to report suspected phishing emails in line with their company’s cyber security policy or delete them.

Meanwhile, Check Point, a cyber security vendor, said 4,000 COVID-19 domains have been registered between January and 3 March, of which it suspects 3%, or 120 domains, are suspicious.

“Coronavirus-related domains are 50% more likely to be malicious than other domains registered at the same period, and also higher than recent seasonal themes such as Valentine’s Day,” Check Point researchers said.

One of the first COVID-19 phishing emails sent in January targeted victims in Japan and contained purported advice about the virus outbreak.

At least one of the phishing documents claiming to contain COVID-19 advice unleashed the Trickbot malware when opened.

Trickbot is one of the worst cyber security threats facing organisations today. The malware can download additional malicious payloads including the Ryuk ransomware which has the capacity to down global businesses. It can also deploy capabilities that allow it to spread across networks and to new computers through hijacked user email accounts.

Other COVID-19 phishing emails have dropped the NanoCore remote access trojan which grants hackers control of infected systems.

Many more contain links that load malicious login pages that mimic the appearance of tech brands like Adobe and Microsoft Office 365.

We encourage everyone to be on alert for any unexpected emails that request users log in to pages or download attachments. Typos and poor grammar are a common but ultimately effective indicator of phishing.



By Clive Reeves

Deputy Chief Information Security Officer

Clive is the Deputy Chief Information Security Officer and has over 20 years’ experience in cyber security risk management, engineering and operations. Clive leads critical customer-facing security capabilities including the Telstra Security Operation Centres and the Defence Engagement Security Team. Clive was previously the CISO for Telstra’s Defence Engagement Team and also managed a secure ops and incident response centre. Prior to joining Telstra, Clive worked for the Australian Government and served in the Royal Australian Air Force (RAAF). Clive is an engineering graduate of RMIT and holds an MBA in Technology Management.
