Fake Websites Used in COVID-19 Themed Phishing Attacks, Impersonating Brands Like Pfizer and BioNTech

By

Category: Unit 42

Tags: , , , , , ,

Conceptual image representing COVID-19 themed phishing attacks

This post is also available in: 日本語 (Japanese)

Executive Summary

In April 2020, we reported on a large influx of COVID-19 themed phishing attacks starting in February 2020. With March 2021 marking the one-year anniversary that the World Health Organization declared COVID-19 a pandemic, we revisited the phishing trends we observed in the past year to gain deeper insight into the various COVID-related topics that attackers might try to exploit.

Starting with the set of all phishing URLs detected globally between January 2020 and February 2021, we generated sets of specific keywords (or phrases) that served as indicators for each COVID-related topic, and applied keyword matching to determine which phishing URLs were related to each topic. (To ensure that the matched URLs were indeed COVID-related, we iteratively spot-checked the resulting URLs and refined these keywords/phrases to minimize the incidence of false positives.)

We found that at each step along the way, attackers have continued to change their chosen tactics to adapt to the latest pandemic trends, in hopes that maintaining a timely sense of urgency will make it more likely for victims to give up their credentials.

We found phishing attacks largely centered around Personal Protective Equipment (PPE) and testing kits in March 2020, government stimulus programs from April through the summer 2020 (including a fake U.S. Trading Commission website that posed as the U.S. Federal Trade Commission in order to steal user credentials) and vaccines from late fall 2020 onward (including a fake Pfizer and BioNTech website also stealing user credentials). Of note, we found that vaccine-related phishing attacks rose by 530% from December 2020 to February 2021, and that phishing attacks relating to and/or targeting pharmacies and hospitals rose by 189% during that same timeframe.

Our analysis showed that Microsoft was the brand most targeted by attackers. For example, fake Microsoft pages were set up by attackers to steal credentials from employees at organizations such as Walgreens (US-based), Pharmascience (Canada-based), Glenmark Pharmaceuticals (India-based) and Junshi Biosciences (China-based). We found no evidence that any of these efforts were successful, but are highlighting these cases to make healthcare organizations around the globe aware of this heightened activity targeting their sector, so they can alert employees to be on guard for malicious credential-phishing sites.

We predict that as the vaccine rollout continues, phishing attacks related to vaccine distribution – including attacks targeting the healthcare and life sciences industries – will continue to rise worldwide.

Palo Alto Networks Next-Generation Firewall customers are protected from phishing attacks with a variety of security services, including URL Filtering, DNS Security, Threat Prevention and GlobalProtect.

In addition to these security services, best practices to protect yourself and your organization from phishing attacks include:

For individuals:

  • Exercising caution when clicking on any links or attachments contained in suspicious emails, especially those relating to one’s account settings or personal information, or otherwise trying to convey a sense of urgency.
  • Verifying the sender address for any suspicious emails in your inbox.
  • Double-checking the URL and security certificate of each website before inputting your login credentials.
  • Reporting suspected phishing attempts.

For organizations:

  • Implementing security awareness training to improve employees’ ability to identify fraudulent emails
  • Regularly backing up your organization’s data as a defense against ransomware attacks initiated via phishing emails.
  • Enforcing multi-factor authentication on all business-related logins as an added layer of security.

Phishing Trends

Since January 2020, we have observed 69,950 phishing URLs linked to COVID-related topics, of which 33,447 are directly linked to COVID-19 itself. In Figure 1, we plot the relative popularity of these different topics over time, normalized so that each topic has a peak popularity of 100%. Looking at how the heights of each colored section differs over time, we can see that certain topics have remained steady targets of phishing attacks, while others have experienced more noticeable spikes at various points in time. Pharmaceutical drugs and gathering virtually (e.g. Zoom), for example, have been a relatively steady target of phishing attacks since the start of the pandemic; vaccines and testing, on the other hand, have experienced more defined peaks in popularity.

Covering topics observed in COVID-19 themed phishing attacks. Colored lines represent topics such as gathering remotely, economy and government programs, PPE, pharmacies and hospitals, vaccines, drugs, testing and COVID-19. The graph charts URLs observed from January 2020-February 2021. The y-axis represents the number of new phishing URLs, normalized.
Figure 1. Trends in COVID-themed phishing attacks from January 2020-February 2021 (global).

For the COVID-19 themed phishing pages that were found to be targeting known brands, we determined that the majority of these pages were attempting to steal users’ business credentials: e.g. Microsoft, Webmail, Outlook, etc. Each bar in Figure 2 represents the percentage of phishing URLs that were attempting to steal users’ login credentials for that particular website. (For example, about 23% of COVID-themed phishing URLs were fake Microsoft login pages.) With the pandemic forcing many employees to shift to remote work, these business-related phishing attempts have become an increasingly important attack vector for cybercriminals.

Covering popular targets in COVID-19 themed phishing attacks. The chart orders targets by popularity. Top targets include Microsoft, Yahoo, Webmail, Outlook, PayPal, Google Accounts, LinkedIn, Facebook, USAA, DHL, WeTransfer, SFExpress, Chase, OneDrive, Wells Fargo, Netflix, Excel, AOL, Apple ID and Square.
Figure 2. Top phishing targets in COVID-related URLs (global). Each bar represents the percentage of phishing URLs attempting to steal users’ login credentials for that particular website. (Note that in this figure, we only include URLs that target identifiable brands.)

Furthermore, we notice that with these COVID-19 themed phishing attacks, attackers are constantly creating new websites to host their phishing campaigns. In Figure 3, which shows the age for each website that we found to host a COVID-related phishing page, we can see that many COVID-related phishing pages are hosted on newly created sites (we define this as sites that were first observed fewer than 32 days ago), suggesting that attackers purposefully set up these sites just days before their intended attacks. This gives the attackers the opportunity to craft the message surrounding the attack – as well as the website URL itself – to fit the latest pandemic trends.

Website age (at detection time) for URLs targeted in COVID-19 themed phishing attacks. the x-axis tracks website age at detection time in days, while the y-axis tracks the relative frequency that age was observed.
Figure 3. Age of websites that host COVID-related phishing pages at time of detection (global).

January-March 2020: Initial Surge, Testing Kits and PPE

Between January and February 2020, as COVID-19 began its spread throughout the world, cybercriminals had already begun trying to use the soon-to-be pandemic to their advantage. During this timeframe, we observed a 313% increase in phishing attacks directly related to COVID-19.

In Figure 4, we see an example of a COVID-19 themed phishing attack. The fake Google Form first asks the user to input his or her email address and password in order to participate in a supposed company COVID-19 screening program. In the subsequent pages, the form asks a series of legitimate-sounding health-related questions, e.g. “Since your last day of work, have you had two or more of the following? Chills, Repeated shaking with chills, Headache, Muscle pain, Sore throat, New loss of taste or smell,” to give the impression that the form itself is legitimate. The final question before submission asks the employee to “digitally sign” the form by entering his or her full name.

This fake Google Form first asks the user to input his or her email address and password in order to participate in a fabricated company COVID-19 screening program. The form combines legitimate-sounding health-related questions with questions aimed at stealing the user's credentials.
Figure 4. https://docs[.]google[.]com/forms/d/e/1FAIpQLSdiQL-IcnGqRIKzTVmpeQSBVRrD06c4NolWvgWcdRH-NgBx-A/viewform?vc=0&c=0&w=1&flr=0 (Credential stealing form related to COVID-19 screening.)
From February-March 2020, concern about COVID-19 spreading to the U.S. quickly became prominent. In response to people’s desire to protect themselves and their families, interest in testing kits, PPE such as hand sanitizer and N95 masks, and even essential goods like toilet paper began to rise rapidly.

This chart tracks COVID test kit online interest vs. phishing prevalence. The x-axis represents year and month and ranges from 4/1/2020 to 1/1/2021. The y-axis tracks normalized popularity. The blue line represents COVID test kit interest according to Google Trends, and the red line indicates testing-related phishing.
Figure 5. Online interest in “COVID Test Kit” vs. COVID testing-related phishing prevalence (global data via Google Trends).

These trends are observable in our historical phishing data as well. In February 2020, we observed a 136% increase in PPE-related phishing attacks worldwide, many of which took the form of online shopping scams (see Figure 6 for an example). During the month of March, we observed a 750% increase in phishing attacks related to testing kits, just as The New York Times reported on a shortage of COVID tests across the U.S.

This is an example of a scam website, translated from German to English. The website purportedly offers PPE.
Figure 6. https://atemmaske-kn95-de[.]com (Scam website, translated from German to English).
In addition to these scam sites, we also observed seemingly legitimate testing kit vendors whose websites had become compromised for credential stealing purposes. In Figure 8, we see a fake Microsoft Sharepoint login page that a user would be taken to via a link in a phishing email. The phishing page would ask for the user’s email and Microsoft password in order to view a time-sensitive invoice that had been “shared” with him or her.

This website belonging to a UK-based wholesaler of COVID-19 test kits presents an example of the type of legitimate website that could be compromised for credential stealing purposes in COVID-19 themed phishing attacks.
Figure 7. covid-testkit[.]co[.]uk (A UK-based wholesaler of COVID-19 test kits)
A fake Microsoft Sharepoint login page that a user would reach via a link in a phishing email.
Figure 8. covid-testkit[.]co[.]uk/wp-includes/images/i/Newfilesviewc7c782c3b7c54f958e7eb2efff3a49b28866b4fc22dd46cfbad9e6ac9d0cd18cca873584897b48c88d82ecf5cd62783dServices (Credential stealing page on a compromised COVID-related website)

April-July 2020: Government Stimulus and Relief Programs

In April 2020, the IRS began distributing $1,200 stimulus checks to individuals as a part of the CARES Act. Around the same time, the Paycheck Protection Program (PPP) was put into action, promising to provide relief to small businesses across the U.S. Many business owners scrambled to get a piece of the funds, causing online interest in COVID stimulus and relief programs to surge, and funds to quickly run out.

This chart tracks COVID relief/stimulus online interest vs. phishing prevalence. The x-axis represents year and month and ranges from 4/1/2020 to 1/1/2021. The y-axis tracks normalized popularity. The blue line represents COVID relief interest according to Google Trends, the green line tracks "COVID stimulus" interest, and the red line indicates phishing related to these government programs.
Figure 9. Stimulus programs online interest vs. COVID government stimulus and relief-related phishing prevalence (global data via Google Trends).

Subsequently, we noticed that phishing attacks related to government relief programs increased by 600% in April 2020. In Figures 10-11, we show an example of a phishing page pretending to represent the “U.S. Trading Commission,” a fake branch of the U.S. federal government that the FTC warned about. The website promises up to $5,800 in “Temporary Relief Fund” grants for each individual. Fake statistics are displayed on the right-hand side of the page, giving the user the illusion that there are still billions of dollars left to distribute.

The "U.S. Trading Commission" is a fake branch of the U.S. federal government that the FTC warned about. Pictured here is a screenshot of the website supposedly belonging to the fake government agency.
Figure 10. ungodsirealnighchis[.]gq/us/protecting-americas-consumers-covid/ (Fake website pretending to represent the “U.S. Trading Commission.”)
Upon clicking a button saying “Start Verification Procedure,” the user is redirected to a form asking for their Social Security Number (SSN) and driver’s license number in order to receive these emergency COVID relief funds.

This shows the "data validation form" used for credential stealing in a COVID-19 themed phishing attack related to the fake government agency, the "U.S. Trading Commission."
Figure 11. ungodsirealnighchis[.]gq/us/protecting-americas-consumers-covid/verification.php (Credential stealing form related to COVID government aid.)
After completing the form, the confirmation page simply states: “Your response has been recorded. We will contact you as soon as possible. You may always contact us directly at 213-746-7272 for faster service.” (Note that this phone number is likely fake, since once the user has filled out the form, the attacker would already have the credentials they wanted.)

After the legitimate stimulus and relief programs were put in place, these economic relief-related phishing attacks stayed relatively popular for the months to come (see Figure 9), as many people were still in need of financial support. In Figure 12, we see another credential stealing page asking the user to input personal and corporate information, driver’s license photo and bank account details in order to receive additional relief funds from a “COVID-19 giveaway.” We see a similar example in Figure 13, which promises to send the user a free lockdown fund package of 3000 Indian rupees after inputting their bank account information.

Credential stealing page related to a supposed COVID relief giveaway.
Figure 12. covid-19-benefit[.]cabanova[.]com (Credential stealing page related to a supposed COVID relief giveaway.)
COVID-19 themed phishing attacks occurred globally. This screenshot shows a scam website that promises to send the user a free lockdown fund package of 3000 Indian rupees after inputting their bank account information.
Figure 13. fund4-covid19[.]com (Credential stealing site asking the user to input his or her bank account information in order to receive a limited-time “lockdown fund package.”)

November 2020-February 2021: Vaccine Approval and Rollout

For the next several months, various states settled into a state of on-and-off lockdowns, while people awaited news of a potential vaccine.

In November 2020, after months of anticipation, Pfizer and BioNTech released a promising set of initial results, showing over 90% vaccine effectiveness based on a subset of 94 participants in their real-world trial. In December, the U.S. Food and Drug Administration (FDA) granted emergency use authorization for Pfizer’s mRNA vaccine, after which the vaccine rollout began.

With many Americans now looking for a way to sign themselves and their family members up for immunization, it should be no surprise that cybercriminals would try to use this trend to their advantage. From December 2020 to February 2021, we observed a 530% increase in vaccine-related phishing attacks (see Figure 14).

This chart tracks COVID vaccine online interest vs. phishing prevalence. The x-axis represents year and month and ranges from 4/1/2020 to 1/1/2021. The y-axis tracks normalized popularity. The blue line represents COVID vaccine interest according to Google Trends and the red line indicates phishing related to the vaccines.
Figure 14. “COVID Vaccine” online interest vs. COVID vaccine-related phishing prevalence (global data via Google Trends).

In Figures 15-16, we show an example of a fake website that claims to represent Pfizer and BioNTech, the makers of the mRNA vaccine. The phishing page asks the user to log in with his or her Office 365 credentials, supposedly in order to sign up for the vaccine.

Also note that this phishing website employs an increasingly common technique known as “client-side cloaking.” Rather than revealing the credential stealing form immediately, the website first asks the user to click the “Login” button, in an effort to evade automated, crawler-based phishing detectors.

This is an example of a fake website that claims to represent Pfizer and BioNTech, the makers of the mRNA vaccine. The phishing page asks the user to log in with his or her Office 365 credentials, supposedly in order to sign up for the vaccine.
Figure 15. pfizer-vaccine[.]online (Fake Pfizer website with client-side phishing cloaking.)
Rather than revealing the credential stealing form immediately, the website first asks the user to click the “Login” button, in an effort to evade automated, crawler-based phishing detectors.
Figure 16. pfizer-vaccine[.]online (Credential stealing form revealed after user clicks the “Login” button.)
At the same time as attackers have started to capitalize on the vaccine registration process, they have also increased their targeting of hospitals and pharmacies – organizations that play a significant role in distributing the vaccine. According to a national survey conducted by the American Medical Association (AMA), 83% of physician practices have already been affected by cyberattacks at some point in the past. Now more than ever, we suspect that organizations involved in the production and distribution of the vaccine — a process involving high amounts of time-sensitive and confidential data that could be held for ransom — may be viewed as high-value targets for cybercrime.

From December 2020 to February 2021, we observed a 189% increase in attacks related to pharmacies (Figure 17) and hospitals (Figure 18). Many of these attacks are part of larger clusters of phishing campaigns, where several different URLs are sent to different employees of the same organization (e.g. Walgreens and Madera Community Hospital in California), in the hopes that at least one of the employees will mistakenly input his or her credentials into the fake login page.

From December 2020 to February 2021, we observed a 189% increase in COVID-19 themed phishing attacks related to pharmacies (as in the example shown here) and hospitals (example shown in Figure 18).
Figure 17. https://iwalgreens[.]beardspoles[.]cc (Part of a phishing campaign targeting Walgreens employees.)
From December 2020 to February 2021, we observed a 189% increase in COVID-19 themed phishing attacks related to pharmacies (example shown in Figure 17) and hospitals (as in the example shown here).
Figure 18. afmaderahospital[.]org[.]anjritlah[.]com (Part of a phishing campaign targeting Madera Community Hospital employees.)
Perhaps unsurprisingly, given the global nature of COVID-19, these phishing campaigns targeting pharmaceutical and healthcare companies seem to be prevalent worldwide, not just in the U.S. In Figure 19, we see a phishing attack targeting Pharmascience, the largest pharmaceutical employer in Quebec; in Figure 20, we see a phishing attack targeting Glenmark Pharmaceuticals, a Mumbai-based global drug manufacturer; in Figure 21, we see a phishing attack targeting Junshi Biosciences, a Shanghai-based pharmaceutical R&D firm. In the case of Figure 21, the attackers have set up a fake login page posing as SF Express (a Chinese multinational delivery and logistics company), indicating that the attackers may have been trying to steal information related to Junshi’s international supply chains.

A phishing attack targeting Pharmascience, the largest pharmaceutical employer in Quebec.
Figure 19. afpharmascience[.]com[.]oceantrimtex.com (Part of a phishing campaign targeting employees of Pharmascience, Quebec’s largest pharmaceutical employer.)
A phishing attack targeting Glenmark Pharmaceuticals, a Mumbai-based global drug manufacturer.
Figure 20. droidfreedom[.]com/wp-includes/SimplePie/filamora/negwtod/REDACTED@glenmarkpharma.com (Part of a phishing campaign targeting Glenmark Pharma, a Mumbai-based global drug manufacturer)
A phishing attack targeting Junshi Biosciences, a Shanghai-based pharmaceutical R&D firm.
Figure 21. Junshipharma-9107214068[.]parnian-distribution[.]com (Part of a phishing campaign targeting employees of Junshi Biosciences, a Shanghai-based pharmaceutical R&D firm.)
In certain cases, we also observe legitimate pharmaceutical companies whose websites have been compromised and used for phishing purposes. In Figure 22, we can see that pharmalicensing[.]com, a website belonging to a company that helps connect businesses across the life sciences industry, had been compromised and used to host a phishing page for stealing users’ business credentials. These sorts of attacks can be particularly dangerous, as the legitimacy of the original website may trick users into incorrectly thinking that the phishing page is also legitimate.

pharmalicensing[.]com, a website belonging to a company that helps connect businesses across the life sciences industry, had been compromised and used to host a phishing page for stealing users’ business credentials.
Figure 22. pharmalicensing.com/stone/excelzz/bizmail.php (A compromised website from Pharmalicensing used for credential stealing.)
With the global vaccine rollout still very much in-progress, we expect that attacks related to the vaccine – and attacks targeting corresponding industries – will continue to rise as vaccine production and distribution continue to scale up over the coming months.

Conclusion

At various points during the COVID-19 pandemic, we have seen attackers shift their focus from one topic to another depending on the current state of events. In the early stages of the pandemic, testing kits and PPE were a significant area of focus for attackers. The focus then shifted to government stimulus and relief programs, before pivoting again to the vaccine rollout. As we have seen, attackers continually adapt to the newest trends. As a result, cybersecurity defenses must adapt as well.

Individuals should continue to exercise caution when viewing any emails or websites claiming to sell any goods or services or provide any benefits related to COVID-19. If it seems too good to be true, it most likely is. Employees in the healthcare industry in particular should view links contained in any incoming emails with suspicion, especially from emails trying to convey a sense of urgency.

General best practices to protect yourself and your organization from phishing attacks include:

For individuals:

  • Exercising caution when clicking on any links or attachments contained in suspicious emails, especially those relating to one’s account settings or personal information, or otherwise trying to convey a sense of urgency.
  • Verifying the sender address for any suspicious emails in your inbox.
  • Double-checking the URL and security certificate of each website before inputting your login credentials.
  • Reporting suspected phishing attempts.

For organizations:

  • Implementing security awareness training to improve employees’ ability to identify fraudulent emails
  • Regularly backing up your organization’s data as a defense against ransomware attacks initiated via phishing emails.
  • Enforcing multi-factor authentication on all business-related logins as an added layer of security.

For more specific suggestions that individuals and organizations can use to protect themselves, see “COVID-19: The Cybercrime Gold Rush of 2020.”

In addition to these general best practices, Palo Alto Networks Next-Generation Firewall customers are protected from these threats in multiple ways:

To learn more about how Palo Alto Networks can help protect your organization during the pandemic, please see our response to COVID-19.

Acknowledgements

The author would like to thank Wei Wang, Wayne Xin, Jingwei Fan, Yu Zhang, and Seokkyung Chung for providing several data sources that were used in the analyses, and Jun Javier Wang, Kelvin Kwan, Vicky Ray, Laura Novak, Jen Miller-Osborn, Eddy Rivera and Erica Naone for their help with improving the blog.

Indicators of Compromise

COVID-19

covid-19-benefit[.]cabanova[.]com
abccoronavirus[.]online
cpvqapyxmr[.]covid19coronaca[.]net
sign-amazonsnews-alert[.]peduli-covid19.com

Vaccines

vaccine-sarscov2[.]online
sarscov2vaccine[.]online
universalvirusvaccine[.]com
pittsburgh-coronavirus-vaccine[.]online
nhs-vaccination.com
pfizersupply.eu
covid-19vaccine[.]uscis-gov[.]online

Testing

covid-testkit[.]co[.]uk/wp-includes/images/i/Newfilesviewc7c782c3b7c54f958e7eb2efff3a49b28866b4fc22dd46cfbad9e6ac9d0cd18cca873584897b48c88d82ecf5cd62783dServices
sarscov2-test[.]online
y2down[.]xyz/unreadmessages/testkits

PPE

maskacoronavirus[.]online
maskakoronawirus[.]online
malibumasks[.]com/.offce365/?
cloroxus[.]com
www[.]lysolmz9[.]top
atemmaske-kn95-de[.]com

Drugs and Pharmaceuticals

veklury-covid19[.]online
covid19-veklury[.]top
remdesivir-covid19[.]online
covid19-veklury[.]online
covispharmac[.]com
walgreens[.]mcroficatellc[.]com

Pharmacies and Hospitals

jyhhospitaljp[.]com
neelkantcollegeofpharmacy[.]com/images/icon/invntce/shoffpro/sharepoint/verification.php
www[.]afbiohavenpharma.com.dailyoffercode.com
www[.]afamagpharma.com.dulcerialamejor.com
www[.]afbiohavenpharma.com[.]diasahabatku[.]com
www[.]afbiohavenpharma.com[.]besttodaymart[.]com

Economy and Government Programs

disvey[.]ir/authcovid-19reliefgov
covid-stimulus-payment[.]gov[.]free-inhabitant[.]com

hellos[.]tcp4[.]me/Standard-Bank-Online-Relief-Funds-UCount-onlinebanking.standardbank.co.za-direct-login/Standard%20Bank%20Online%20Banking.htm
hmrc[.]covid[.]19-support-grant[.]com
fund4-covid19[.]com
furlough-grant[.]com
covid19emergencyfinancialrelief[.]com

Gathering Remotely

zoominceinvite[.]s3[.]amazonaws[.]com/invitezoom08.html
bit[.]ly/zoomtroubleshoot
us02web[.]zoom[.]us[].]coremailxt5mainjsp[.]com
incoming[.]zoomcallrequest[.]org
zoom-free1[.]com
zoommeetinactivation[.]web[.]app