A recent report from security firm Inky highlights new phishing scams making the rounds that appear to come from the White House. In other times, these scams might be something of a clumsy sideshow. But in these strange times, there appears to be enough suspension of scrutiny for them to be finding targets.
In addition to appearing sufficiently authoritative to take in a significant number of victims, these new phishing scams are also noteworthy in that Inky attributes them to Russian hackers.
Exploiting a lack of White House guidance
The first of the new phishing scams appears to come from the White House, bearing the signature of President Donald Trump.
The phishing scam email purports to come from a fictional White House official, making use of a spoofed return email address. The example that Inky published came from a “Valentina Robinson”; there is no known public official by that name.
The email is full of grammatical red flags right from the start, with a title proclaiming “The White House Instruction for coronavirus.” It also opens by announcing that “the quarantine will be prolonged until August 2020”; there is no federal quarantine order, only recommendations that states and localities opt to follow as they see fit. The email also erroneously claims that the federal tax filing deadline has been extended to August 15, when the real extension is only to July 15.
The grammar, structure and factual errors are enough to indicate that this is a likely phishing scam. However, it all might appear plausible enough to those who trust in the legitimacy of the return address and skim the email contents to get straight to the link.
The link leads to a much more competent copy of the official White House coronavirus information site. But when the target clicks on the “download and read full document” link, they’re given a Microsoft Word file that launches malicious macros once the “editing” and “content” features are enabled. The macros then attempt to download malware that steals personal information from the system.
An alternate but similar phishing email, presumably from the same attackers, tries to entice users to download the document by promising new developments in slowing down the spread of the coronavirus.
This attack may be related to a similar White House phishing scam making the rounds in which Vice President Mike Pence appears to be trying to shake down the reader. The email targets companies and claims that Pence just got out of a security meeting regarding the business, and wants a Bitcoin bribe to not bring charges of human trafficking and drug dealing.
Though these attempts at extortion scams might seem laughable under other circumstances, they are no doubt aided in part by the White House issuing information that is sometimes confusing, contradictory or incomplete. People who are anxious and lacking good guidance are more likely to be baited into a phishing scam that looks official enough. And as Erich Kron, Security Awareness Advocate for KnowBe4, notes, adverse conditions can cause people to make otherwise unfathomable mistakes: “In the case of the emails purportedly sent from Mike Pence to business owners, this is also an attack on emotions, as many business owners are currently under stress either because their sales are down, or in some cases because they are more busy than they ever have been depending on the industry … While in both of these cases, there are glaring grammar and spelling errors, when placed under stress, people may not notice these. This is why it’s so important whenever an email, text message, or even phone call causes an emotional response, to step back for a moment, take a breath and look very critically at the situation. Attackers use our emotions to bypass critical thinking.”
A golden age for phishing scams
Phishing scam attempts are way up during the coronavirus safety measures, with much of the world’s population spending their days online and working from home computers that have less in the way of security than corporate networks.
These conditions are causing a general cyber crime wave, but phishing scams that target email accounts appear to be the most common attack type and also appear to be enjoying the biggest boost in success rates.
The Inky report indicates that recent phishing scams appear to be making heavy use of templates based on a similar body text, a phenomenon the company calls “Coronaphish.” It would thus be reasonable to infer that opportunistic criminals are making use of the relatively low prices for prefab phishing kits (available on the dark web for as little as $20), and that many of these attempts are coming from actors that are not particularly sophisticated.
While it’s possible that a group linked to the FSB is behind the White House phishing emails, it doesn’t seem particularly likely that these are government-backed hackers given the lack of sophistication and easily correctable mistakes. Petty criminals in Russia are unofficially given quite a bit of freedom to hack for profit and run these sorts of phishing campaigns, so long as they stay outside of national borders and don’t cause problems for the government.
As Paul Bischoff, privacy advocate with Comparitech, points out, even a more sophisticated White House phishing scam should be easy to detect: “The U.S. federal government doesn’t make unsolicited contact via email, so disregard any emails purporting to be from the White House or other government departments. Never click on links or attachments in unsolicited emails.” The government generally makes announcements such as these through websites and regular televised briefings, and counts on mass media coverage to disseminate the information to the public.
And as Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, points out, there is one very simple trick for defeating any phishing scam attempt that relies on impersonation of an established organization or person: “Now more than ever consumers should utilize ‘trusted paths’ such as going to those organizations’ websites directly rather than clicking a link or opening an attachment in an email to access important information about the pandemic.”