[HEADS UP] Cybercriminals Launch Phishing Campaign to Capitalize on President's Health

phishing campaign president donald trump covidAs we predicted just a few days ago, malicious actors are now exploiting the media firestorm surrounding President Donald Trump's diagnosis late last week with COVID-19.

Yesterday customers using the Phish Alert Button (PAB) reported a phishing campaign attempting to capitalize on the news of Trump's health situation.

The email is matter-of-fact and to the point, sticking fairly close to themes already established in many mainstream news reports. No ridiculously hyperbolic claims here.

The email offers potential marks an embedded link pointing to a file on Google Docs and suggests that unwitting clickers will be provided a password-protected file of some sort. The file on Google Docs, however, merely provides a redirect to yet another file hosted on download2112.com, a domain created the very day we spotted this phishing campaign (10/6/2020).

Note: HybridAnalysis has a report on a domain (getfile24.com) that it appears to be related to download2112.com.

Curiously, that second file is currently redirecting to a Russian Bitcoin site:

Whether that is or was the intended destination from the get-go is not clear. Perhaps there was a password-protected file at some point that was subsequently taken down. Perhaps there wasn't.

Update (10/09/2020): As it turns out, security researchers were able to get to the bottom of this particular phish. The Google Docs landing page does (or did) indeed lead to the download of BazaLoader, a trojan downloader that pulls down additional malware and effectively establishes a backdoor on the infested machine. (We likely got shunted to that Russian Bitcoin site because the download2112.com site did not like something about the test platform we happened to be using.)

Whatever the case, Google has now started taking down some of the intermediate files hosted on Google Docs:

This malicious campaign uses a variety of very similar emails with a narrow range of closely-related Subject: lines, including:

  • The things you don't know related to Trump's current health state
  • Things you do not know pertaining to Trump's existing health status
  • Most recent details pertaining to Trump's illness
  • Latest details related to Trump's situation
  • Something you don't know regarding Trump's present-day health condition
  • Most up-to-date details related to Trump's situation
  • Latest material about Trump's condition
  • Most up-to-date info about Trump's illness

If you needed yet another reminder that the bad guys can be very aggressive in exploiting alarming headlines, this would be it. And we expect there will be plenty more where this one came from.

This phishing campaign should also serve as a reminder that your employees and users need to be stepped through New-school Security Awareness Training ASAP. They are, of course, the intended targets for this kind of maliciousness, and some of them could very well be just curious enough to click.

And don't be fooled: mere curiosity can indeed kill your organization.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews