Researchers at Fortinet have identified a spear phishing campaign targeting medical suppliers with COVID-19-themed emails. The emails contain choppy grammar, but the message is clear enough that an employee might be induced to open the malicious attachment.
“Good Morning!” the email states. “I tried calling earlier but no one was on the phone, so I resulted in getting email contact from your corporate business website....With respect to the global COVID-19 pandemic, we would like to inquire for a quite bulky list of pharmaceuticals and medical devices to cope with current high demand. Please include detailing as organised in Word Document and revert us with shipping and payment terms as well.”
The email used in this campaign contains some glaring typos that may have tipped off observant recipients. The email’s subject line refers to “Medical Sipplies,” and the title of the attachment is “Meducal Inquiry.” The attackers also exhibited poor operational security, allowing Fortinet to tie them to an earlier 419 scam campaign.
Fortinet notes, however, that the attachments deliver the Agent Tesla infostealer, a popular remote access Trojan sold on the black market. The researchers say this highlights a trend in which unsophisticated attackers are able to up their game by purchasing malware from more advanced criminals.
“Since security professionals have been conditioned to spot 419 scams, the individuals behind them have realized that they must evolve in order to expand their reach,” the researchers explain. “Because of the availability and ease of use of commodity malware, we have observed these attackers becoming a little more sophisticated by their use of Agent Tesla, as well as the use of other known commodity tools to make their plans a little less obvious.” A 419 scam is an advance-fee scam, also known as a “Nigerian Prince” scam. The number 419 refers to the section of the Nigerian criminal code that outlaws this particular form of fraud.
“Sipplies” and “Meducal” are obvious misspellings, but it’s worth noting that many phishing emails don’t contain any grammatical errors or misspellings, so employees need to follow some security best practices to avoid falling for these attacks. In addition to implementing technical defenses, Fortinet recommends employee training as an essential layer of defense.
“Organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks,” the researchers write. “Employees should also be reminded to never open attachments from someone they don’t know, and to always treat emails from unrecognized/untrusted senders with caution. Further, because of its manner of distribution, it is crucial that end users are educated to spot social engineering attacks by training, and through the delivery of impromptu tests via email sent surreptitiously from the security team.”
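The two rules Fortinet gives above (treat unrecognized senders with caution, never open attachments from someone you don't know) can also be enforced ahead of the user, at mail-triage time. The script below is an added example and not Fortinet's or KnowBe4's code: it parses an inbound message with Python's standard `email` module, flags any attachment that arrives from a sender outside a known-contact list, and separately flags attachment types that commonly carry commodity malware such as Agent Tesla. The sample message is constructed here to mirror the campaign (misspelled subject, Word-document attachment) and carries no real payload; the `KNOWN_SENDERS` allow-list and the `RISKY_EXTENSIONS` set are assumptions you would replace with your organisation's own data.

```python
"""Triage inbound mail: flag attachments from unrecognized senders and
attachment types that commonly deliver commodity infostealers.

Added example; the messages below are constructed, not real captures."""
import os
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: senders the organisation already does business with.
KNOWN_SENDERS = {"orders@trusted-distributor.example"}

# Assumed set of attachment types an unknown sender should never deliver
# unchallenged (Office documents, archives, scripts, executables).
RISKY_EXTENSIONS = {
    ".doc", ".docm", ".docx", ".rtf", ".xls", ".xlsm",
    ".exe", ".js", ".vbs", ".iso", ".zip", ".rar",
}

# Constructed lure modelled on the campaign: misspelled subject, Word attachment.
# The base64 body is a harmless placeholder, not a real document.
SAMPLE_EMAIL = """\
From: "Purchasing Dept" <purchasing@unknown-supplier.example>
To: sales@medical-supplier.example
Subject: Medical Sipplies
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Good Morning! Please include detailing as organised in Word Document.

--XYZ
Content-Type: application/msword; name="Meducal Inquiry.doc"
Content-Disposition: attachment; filename="Meducal Inquiry.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAAQAAAAAAAAA=
--XYZ--
"""

# Constructed benign message: known sender, no attachment.
BENIGN_EMAIL = """\
From: orders@trusted-distributor.example
To: sales@medical-supplier.example
Subject: Re: PO 4471 shipping date

Shipping confirmed for Friday.
"""


def attachment_names(msg):
    """Return the filenames of every non-multipart part that carries one."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        fname = part.get_filename()
        if fname:
            names.append(fname)
    return names


def triage(raw, known_senders=KNOWN_SENDERS, risky=RISKY_EXTENSIONS):
    """Parse a raw RFC 822 message and decide whether it should be held.

    Rule 1 (from the page): any attachment from a sender not on the
    allow-list is suspicious.  Rule 2: certain file types are suspicious
    regardless of sender, because a known contact may be compromised.
    """
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender = addr.lower()
    names = attachment_names(msg)
    reasons = []
    if names and sender not in known_senders:
        reasons.append(f"attachment from unrecognized sender {sender}")
    for name in names:
        ext = os.path.splitext(name)[1].lower()
        if ext in risky:
            reasons.append(f"risky attachment type {ext}: {name}")
    return {
        "sender": sender,
        "attachments": names,
        "quarantine": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        verdict = triage(raw)
        print(label, "->", "QUARANTINE" if verdict["quarantine"] else "deliver", verdict["reasons"])
```

Note that the second rule fires even for an allow-listed sender: a compromised supplier mailbox is a common way for commodity malware to reach a target, so the allow-list should only ever relax the unknown-sender rule, never the file-type rule. Extension checks are also easy to bypass (double extensions, archives, disguised MIME types), so treat this as a first-pass triage signal that feeds sandboxing or manual review, not as a complete gateway filter.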
New-school security awareness training can teach your employees to recognize the warning signs of social engineering and educate them about the various tactics used to install malware.