Research Saturday 4.18.20
Ep 131 | 4.18.20
How low can they go? A spike in Coronavirus phishing.

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:25] Thanks for listening to the CyberWire's Research Saturday podcast. Today, I want to reach out to those members of our audience who are students or serve in the military. Did you know that the CyberWire has special CyberWire Pro subscription offers just for you? Well, you do now. Because of your student or military status – that's active or reserve military status – you are able to subscribe to CyberWire Pro or CyberWire Pro Plus at a significant discount. That means you can unlock access to our Focus Briefings, exclusive podcasts, Quarterly Analyst Calls, premium articles, and much more. To learn more, visit, and click on the "Contact Us" button in the "Academic or Government and Military" box at and then click "Contact Us" in the box that applies to you, and we'll hook you up. Thanks again for listening to Research Saturday.

Fleming Shi: [00:01:21] When we picked up on the coronavirus-related attacks, we just saw a spike, which got us to a point where we wanted to make sure people were aware, because the spike is pretty severe.

Dave Bittner: [00:01:34] That's Fleming Shi. He's Chief Technology Officer at Barracuda Networks. The research we're discussing today is titled, "Threat Spotlight: Coronavirus-Related Phishing."

Fleming Shi: [00:01:44] Some of the attacks seem to be focused on logistics. As you know, moving medical equipment, healthcare equipment, is very important during this time, so we wanted to make sure we make some noise about it, make sure people are paying attention.

Dave Bittner: [00:02:01] Well, let's go through what you published here together. As you mentioned, you've got quite a spike here. Take us through some of the numbers. What are you tracking?

Fleming Shi: [00:02:12] Absolutely. So, this report is covering the data that we have seen from March 1st to the 23rd. And we saw, you know, obviously, hundreds of thousands of spearphishing email attacks. But we also saw about nine thousand of those are actually related to COVID-19. And to numbers that we have seen in the past, it's over six-hundred percent increase. So, if you look at this in the report, we also talk about sort of the type of attacks are intense, right? So they're scamming, brand impersonation, and blackmailing, even. And obviously, some business email compromise as well.

Fleming Shi: [00:02:56] So, some of these numbers here that we have seen, we're still monitoring, so in the future, hopefully we can provide an update on this. But generally, we saw a very large increase. And you can see more than half – it's actually scams that's out there. And, you know, even in the recent days after the report, we've seen other types of scams related to vaccines and fake treatments and things like that. So, I just wanted to cover those numbers – I believe those are very important. And also, just think through the type of attacks that are involved here, you know, they're varied. So, but those are the numbers.

Dave Bittner: [00:03:36] Well, let's go through it and dig in. What are some of the attacks that you're seeing? Can you share some of the specifics with us?

Fleming Shi: [00:03:42] Sure. Absolutely. So there's the impersonation of the World Health Organization, right? So you can see they're pretending to be the World Health Organization, which means people are going to pay some attention to it, especially during this kind of crisis. There are a lot of fear-driven types of attacks like that. And the other type that I feel is really kind of low – how low can they go? – on the bad guy side, they're using, like, almost blackmailing, saying, hey, if you don't pay ransom, we're going to infect your relatives and your loved ones or your friends. To me, that's really kind of touching the subject in a very aggressive way, because, you know, Maslow's hierarchy of needs – first layer is really physiology. People are obviously scared of the virus and they want to get sick, and if you're throwing out these kind of attacks which targets your family and friends, that is the next level of evil, right?

Dave Bittner: [00:04:51] Yeah.

Fleming Shi: [00:04:52] So I think that's really important.

Dave Bittner: [00:04:55] Yeah, I mean, it really is remarkable how they can take advantage of everyone's fear and anxiety, and in many ways that short-circuits our thinking process. It keeps us from sometimes rationally thinking about the information they're sending us or the actions they're asking us to take.

Fleming Shi: [00:05:13] Yeah. And what is really crazy as well is that, well, I think somewhat predictable – but what they have done is, in the email, they don't – some of these blackmails or scams don't even have any links or attachments to infect your computer or systems or your network. But it's really about scaring you to do something. They will present the Bitcoin information and then you go wire – or you get your Bitcoin as a ransom payment. So, in many ways, it's really kind of – I would say much harder to detect, because it requires a sentiment type of detection capabilities and understanding intent of the email, less about what link it leads to or attachments that it could hurt your system with. So, it's harder to defend, you know. But I obviously want to point that out. But we obviously catch them – our system catches them, but generally, I believe people need to pay attention to that.

Fleming Shi: [00:06:15] The other type of attack that was really – like I mentioned earlier – is pretty serious. It's really targeted, and maybe it's ransomware that goes into your system. One example we highlighted, it was related to a shipment. It's something related to logistics. So, imagine you have to procure a large amount of medical equipment. You'll be tracking certain things. This type of attack will be effective against folks who are really trying to move goods, medical goods. In this situation, it was actually Pony Stealer that sits behind a document or attachment, an email attachment. And obviously, that's also very easy to fall for if you're in the midst of moving a lot of the equipment to help people, right?

Dave Bittner: [00:07:09] Right.

Fleming Shi: [00:07:09] So, people are getting anxious.

Dave Bittner: [00:07:11] Yeah. One of the ones you track here – you have an example of someone using a premise of an invoice, and it reads – it says, "Good day, with the current impact of COVID-19, the coronavirus impact, we would like to know the production delivery status of our orders with you. Kindly fill the details in the attached template for each of the given orders which is pending to ship and send to us by tomorrow. Awaiting your priority cooperation." This looks fairly run-of-the-mill, but by, I suppose, tossing in that COVID-19 element, it sort of grounds it in reality.

Fleming Shi: [00:07:47] That's right. And really, it's designed to get people to open that file and try to fill out a form, or something related to that. And if you think about this, you know, they may be targeting the supplier, they might be targeting the folks who are actually handling the transfer of the goods. So, all these things are designed to cause, you know, havoc in a situation where it will slow down the response and slow down the caretaking of victims.

Dave Bittner: [00:08:21] Yeah. Another thing you're tracking here is credential theft. Can you share some of the details of that with us?

Fleming Shi: [00:08:28] Absolutely. So, credential theft is not new, but we start to see a spike as well. What's really happening is, they're impersonating your Office 365, or your login – your SaaS app's login infrastructure, where you – when you are clicking on a link to get into the app, it will actually hijack that by mimicking your login screen for your application. Obviously, this is hosted on the attacker's side – it's not something that's truly Office 365. They just made a copy of it, screen scrape, and making it look as real as possible. From there, they will harvest your username and credentials, because you will be typing username and password if you're not careful.

Fleming Shi: [00:09:16] So in this situation, actually, the best defense is MFA. So, if you always turn on your multi-factor for all the SaaS applications, regardless if you lose your password, there's this second factor to actually authenticate the user to get into the app. This is really important. So, a lot of times we have seen attacks utilizing legitimate infrastructure, like Google API, for example. It's the infrastructure being weaponized multiple times. People actually host the Office 365 login app in there, and they're harvesting. So obviously, we always report to the folks at Google. But, you know, it's important to pay attention, because these things do come up quite rapidly. They bring it down once they've finished their campaign. So, it's important to pay attention to where you are logging into. In this case, you can see the URL doesn't look normal.

Dave Bittner: [00:10:15] Now, on the detection side of the equation here with the types of tools that you and other providers are making available, are these attacks – are these attempts just variations on established themes? Are they still getting flagged as some of the tried-and-true things that you all are used to detecting, or are they new from the outset? 

Fleming Shi: [00:10:42] The ones that's really fresh, or basically more effective are the ones that is using intent or fear-driven type of attacks, right? There's no links. There's no attachments. Scanners that sandbox the email or the parts of the email is not going to be able to detect there's a malicious payload, for example. It's really about the intent that's involved in the conversation. And some of these conversations are really – especially during the COVID-19 situation – it's fear-driven. So, people are going to naturally take action to be more aggressive.

Fleming Shi: [00:11:16] And, you know, based on that, requires a type of – overused term – but AI-driven capabilities to actually identify whether this communication is normal or not. And this goes around whether, you know, the user has seen this emailer, or the type of conversation that it's having – is that normal? And this is really done by providing a really strong social graph type of capability to understand your user community. Who they communicate with, how do they communicate, and when do they communicate? And what type of topics? And from there, we're able to sift through, you know, normal emails as well as attacks and identify the ones that are really malicious.

Fleming Shi: [00:12:02] So I think the key here is to have a solution that's additive to normal advanced threat protection type of solution you have, or tool you have. Doesn't matter – you know, it doesn't have to be Barracuda. You could have – Microsoft has Defender, they have different type of ATP as well, and other vendors. But you need something on top of that to really detect the intent and really the reason why this email came about, and what is being talked about. So that's really the tough part.

Dave Bittner: [00:12:39] And I suppose, also, there's an element of this that's – you know, communication with your employees to just have awareness that these sorts of things are on the rise and they need to be extra vigilant.

Fleming Shi: [00:12:52] You're absolutely right. And so one piece of advice that's being given is that – you know, we're practicing social distance between human beings, right? We should also practice social distance between your devices. The reason for that is that you may be using your personal email or personal application that's not related to work, and you need to keep that segmented or separated from your professional tools. Because not every personal email has the capability that basically allows you to stop this type of threat. So, that type of attack could infect your tools for your work.

Dave Bittner: [00:13:37] Our thanks to Fleming Shi from Barracuda Networks for joining us. The research is titled, "Threat Spotlight: Coronavirus-Related Phishing." We'll have a link in the show notes.

Dave Bittner: [00:13:47] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team working from home is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.