CDC, IRS and other federal sites spoofed in global phishing scams

New research from Proofpoint has identified numerous phishing email campaigns over the past two months, some of which impersonated and spoofed websites from federal agencies, international governments and public health organizations involved in COVID-19 relief.


In the latest sign that the coronavirus pandemic is being seized on by scammers, fraudsters and cyber criminal groups, new research from Proofpoint has identified numerous phishing email campaigns over the past two months, some of which impersonated and spoofed websites from federal agencies, international governments and public health organizations involved in COVID-19 relief.

The company said it has tracked more than 300 such campaigns as well as a number of multi-page phishing templates that mimic the websites of agencies like the Centers for Disease Control and Prevention, the Federal Emergency Management Agency, the IRS and the White House in order to steal users' banking credentials. The templates and emails number in the hundreds of thousands and were collected through internal research and Proofpoint's email security software. Sherrod DeGrippo, Proofpoint's Director of Threat Research and Detection, told FCW in an interview that the templates make up a number of common phish kits that allow scammers with little technical knowledge to carry out their operations at scale.

Many of the emails used the COVID-19 outbreak to entice users to hand over their banking credentials in order to receive their stimulus checks. The campaigns targeted both Americans and international users, with some websites impersonating the World Health Organization, Her Majesty's Revenue and Customs (the tax collection agency in the U.K.) and the French government.

One email sent to FCW by researchers and not included in their published blog purports to be from the Federal Reserve, touting that its "Protection Program" was fully operational and available to provide payments to economically distressed Americans. It lists a phone number with a Washington D.C. area code for media inquiries and specifies that requests for payments "must be received no later than 45 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER." In reality, the email, sent to approximately 100,000 people, provides users with a link to a spoofed site where they can enter their banking information.

Another example sent by researchers shows a website template for coronavirus financial help that promises to sign users up for their stimulus checks "with 1 click" and contains a drop-down menu to enter credentials for their chosen bank. Bizarrely, the site contains mimicked logos for the White House, the Centers for Disease Control and Prevention and the Federal Emergency Management Agency (though not the IRS, the agency charged with disbursing the checks) all on the same page.
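The two lures above share a structure a mail-filtering team can key on: federal-agency branding, a stimulus-payment premise, and a link that sends the recipient to a non-government host to enter banking details. The triage routine below is an added illustration written for this article, not Proofpoint's or FCW's code; the sample message and its `fedreserve-relief.example` domain are constructed placeholders modelled on the Federal Reserve email described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Agencies and lure phrases taken from the campaigns the article describes.
AGENCIES = ("federal reserve", "irs", "fema", "cdc", "white house")
LURE_TERMS = ("stimulus", "protection program", "covid", "coronavirus")


class LinkExtractor(HTMLParser):  # collects the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def is_gov_host(host):
    """True for .gov/.mil hosts; the spoofed sites in the article are not."""
    host = (host or "").lower().rstrip(".")
    return host.endswith(".gov") or host.endswith(".mil")


def triage(from_header, subject, html_body):
    """Return the reasons a message looks like an agency-impersonation credential phish."""
    plain = re.sub(r"<[^>]+>", " ", html_body)  # drop tags, keep visible text
    text = f"{from_header} {subject} {plain}".lower()
    agencies = [a for a in AGENCIES if re.search(rf"\b{re.escape(a)}\b", text)]
    lures = [t for t in LURE_TERMS if t in text]
    m = re.search(r"@([\w.-]+)", from_header)
    sender = m.group(1).lower() if m else ""
    parser = LinkExtractor()
    parser.feed(html_body)
    hosts = {urlparse(h).hostname for h in parser.hrefs if urlparse(h).scheme in ("http", "https")}
    offsite = sorted(h for h in hosts if h and not is_gov_host(h))
    reasons = []
    if agencies and not is_gov_host(sender):
        reasons.append(f"invokes {agencies} but is sent from '{sender or 'unknown'}'")
    if agencies and offsite:
        reasons.append(f"agency branding with links to non-government hosts {offsite}")
    if lures and offsite and re.search(r"\b(bank|account|routing)\b", text):
        reasons.append(f"stimulus lure {lures} steers banking details off-site")
    return reasons


# Constructed sample modelled on the Federal Reserve lure; the domain is a placeholder.
SAMPLE = dict(
    from_header="Federal Reserve Protection Program <payments@fedreserve-relief.example>",
    subject="Protection Program payments now available",
    html_body='<p>The Federal Reserve Protection Program is fully operational. Requests must be '
              'received within 45 days.</p><a href="https://fedreserve-relief.example/claim">Enter your bank account</a>',
)
```

A legitimate IRS notice sent from an irs.gov address and linking only to irs.gov produces no reasons, so the same three checks separate the spoof from the real "Get My Payment" guidance mentioned later in the article.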

A common theme for almost all the campaigns was an effort to leverage interest in the COVID-19 pandemic, but DeGrippo said the actors otherwise adopted a general "spray and pray" strategy for victims, with little apparent focus on specific individuals or industries.

"They loaded up the spam cannons, shot them out there and hoped for the best," said DeGrippo. "It's a tactic that also works. I don't think not being super targeted is any indication that it's not effective or that the threat actor is not equipped. Getting 100,000 messages out [over four days] is not an easy feat."

Even as threat intelligence companies and federal agencies have tracked an explosion of coronavirus-themed scams online in recent months, DeGrippo said that observed credential phish activity has not increased significantly during the pandemic, indicating that it is existing actors shifting their tactics rather than an increase in the overall threat ecosystem.

"Comparatively over the past several years, volumes of credential phish specifically haven't moved [over the past few months] in ways where we thought 'Oh my gosh there's this huge volume increase,'" she said. "What we are seeing is that a threat actor might normally send a credential phish for banking details [and] the shift now is they're going to wrap that attempt…in a premise around COVID-19."

Federal agencies like the IRS, the Cybersecurity and Infrastructure Security Agency and the FBI have all warned of a shift in recent months by cyber criminals to profit from increased attention surrounding the pandemic. In particular, experts have worried that the rush by the IRS to process and disburse hundreds of billions of dollars in stimulus relief to Americans has left the program vulnerable to fraud.

Adding to the confusion, the IRS website where Americans can check on the status of their stimulus payments received criticism for its functionality during the initial weeks after passage of the CARES Act, with some users reporting online and on social media that the site did not recognize their taxpayer information and that small differences, such as not writing their full name in all capital letters, could trip up the system and return an error message.

The IRS updated its "Get My Payment" tool in late April to fix the error, but the inability to access their information on the official IRS website could have left users more susceptible to exploring quicker solutions offered by scammers. The agency's "Frequently Asked Questions" page warns users to be on the lookout for emails and links asking for banking information related to their checks, and on May 18 the IRS announced it had added another 3,500 phone operators to field questions from taxpayers about their stimulus payments.