Phishing

6 most sophisticated phishing attacks of 2020

April 27, 2021 by Patrick Mallory

Any time there is a large disruption in our daily life, cybercriminals jump to the chance to engage in new forms of social engineering attacks. One of the most common is phishing, a nefarious play on the word “fishing,” where attackers work to trick a victim into giving up personal information, financial details or even credentials and passwords to use in larger cyberattacks, to harvest for the dark web or to commit a form of fraud. 

Whether posing as a legitimate business, an official government agency or even a colleague or non-profit, these attacks use a wide range of sophistication, skill and tenacity to trick their victims.

Sadly, in the face of the economic, social and public health tragedy tied to the COVID-19 global pandemic, 2020 saw no respite for victims already struggling with a lot on their plates. Some studies noted a 220% increase in phishing incidents compared to 2019, fueled by so much of the population moving to a work from home or distance learning model. At the same time, 2020 also saw an evolution in the sophistication of the usually juvenile form of cybercrime, demonstrating the planning, skill and persistence of some groups to create elaborate phishing schemes. 

Here is a roundup of six of the most sophisticated and unique phishing attacks of 2020.

1. Fake virtual meetings

As remote work took off in early 2020, hackers seized on the opportunity to create phishing campaigns targeting users leveraging popular virtual meeting technology. 

In April 2020, the FBI sent out an alert warning that cybercriminals were targeting businesses and healthcare workers using fake Zoom and Skype meetings, sending them emails that looked very familiar to legitimate invitations. In one of the more nefarious versions of this phishing attack, cybercriminals send out meeting invitations using words like “termination” and “crucial HR meeting” to enhance the emotional reaction of victims to click past suspicious content, drawing on the large layoffs occurring early in the year. 

Once a user clicked to join the meeting, the fraudulent website recorded the user’s actual credentials to the services. The cybercriminal then used the information to further the legitimacy of their phishing campaigns, or worse.

More sophisticated campaigns involving Google Meet, Zoom and Microsoft Teams saw cybercriminals registering domains using an “.app top level domain” to create “carbon copy” landing pages that even use HTTPS to trick security products and even observant users. According to one analysis by Checkpoint, new domain registrations with names involving “Zoom” increased by more than 1,700 in just a few weeks.

Cybercriminals furthered the urgency of the phishing attack with notification tied to emergencies and even personalized appeals. And, adding a new level, cybercriminals even began to target classrooms, registering domains that include typosquatting Google Classroom.

2. Manor Independent School District

Right at the beginning of the new year, a small, 9,000 student school district in Texas announced that they were partnering with local police and the Federal Bureau of Investigation (FBI) to investigate how a yet to be identified cyberactor was able to successfully pull $2.3 million out of an account related to the district. 

While details about the case are light, the target and the financial impact demonstrate a potentially new and dangerous breed of theft that could quickly gain more prominence. The only publicly available details point toward the attacker using phishing techniques to pull financial and user account information from victims to perform three separate bank transactions. Today, over a year later, the school district has only been able to recover about a third of the money they lost.

3. The Ritz Hotel

Despite the steep decline in travel and vacations, the Ritz Hotel in London fell prey to a phishing scam during the summer of 2020.

The attack, which led to a data breach, included scammers posing as hotel staff obtaining personal and financial information after separately breaking into the location’s “food and beverage reservation system.” Using details about their upcoming reservations and phone number spoofing technology, cybercriminals reached out to customers to request them to confirm their payment card details. In one case, the scammers used the information to make small purchases from local retailers.

4. U.S. Army Recruiting Command

In a unique instance of cybercriminals seeking to profit off of rising military and geopolitical tensions, the United States Army Recruiting Command and Federal Selective Service System found themselves spoofed in early 2020. 

Feeding off of the rising tension between the United States and Iran during the winter of 2019 and 2020, cybercriminals phished recipients with malicious links through emails and text messages claiming that if the reader did not pay a fee, register in an online system or fill out a form, that they would be subject to a U.S. military draft. 

5. COVID-19 relief and stimulus payments

After the United States Congress approved COVID-relief packages and stimulus payments to large numbers of Americans, cybercriminals again jumped on the opportunity to phish unsuspecting victims via text message.

In November 2020, the Internal Revenue Service, state governments and industry groups began to notice a phishing scam teasing recipients with a $1,200 “economic impact payment” from the “COVID-19 TREAS FUND.” The scam worked by telling recipients that “further action is required to accept this payment into your account. Continue here to accept this payment …” Upon clicking the link, a website that spoofed the IRS.gov “Get My Payment” website was displayed and prompted victims to provide their personal and bank account information.

6. Imitation of official public health services

Rounding out our list of sophisticated and unique phishing attacks of 2020 involves cybercriminals spoofing organizations like the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO).

At the beginning of the pandemic, one phishing email showed attackers sending out malicious links and PDF documents claiming to be from the WHO or the CDC providing information on “how to protect yourself from the spread of the disease.” The email then listed links that also claimed to be extra safety measures. The attackers then attempted to download malware on the user’s computers from the poorly-crafted landing page or when they downloaded the attachment.

IBM, Sophos and Kaspersky found similar phishing attacks in Asia using the same technique of emailed letters imitating the CDC, urging readers to open a page that contains information about outbreaks near where they live. Upon clicking the link, users are shown a Microsoft Outlook online log-in portal, prompting users for their log-in information. The attackers then used the information to go through victims’ email accounts.

Staying on top of current phishing attacks

As if the personal, professional and health challenges of the year were not enough, cybercriminals took advantage of the unusual events to ratchet up their malice. Unfortunately, phishing attacks like these, and many others that occur every day, show that cyberattackers are showing no signs of stopping, especially when the risks are far outweighed by the potential financial benefits they could achieve. 

 

Sources:

2020 Phishing and Fraud Report, F5

Hackers imitating CDC, WHO with coronavirus phishing emails, TechRepublic

Watch Out for Coronavirus Phishing Scams, WIRED

IRS warns people about a COVID-related text message scam, IRS

How Iran’s Hackers might Strike Back After Soleimani’s Assassination, WIRED

Phishing warning, @SSS_gov

Army recruiting discredits military draft texts, U.S. Army Recruiting Command

Ritz London suspects data breach, fraudsters pose as staff in credit card data scam, ZDNet

Manor ISD recovers $800,000 after millions stolen in phishing scam, FOX 7 Austin

Texas school district falls for email scam, hands over $2.3 million, ZDNet

COVID-19 Impact: Cyber Criminals Target Zoom Domains, Check Point

New COVID-19 Phishing Campaigns Target Zoom, Skype User Credentials, Health IT Security

New Phishing Attacks Prey on Job Loss Fears With Fake Zoom Meeting Invites, Forbes

Cybercriminals Targeting US Providers with COVID-19 Phishing Attacks, Health IT Security 

Posted: April 27, 2021
Articles Author
Patrick Mallory
View Profile

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program. Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.

Leave a Reply

Your email address will not be published. Required fields are marked *