Introduction

As the world faced the COVID-19 pandemic, threat actors saw an opportunity to exploit the crisis. Phishing campaigns leveraging COVID-related themes surged, preying on fear and uncertainty. In understanding these campaigns, you’ll find that they typically employed relatable and urgent messages, spoofed email addresses, seemingly credible domains, and carefully crafted email bodies. Successful campaigns made these elements appear legitimate, bypassing the target’s basic filters of suspicion. Let’s delve into the anatomy of such phishing campaigns and decipher what made them effective.

Subject Lines

The subject line of an email is your first chance to grab attention and induce urgency. During the pandemic, these lines often promised critical information, flouting official tones to evoke a sense of urgency.

• Basic: “COVID-19 Update: Important Information”
• Advanced: “HR: Immediate COVID-19 Policy Update Required”
• Expert: “Re: Please Review – New Office Protocols Effective Tomorrow”

Using an established communication thread by inserting ‘Re:’ lends an air of continuity and legitimacy that decreases likelihood of skepticism.

Sender Patterns

The sender’s address often includes subtle manipulation to appear authentic. This might involve slight alterations in domain names or employing legitimate-looking personal names.

• Basic: no-reply@covidupdates.com
• Advanced: john.smith@companycovidresponse.com
• Expert: jane.doe@linkedin-support.co

A well-crafted sender pattern mimics a company’s structure or uses familiar names to forge deeper credibility.

Domain Construction

Domain names are particularly important as they lend credibility. Attackers often use lookalike domains to deceive targets into believing they’re legitimate.

• Basic: www.covid-alerts.info
• Advanced: www.company-coronavirusalerts.com
• Expert: www.who.int-support.org

The subtle incorporation of official domain keywords within the URL structure is a hallmark of sophisticated phishing attempts.

Email Body

The body of the phishing email is where you need to embed intrigue and urgency without raising flags. This involves using real-world events, meticulously crafting language, and embedding authority cues.

Subject: Re: Action Required - COVID-19 Work Schedule Update<br>

From: jane.doe@linkedin-support.co<br>

To: [Recipient's Email Address]<br>

Date: April 1, 2020<br>

<br>

Dear Team Member,<br>

<br>

In response to recent updates in CDC guidelines, we are implementing new work schedules to ensure safety for all employees. Please review the attached document for your updated work schedule.<br>

<br>

[View Schedule]<br>

<br>

Stay safe,<br>

Jane Doe<br>

HR Department

Embedding a call to action that incites the reader to click is key. Language tailored to the organizational context increases the chances of interaction.

URL Structure

Phishing URLs are carefully constructed to resemble legitimate links, often mixing genuine domain elements with minor variations.

• Basic: http://covidalerts-info.com
• Advanced: http://company-update.net/covid19
• Expert: http://who.int.support.org/user-update

Expert-level phishing crafts URL strings that seamlessly integrate with known trusted domains. This convincingly masks the deception, urging the user to click without pause.

Good / Better / Best

1. Good: Use general COVID-19 information as a hook. This is broadly appealing and can grab attention based on common fears.
2. Better: Tailor your phishing email to the organization and incorporate specific references to their internal processes. This method leverages social credibility cues.
3. Best: Integrate the phishing attack into existing communication streams by replying to or modifying ongoing threads. This near-perfect emulation of real interactions amplifies trust and minimizes doubt.

Do’s and Don’ts

• Do: Imitate professional styling and use language that aligns with corporate communication norms.
• Do: Incorporate urgency subtly; do not overuse caps lock or exclamation marks.
• Don’t: Use poorly constructed domains. Even minor discrepancies are more noticeable than you’d think.
• Don’t: Overburden the message with too much information or terminology that could give away the game.

Related Concepts

Understanding of spear phishing is crucial, as it demonstrates targeted manipulation based on personalized data. Another related pivot is business email compromise, which involves stealing data under the guise of legitimate business communications.

References

For more, examine scholarly reviews on COVID-19 phishing tactics such as those found in cybersecurity journals, or consult vendor threat reports that analyze emergent phishing campaigns and their methodologies.

Related Reading

• Financial Aid Refund Scam
• Webcam Exploitation Ransom
• Anti-antivirus
• Tax and IRS Phishes

Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.