CDC, IRS and other federal sites spoofed in global phishing scams

New research from Proofpoint has identified numerous phishing email campaigns over the past two months, some of which impersonated and spoofed websites from federal agencies, international governments and public health organizations involved in COVID-19 relief.


In the latest sign that the coronavirus pandemic is being seized on by scammers, fraudsters and cyber criminal groups, new research from Proofpoint has identified numerous phishing email campaigns over the past two months, some of which impersonated and spoofed websites from federal agencies, international governments and public health organizations involved in COVID-19 relief.

The company said it has tracked more than 300 such campaigns as well as a number of multi-page phishing templates that mimic the websites of agencies like the Centers for Disease Control, Federal Emergency Management Agency, IRS, and the White House in order to steal user banking credentials. The templates and emails number in the hundreds of thousands and were collected through internal research and Proofpoint's email security software. Sherrod DeGrippo, Proofpoint's Director of Threat Research and Detection, told FCW in an interview that the templates make up a number of common phish kits that can allow scammers with little technical knowledge to carry out their operations at scale.

Many of the emails used the COVID-19 outbreak to entice users to hand over their banking credentials in order to receive their stimulus checks. The campaigns targeted both Americans and international users, with some websites impersonating the World Health Organization, Her Majesty's Revenue and Customs (the tax collection agency in the U.K.) and the French government.

One email sent to FCW by researchers and not included in their published blog purports to be from the Federal Reserve, touting that its "Protection Program" was fully operational and available to provide payments to economically distressed Americans. It lists a phone number with a Washington D.C. area code for media inquiries and specifies that requests for payments "must be received no later than 45 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER." In reality the email, sent to approximately 100,000 people, provides users with a link to a spoofed site where they can enter their banking information.

Another example sent by researchers shows a website template for coronavirus financial help that promises to sign users up for their stimulus checks "with 1 click" and contains a drop-down menu to enter credentials for their chosen bank. Bizarrely, the site contains mimicked logos for the White House, the Centers for Disease Control and Prevention and the Federal Emergency Management Agency (though not the IRS, the agency charged with disbursing the checks) all on the same page.

A common theme for almost all the campaigns was an effort to leverage interest in the COVID-19 pandemic, but DeGrippo said the actors otherwise adopted a general "spray and pray" strategy for victims, with little apparent focus on specific individuals or industries.

"They loaded up the spam cannons, shot them out there and hoped for the best," said DeGrippo. "It's a tactic that also works. I don't think not being super targeted is any indication that it's not effective or that the threat actor is not equipped. Getting 100,000 messages out [over four days] is not an easy feat."

Even as threat intelligence companies and federal agencies have tracked an explosion of coronavirus-themed scams online in recent months, DeGrippo said that observed credential phish activity has not increased significantly during the pandemic, indicating that existing actors are shifting their tactics rather than that the overall threat ecosystem is growing.

"Comparatively over the past several years, volumes of credential phish specifically haven't moved [over the past few months] in ways where we thought 'Oh my gosh there's this huge volume increase,'" she said. "What we are seeing is that a threat actor might normally send a credential phish for banking details [and] the shift now is they're going to wrap that attempt…in a premise around COVID-19."

Federal agencies like the IRS, the Cybersecurity and Infrastructure Security Agency and the FBI have all warned of a shift in recent months by cyber criminals to profit off increased attention surrounding the pandemic. In particular, experts have worried that the rush by the IRS to process and disburse hundreds of billions of dollars in stimulus relief to Americans has left the program vulnerable to fraud.

Adding to the confusion, the IRS website where Americans can check on the status of their stimulus payments received criticism for its functionality during the initial weeks after passage of the CARES Act, with some users reporting online and on social media that the site did not recognize their taxpayer information and that small differences -- like not writing their full name in all capital letters -- can trip up the system and return an error message.

The IRS updated its "Get My Payment" tool in late April to fix the error, but the inability to access their information on the official IRS website could have left users more susceptible to exploring quicker solutions offered by scammers. The agency's "Frequently Asked Questions" page warns users to be on the lookout for emails and links asking for banking information related to their checks, and on May 18 the agency announced it had added another 3,500 phone operators to field questions from taxpayers about their stimulus payments.
