Abnormal Attack Stories: Stimulus Payment Attack

April 7, 2020

Abnormal Security


In this attack, attackers are impersonating a major financial institution claiming to have received the recipient’s stimulus check, but needing the recipient to verify their account to release the funds. The attackers have created a full landing page to attempt to steal the recipient’s banking credentials.

Quick Summary:

  • Platform: Office 365
  • # Mailboxes: More than 50,000
  • Email Gateway: Proofpoint
  • Email Security: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

What was the attack?

  • Setup: This attack leverages the economic uncertainty around COVID-19. Many who have been furloughed, laid off, or have had their hours reduced due to shelter-in-place orders around the nation will be anxiously awaiting the arrival of the stimulus check that was part of Congress’s $2 trillion stimulus effort.
  • Email Attack: This attacker created a convincing email and landing page that appeared to come from a major financial institution. The email sent by the attackers claims that this financial institution has placed the funds on hold until the user can sign in and “verify account ownership” so they can be released.
  • Payload: The email contains a link to a fake website for the financial institution. The visible link text masks the real URL, which takes victims to a site hosted at “https://theruncoach.icu/home.php”, which attackers likely control and will use to steal the login credentials for this financial institution from victims.
  • Result: Should recipients fall victim to this attack, their login information for their banking account would be compromised.

Why is this attack effective?

Please keep in mind that, although these attackers were impersonating one specific financial institution for this attack, they have already launched attacks impersonating many other financial institutions.

  • Urgency: This attack leverages two things to ensure victims act urgently and give this the minimum level of scrutiny:
    1. It plays upon the economic uncertainty and claims that it’s related to the economic stimulus checks that many are waiting on as they have been furloughed, laid off, or their hours are reduced.
    2. It claims that the deposit made to the recipient’s bank account is being put on hold until the recipient can verify ownership of their account and accept the payment by logging in (through the fake landing page the attackers have created).
  • Convincing email and landing page: The email and landing page that the attacker created were convincing. The email even contained real links to the financial institution’s privacy statement, in addition to the fake landing page which would steal their credentials. The landing page was similarly elaborate, appearing almost exactly like the true bank landing page. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials.
  • Concealed URL: The URL where the landing page was ultimately hosted (https://theruncoach.icu/home.php) was clearly not a site owned or run by this bank. However, the email concealed this URL, and the attackers likely expected that recipients would be too convinced by the landing page they created to double-check that the URL was valid.
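The “Payload” and “Concealed URL” points above describe the one mechanical tell in this lure: the email shows the reader a link that looks like the bank’s, while the real href points at https://theruncoach.icu/home.php. The following added example (written for this page, not code from Abnormal Security or from the impersonated bank) shows a defender-side check that pulls every anchor out of an HTML message body and flags two patterns: visible link text that is itself a URL on a different host than the href, and credential-related calls to action (“verify”, “sign in”, “account”) whose href leaves the institution’s known domains. The bank domain “bank.example” and the message body are constructed placeholders; the untrusted host is the one the page reports.

```python
"""Flag concealed phishing links in an HTML email body.

Added example, not the vendor's or the bank's code. The institution's
real domains and the sample message are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the impersonated bank actually owns. "bank.example"
# is a placeholder; a deployment would load the institution's real list.
TRUSTED_DOMAINS = {"bank.example"}

# Constructed sample body: a genuine privacy-statement link (as the real
# email had) next to two "verify" links whose display text hides the host.
SAMPLE_EMAIL_HTML = """
<p>Your stimulus deposit is on hold until you verify account ownership.</p>
<a href="https://theruncoach.icu/home.php">https://www.bank.example/signin</a>
<a href="https://www.bank.example/privacy">Privacy statement</a>
<a href="https://theruncoach.icu/home.php">Verify account ownership</a>
"""

_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
_LURE_RE = re.compile(r"\b(verify|sign in|log ?in|account)\b", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # None while not inside an <a>
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.anchors


def _registrable(host):
    """Crude eTLD+1 (last two labels). Enough for the sample; production
    code should consult the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_concealed_links(html, trusted_domains=TRUSTED_DOMAINS):
    """Return (href, text, reason) for each anchor that conceals its host."""
    findings = []
    for href, text in extract_anchors(html):
        href_dom = _registrable(urlparse(href).hostname or "")
        if href_dom in trusted_domains:
            continue  # genuine link, e.g. the real privacy statement
        # Pattern 1: the visible text is a URL, but on a different host.
        shown = _URL_RE.search(text)
        if shown:
            shown_dom = _registrable(urlparse(shown.group(0)).hostname or "")
            if shown_dom != href_dom:
                findings.append((href, text,
                                 f"display host {shown_dom} != link host {href_dom}"))
                continue
        # Pattern 2: a credential call-to-action leaving the trusted domains.
        if _LURE_RE.search(text):
            findings.append((href, text,
                             f"credential lure points to untrusted host {href_dom}"))
    return findings


if __name__ == "__main__":
    for finding in find_concealed_links(SAMPLE_EMAIL_HTML):
        print(" | ".join(finding))
```

Run against the constructed body, the check passes the real privacy-statement link and reports the two “verify” links, one for the display/href host mismatch and one because a credential call-to-action points off the bank’s domains. The same two rules can sit in a mail-gateway content filter or an IR triage script; the allowlist of owned domains is the only per-institution input.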

About

Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Figure: Targeted Email Attack

Figure: Payload

Figure: Techniques to Detect
