Abnormal Attack Stories: WHO Impersonation

May 28, 2020

Abnormal Security

Abnormal Security

In this attack, attackers impersonate the World Health Organization (WHO) in order to phish credentials.

Quick Summary

  • Platform: Office 365
  • # Mailboxes: 15,000 to 50,000
  • Email Gateway: Proofpoint
  • Victims: Employees
  • Payload: Phishing
  • Technique: Impersonation

What was the attack?

  • Setup: The COVID-19 pandemic has been ongoing for months now, and people are consistently waiting for new updates and information on new developments. 
  • Email attack: This attacker is impersonating the World Health Organization by sending an email to the victim with a supposed message from them. This email contains a link to a webpage imitating the World Health Organization homepage with a login pop-up.
  • Payload: The URL of the fake World Health Organization website is obfuscated by text asking victims to click to open a supposed message from the WHO. When victims go to the fake WHO website, they are asked to sign in with their email and password. If they do so, they are further prompted for their phone number before being redirected to the real WHO website.
  • Result: Should victims fall for this attack, any information submitted on the fake WHO page will be sent to the attacker. Accounts and any information associated with submitted credentials will be jeopardized.

Why is this attack effective?

  • Relevancy: Recipients of this email will think that the World Health Organization has contacted them with information about the ongoing pandemic and would be more likely to fall victim to this attack.
  • Convincing email and landing page: The email is sent from “who.international” (compared to the legitimate “who.int”) and those who are not aware of the different domains may believe the email is legitimate. In addition, the landing page is visually similar to the World Health Organization website, except greyed out with a pop-up asking them to log in to “join the conversation”.
  • Concealed URL: The URL of the fake World Health Organization website is hidden behind the text “Open Message”.

Targeted Email Attack

(click to enlarge)

Payload

(click to enlarge)

Techniques to Detect

(click to enlarge)

Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:

Related content

Like our article? Share our content