COVID-19 Department of Labor Phishing - Abnormal Security

COVID-19 Department of Labor Phishing

In this attack, an attacker impersonates the New York Department of Labor claiming to administer relief funds in order to steal sensitive personal information.

Quick Summary of Attack Target

Platform: Office 365
Mailboxes: 10,000 – 100,000
Bypassed Email Security: Proofpoint
Victims: Employees
Payload: Link
Technique: Impersonation

What was the attack?

Setup: Scammers are taking advantage of the financial hardship caused by the COVID-19 pandemic by impersonating government entities and offering supposed relief funds to gain access to sensitive user information.

Email Attack: The attacker impersonates the New York Department of Labor by disguising their identity with the display name “noreply@labor.ny.gov” and displaying the New York State logo at the top of the email. However, a closer look reveals the true sender to be “naij30@naija9icevibes.com”, a Panamanian-registered domain with no association to the New York state government. The attacker claims that the government will administer a $600 relief fund to citizens who fill out the indicated form. The “click here” hypertext redirects the recipient to a webpage controlled by the attackers by mimicking a New York state government page which asks for sensitive information such as name, address, date of birth, social security number, and driver’s license number. 

Payload: The email contains an embedded link that should supposedly lead to a NY.GOV site, but actually points to “https://thesender[.]org/fjc4”. After clicking on the hypertext, the link redirects to “bo2.cloudns.cl/NYU/cnf[.]php”, a phishing page posing as a legitimate government website. Although this landing page displays the official New York state government logo, the URL is not associated with the New York Department of Labor. Instead, it is a trap for users to release valuable information in the pursuit of their promised COVID-19 relief fund. 

Result: If the recipients fall victim to this attack, they would release extremely personal information to the scammers. This could ultimately lead to identity theft and other fraud.

Why was this attack effective?

Urgency: Because this email is offering $600 in relief funds to those who might be suffering from financial hardship, the recipient is incentivized to act quickly in order to claim this offer. Additionally, by impersonating an official government entity the email creates an air of authority and may seem more legitimate to the recipient. This would motivate the recipient to engage without delay. 

Convincing email and landing page: The attacker employs the official logos of the New York state government in both the email and the fake form, creating a credible impression of a legitimate government entity.

Timing: The attacker takes advantage of the current global health crisis by crafting a scam that revolves around the COVID-19 pandemic and its economic impact. Americans have already received pandemic stimulus checks from the government, so a recipient of this email may be more likely to believe that the government is offering additional relief as the pandemic continues.

Related content