{"id":32395,"date":"2020-02-07T04:55:56","date_gmt":"2020-02-07T09:55:56","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=32395"},"modified":"2020-05-18T08:03:45","modified_gmt":"2020-05-18T12:03:45","slug":"coronavirus-phishing","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/coronavirus-phishing\/32395\/","title":{"rendered":"Coronavirus phishing"},"content":{"rendered":"<p>Some malefactors just don\u2019t know when to stop. First, we saw <a href=\"https:\/\/usa.kaspersky.com\/blog\/coronavirus-used-to-spread-malware-online\/20213\/\" target=\"_blank\" rel=\"noopener noreferrer\">malware masked as files about coronavirus<\/a>, and now they\u2019re sending phishing e-mails that exploit the very same epidemic.<\/p>\n<h2>Phishing with the coronavirus for e-mail credentials<\/h2>\n<p>The letters appear to come from the Centers for Disease Control and Prevention, which is a <a href=\"https:\/\/www.cdc.gov\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">real organization in the United States<\/a>, and they do recommend some actions regarding the coronavirus. The e-mails also come from a convincing domain, <strong>cdc-gov.org<\/strong>, whereas the CDC\u2019s real domain is <strong>cdc.gov<\/strong>. A user not paying careful attention isn\u2019t likely to notice the difference.<\/p>\n<p>The letters claim that the CDC has \u201cestablished a management system to coordinate a domestic and international public health response\u201d and urge recipients to open a page that allegedly contains information about new cases of infection around their city. The link appears to point to the legitimate CDC website: cdc.gov.<\/p>\n<div id=\"attachment_32398\" style=\"width: 662px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/02\/06102022\/coronavirus-phishing-scr1.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-32398\" class=\"size-full wp-image-32398\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/02\/06102022\/coronavirus-phishing-scr1.png\" alt=\"Coronavirus phishing e-mails appear to come from the Centers for Disease Control and Prevention (CDC)\" width=\"652\" height=\"642\"><\/a><p id=\"caption-attachment-32398\" class=\"wp-caption-text\">Coronavirus phishing e-mails appear to come from the Centers for Disease Control and Prevention (CDC)<\/p><\/div>\n<p>The website looks similar to Microsoft Outlook\u2019s interface \u2014 and requests an e-mail login and password. Of course, the website has nothing to do with Outlook; it\u2019s just a page crooks built to steal e-mail credentials. It won\u2019t log you in anywhere, but it will forward your login and password to the criminals, who will later use them to access your e-mail account and look for anything worth stealing in there.<\/p>\n<h2>What\u2019s the catch in coronavirus phishing?<\/h2>\n<p>To avoid getting hooked, pay attention to details. Three things in this particular scheme should raise red flags:<\/p>\n<ul>\n<li>The e-mail address of the sender. If it ends with cdc-gov.org instead of cdc.gov, the e-mail is phishing.<\/li>\n<li>The actual URL of the link. If you hover over the link without clicking on it, you\u2019ll see that the real address it leads to is different than the link description. It won\u2019t really bring you to cdc.gov.<\/li>\n<li>The design of the phishing page. The official <a href=\"http:\/\/outlook.live.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Microsoft Outlook website<\/a> actually looks completely different. Of course, no website other than Microsoft\u2019s should ask for your Outlook credentials. If you see such a request, know that it\u2019s phishing and ignore it.<\/li>\n<\/ul>\n<div id=\"attachment_32399\" style=\"width: 918px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/02\/06102026\/coronavirus-phishing-scr2.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-32399\" class=\"size-full wp-image-32399\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/02\/06102026\/coronavirus-phishing-scr2.png\" alt=\"The fake Web page used in the coronavirus phishing campaign looks like an Outlook login window\" width=\"908\" height=\"560\"><\/a><p id=\"caption-attachment-32399\" class=\"wp-caption-text\">The fake Web page used in the coronavirus phishing campaign looks like an Outlook login window<\/p><\/div>\n<p>If you pay attention, you will certainly notice at least one of the problems we list above, but even one is enough to tell you: This is phishing, so don\u2019t click any links, download any attachments, or enter any credentials.<\/p>\n<p>The coronavirus as a topic is heating up among malefactors of various kinds, so expect to see other malicious campaigns using the deadly virus as bait. Recently we\u2019ve seen spam campaigns selling masks, which some perceive as the first line of defense against the virus.<\/p>\n<p>Another example we encountered recently was another phishing e-mail that also appeared to be sent from the CDC, this time from a different \u2014 but still fake \u2014 address: <strong>cdcgov.org<\/strong>.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/02\/06102030\/coronavirus-phishing-scr3.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-32400\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/02\/06102030\/coronavirus-phishing-scr3.png\" alt=\"Another example of coronavirus-related phishing\" width=\"626\" height=\"746\"><\/a><\/p>\n<p>This e-mail urged recipients to donate Bitcoin to fund coronavirus vaccine research. Of course, the real CDC does not accept Bitcoin, and it is not asking for donations. And we\u2019re sure to see more scams exploiting coronavirus fears.<\/p>\n<h2>How to protect yourself from phishing<\/h2>\n<ul>\n<li>Attentiveness and knowledge are your two best tools. Look carefully to spot wrong addresses, misspelled domains, URLs with misleading labels, and other signs. To learn more about typical phishing methods and techniques, read our <a href=\"https:\/\/www.kaspersky.com\/blog\/phishing-ten-tips\/10550\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ten tips<\/a> for avoiding phishing and <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/phishing\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">other posts about phishing on Kaspersky Daily<\/a>.<\/li>\n<li>Use a reliable security solution, such as <a href=\"https:\/\/www.kaspersky.com\/advert\/security-cloud?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____ksc___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security Cloud<\/a>, that automatically detects phishing websites and blocks access to them.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"ksc-trial-generic\">\n","protected":false},"excerpt":{"rendered":"<p>Phishers are using the Wuhan coronavirus as bait, trying to hook e-mail credentials.<\/p>\n","protected":false},"author":2495,"featured_media":32397,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683],"tags":[3679,19,76],"class_list":{"0":"post-32395","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-coronavirus","10":"tag-email","11":"tag-phishing"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/coronavirus-phishing\/32395\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/coronavirus-phishing\/7466\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/coronavirus-phishing\/17066\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/coronavirus-phishing\/21059\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/coronavirus-phishing\/19886\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/coronavirus-phishing\/26308\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/coronavirus-phishing\/7649\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/coronavirus-phishing\/13679\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/coronavirus-phishing\/12756\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/coronavirus-phishing\/22112\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/coronavirus-phishing\/10679\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/coronavirus-phishing\/24944\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/coronavirus-phishing\/20922\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/32395","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2495"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=32395"}],"version-history":[{"count":6,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/32395\/revisions"}],"predecessor-version":[{"id":35502,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/32395\/revisions\/35502"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/32397"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=32395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=32395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=32395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}