This article was originally published in the Wall Street Journal.

Criminals are using concerns about the coronavirus epidemic to spread infections of their own.

They are forging emails mentioning the outbreak that appear to be from business partners or public institutions in an effort to get users to open the messages, unleashing malware.

The number of malicious emails mentioning the coronavirus has increased significantly since the end of January, according to cybersecurity firm Proofpoint Inc., which is monitoring the activity. The company recently assigned an analyst to track coronavirus threats, something it hasn’t done for prior hacking campaigns related to disasters or major public events, said Sherrod DeGrippo, Proofpoint’s senior director of threat research and detection. Proofpoint analysts now see multiple email campaigns mentioning the coronavirus every workday.

“We don’t typically see events like that. Natural disasters are very localized; events like the Olympics come and go and I think something like the Olympics doesn’t get the clicks that a health scare would,” she said.

The dearth of information about the epidemic, along with plenty of conflicting claims, provides an opening for criminals, said Ryan McConnell, founder of R. McConnell Group PLLC, a law firm in Houston.

Email doctored to look like a company’s purchase order for face masks or other supplies could trick an employee into wiring payments to a fraudulent account, he said. Individuals could provide personal details in response to a phishing attempt that promises information about a company’s remote-work plan, he said.

“With the coronavirus, it’s a heightened risk because it’s a good vehicle for fraud and people are scared,” he said.

Russia-based cybersecurity company Kaspersky Lab said it had detected 403 users of its security products who were hit with about 500 coronavirus-related files. The company hasn’t determined how the malware was planted onto the devices, said Anton V. Ivanov, a malware analyst.

Japanese residents were among the first to be targeted in January and February, with emails purporting to be from regional health-care facilities. The messages contained legitimate contact information for key personnel, according to screenshots of emails and translations provided by the cybersecurity arm of International Business Machines Corp., which has been tracking the scams.

“It was very focused on enterprise users, and came in a message that would look like it’s a reply to something, or a warning that people are getting from the government. It could have been pretty effective at infecting company users,” said Limor Kessem, an executive security adviser at IBM Security who published findings on the campaign.

Attackers have sent emails containing about a dozen types of malware, according to Proofpoint’s analysis. Attacks mentioning the coronavirus are much more creative and sophisticated than typical spam, Ms. DeGrippo said.

One email that was sent to companies in the transportation sector purported to be from a World Health Organization employee. It included a WHO logo and instructions about how to monitor crews aboard ships for coronavirus symptoms, and included an attachment with instructions, according to a screenshot provided by Proofpoint.

The WHO, a United Nations agency based in Geneva, published a warning about coronavirus email scams on its website and asked victims to report emails. The agency has received almost daily reports about phishing attempts mentioning the coronavirus, a spokeswoman said in an email. She declined to provide a tally.

“It’s social engineering at scale, based on a fear. That’s the way to be effective,” Ms. DeGrippo said.

Phishing can be an effective tactic for public health crises, said IBM’s Ms. Kessem, as most major companies and municipal authorities rely heavily on email to communicate policies regarding the outbreak and their plans for handling people who may have been exposed.

Bart McDonough, chief executive of cybersecurity firm Agio LLC, which provides services to hedge funds, investment banks and other financial-services firms, said he has seen emails sent to clients that impersonate municipal health authorities giving businesses information on the virus.

“The Center for Disease Control and World Health Organization fakes, candidly, haven’t been very sophisticated. I think they will improve their level of sophistication as this starts to hit wealthier nations,” he said.

Corrections & Amplifications

Russia-based cybersecurity company Kaspersky Lab said it had detected 403 users of its security products who were hit with about 500 coronavirus-related files. An earlier version of this article incorrectly said they were hit with 2,673 coronavirus-related files. (March 5, 2019)