COVID-19: CYBERSECURITY WATCH #18 – August 27, 2020

In light of the current health crisis, the CERT of (CERT-DS) will implement a monitoring and alert system linked to the impacts and consequences of COVID-19 on cybersecurity. This monitoring, which can be shared freely, is intended to:

  • Identify the biggest threats to computer systems;
  • Share the resources and tools necessary to grasp and prevent ISS risks;
  • Highlight the best digital practices to adopt in the face of this crisis.

In order to better understand the threats, we will also do a “threat focus” on one of the attacks reported each week. A detailed description and modus operandi of the attack will be made.

Each week’s main news items are grouped into four categories: Threats, Fraud, Useful Resources and Other News.

  • Threats” include malware, phishing and ransomware campaigns, as well as cyberattacks on major infrastructures;
  • Fraud” includes scams and fake news;
  • Useful Resources” refers to the information and tools needed to deal with this health crisis;
  • Other News” combines a variety of information such as government measures taken in the area of cybersecurity.


Focus on phishing campaigns claiming to provide information on vaccines against COVID-19

Attack: Cybercriminals claim to provide information on COVID-19 vaccines to spread malware and steal personal data
Method: Phishing
Target: General public
Publication date: 08/11/2020


Attacks related to COVID-19 exploded in March with an estimated more than 700,000 attacks at its peak in May. After a first wave of COVID-19, the search for a potential vaccine is at the heart of the new. This situation has attracted attention of cybercriminals and we are now seeing more and more phishing campaigns related to the COVID-19 vaccines.

 Modus Operandi

Cybercriminals are therefore taking advantage of advances in the development of a vaccine against COVID-19 to spread phishing campaigns or send spam containing malware.

The example of the phishing campaign reported by Checkpoint has transmitted e-mails with the following subject “URGENT INFORMATION LETTER: COVID-19 NEW APPROVED VACCINES”. These e-mails contain a malicious window .EXE file named “Download_Covid 19 New approved vaccines.23.07.2020.exe“ which after being executed on the victim’s system installs a malicious software that steals data such as passwords and banking information.

The Checkpoint teams also discovered a phishing campaign. E-mails with the following subject “UK coronavirus vaccine effort is progressing badly appropriate, recruiting consequence and elder adults“ contain a malicious link “surgicaltoll\[.]com/vy2g4b\[.]html “redirecting to the phishing site “thelifestillgoeson[.]su “. The latter tries to imitate a legitimate Canadian pharmacy in order to obtain personal information from the victims.



Attack: Canada Revenue Agency stopped distribution of financial assistance related to COVID-19 following the theft of data from thousands of user accounts
ethod: Data theft
Target: CRA user accounts
Publication date: 08/15/2020
Description: Following two credential stuffing cyberattacks that affected user accounts and passwords of the Canada Revenue Agency, the latter has temporarily shut down its online services and interrupted its distribution of financial assistance related to the COVID-19 pandemic. Although 5,500 accounts have been affected by cyberattacks, the agency quickly deactivated access to accounts to ensure the security of users’ information. However, attackers could be able to modify e-mails associated with CRA accounts and fraudulently claim the financial assistance.


Attack: Cybercriminals use COVID-19 lures to spread Emotet malware
Method: Phishing
Target: Private entities in the United States
Publication date: 08/14/2020
Description: An e-mail containing a malicious attachment exploiting the COVID-19 theme is sent to victims. This attachment is similar to a Word document and can only be opened if users click on the “Enable Content” tab in order to view it properly.  Once activated, the malware is downloaded and subsequently installs other malware such as Qbot or TrickBot to steal the victims’ data and passwords.



Attack: U.S. Department of Justice dismantles Islamic state fundraising campaign based on fraudulent sale of medical equipment
Method: Fraudulent sales/Money theft
Surface/Application: Fraudulent website: FaceMaskCenter[.]com
Publication date: 08/13/2020
Description: The Department’s initiatives of combatting COVID-19 related fraud with combatting terrorism financing jointly dismantled a fraudulent website for the sale of personal medical equipment against COVID-19. The website whose administrator is known as Murat Cakar, a facilitator of the EI, has claimed to sell FDA approved N95 respirators masks and other protective equipment for hospitals. The website has been seized and removed along with four associated Facebook pages. 


Attack: U.S. Department of Justice closes 300 fraudulent websites using COVID-19
Method: Fraudulent sales
Surface/Application: Fraudulent websites
Publication date: 08/12/2020
Description: This enforcement action follows an investigation lead by the U.S. Immigration and Customs Enforcement’s (ICE)n the Homeland Security Investigations (HSI), in coordination with Vietnam’s Ministry of Public Security. This investigation revealed more than 300 fraudulent websites were created, claiming to sell products that became scarce during the pandemic, such as hand sanitizers. Thousands of victims paid without ever receiving their goods.


Attack: A phishing campaign using COVID-19 lures imitate Orange to steal personal and banking information
Method: Phishing
Surface/Application: SMS/fraudulent website 
Publication date: 08/12/2020
Description: Users received a fraudulent SMS urging them to go to their personal account and enter their personal and banking information to receive a refund of 27 dollars. The website pages have been replicated identically with “.fr” for more authenticity. In addition, the identity used to purchase the domain name is similar to that used to purchase “”, which also has been used in the phishing campaigns targeting Bouygues Telecom and SFR letting to assume that there are same attackers.


Attack: Fake domain names were created following the Russian government’s announcement to launch its COVID-19 vaccine.
Method: Phishing
Surface/Application: Fake domain names
Publication date: 23/08/2020
Description: Within 10 days of vaccine registration by Russian authorities, 113 domain names linked to fraudulent websites claiming to pre-order COVID-19 vaccines in March appeared in the .com and .ru zones. In July-August 2020, nearly 445 domains have been registered, about nine per day. These websites offered to purchase a non-existent coronavirus vaccine and drug.


Attack: Netsential, a web development agency, victim of a data leak from patients with COVID-19
Method: Data theft
Surface/Application: Online portal
Publication date: 08/24/2020
Description: One of the web development agencies contracted by the Department of Public Safety (Fusion Center) in South Dakota has been the victim of a data leak. The data, which is primarily from Netsential’s customer surveys, has been collected through a secure online portal to identify and assist individuals with COVID-19. The failure of the security system allowed unauthorized access to the status of the individuals processed, resulting in the loss of sensitive data.


Useful resources

Type of resources: Google is launching an interactive map to track the worlwide  evolution of the COVID-19 pandemic 
Target: Journalists
Publication date: 08/10/2020
Description: Called the COVID-19 Global Case Mapper, this interactive map conducted in partnership with Stanford University contains data from 176 countries in addition to the United States where it originated. More detailed data at the country level will be added over time as the map is developed. Indeed, unlike other coronavirus case maps, the Case Mapper project also allows local journalists to include a map of their region and/or city.


Type of resources: Malwarebytes report on COVID-19’s impact on business security
Target: Business manager, CISO
Publication date: 08/20/2020
Description: This report highlights the lack of cyber security in teleworking and provides a strategic perspective for decision-makers and business leaders through surveys. The report also highlights the most common threats and frauds used by hackers during the COVID-19 period and reported by cybersecurity companies.


Other News

Country: United Kingdom
Subject: New national contact tracing application enters in  testing phase
Publication date: 08/13/2020
Description: The British government has abandoned its first application based on a centralized model in favor of the Google/Apple API. The API has a range of additional and enhanced features. For example, the application alerts people who have been in contact with virus carriers.  In total, since its launch, nearly 78.2% of individuals who have tested positive have had their data transferred for sharing with others.


Country: United States
Subject: Two Republican senators have introduced a bill to protect universities working on a vaccine against COVID-19 from cybercriminals
Publication date: 08/11/2020
Description: Senators Andy Barr and Frank Lucas introduced a bill to protect scientific research and provide universities and research institutes with access to cybersecurity advice. The bill calls on the National Institute of Standards and Technology (NIST) to provide specific guidance and best practices on cybersecurity to reduce the threat for private industry.


Country: International 
Subject: The Spot robot dog will be deployed in hospitals to collect health data from patients with COVID-19
Publication date: 08/20/2020
Description: MIT and Boston Dynamics collaborated in the launch of a medicalized version of the robot dog Spot. In order to limit the physical contact of healthcare personnel with their patients suffering from COVID-19, Spot will take care of collecting health data. Equipped with a tablet, Spot allows doctors to talk virtually with their patients while the robot performs examinations. Last April, Spot had already been tested at the Brigham and Women’s Hospital.


Back to the previous newsletter of CYBERSECURITY WATCH !