Hack-for-hire firms spoofing WHO accounts to target organisations worldwide

Google's Threat Analysis Group has issued a warning about a number of “hack-for-hire” firms that have been creating Gmail accounts spoofing the WHO to target business leaders in financial services, consulting, and healthcare corporations.

The software giant said that most of these hack-for-hire firms are located in India and that their targets are in the US, the UK, Canada, Slovenia, India, Bahrain, and Cyprus.

The hackers have also set up a number of fake domains that look like WHO's website and are asking targeted users to visit these websites and sign up for direct notifications from the WHO to stay informed of COVID-19 related announcements. "The sites typically feature fake login pages that prompt potential victims to give up their Google account credentials, and occasionally encourage individuals to give up other personal information, such as their phone numbers," Google said.

Describing them as government-backed or state-sponsored hacker groups, the Threat Analysis Group noted that while some of the hack-for-hire firms are looking to collect intelligence or steal intellectual property, others are targeting dissidents or activists, or attempting to engage in coordinated influence operations and disinformation campaigns.

"Our products are designed with robust built-in security features, like Gmail protections against phishing and Safe Browsing in Chrome, but we still dedicate significant resources to developing new tools and technology to help identify, track and stop this kind of activity. In addition to our internal investigations, we work with law enforcement, industry partners, and third parties like specialized security firms to assess and share intelligence," said Shane Huntley from the Threat Analysis Group.

Commenting on the activities of hack-for-hire firms, Kelvin Murray, Senior Threat Research Analyst at Webroot, said that "it's unsurprising that the World Health Organisation is currently being used as bait, as scams based off current news are always going to be more effective, especially when tied to emotive topics in the public interest. Phishing attempts such as these aim to get people to open malicious links and emotive subjects like medical safety will certainly compel people to open and click emails."

Google blocking millions of phishing and spam emails every single week

In April, Google also announced that it blocked over 18 million COVID-19 related malware and phishing emails in a single week in addition to more than 240 million COVID-19 related daily spam messages. The Gmail Security team identified phishing attacks where the threat actors have attempted to:

  • Impersonate authoritative government organisations like the World Health Organization (WHO) to solicit fraudulent donations or distribute malware.
  • Phish employees operating in a work-from-home setting.
  • Capitalise on government stimulus packages and imitate government institutions to phish small businesses.
  • Target organisations impacted by stay-at-home orders.

Google also shared some best practices that users must follow in order to mitigate these threats. As per the company, Internet users can take the following precautions:

  • Complete a Security Checkup to improve your account security.
  • Avoid downloading files that you don’t recognize; instead, use Gmail’s built-in document preview.
  • Check the integrity of URLs before providing login credentials or clicking a link—fake URLs generally imitate real URLs and include additional words or domains.
  • Avoid and report phishing emails.
  • Consider enrolling in Google’s Advanced Protection Program (APP).
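
The URL check in the list above can be partly automated in a mail gateway or proxy rule. The sketch below is an added example, not code from Google or from this article; the trusted-domain table and the `.test` sample URLs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only domains treated as genuine for each brand.
OFFICIAL = {"who": "who.int", "google": "google.com"}


def check_url(url):
    """Return (verdict, brand): 'official', 'lookalike', 'unrelated' or 'invalid'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("invalid", None)

    # Genuine only if the host IS the official domain or a subdomain of it.
    # The leading dot matters: "notwho.int" must not match "who.int".
    for brand, domain in OFFICIAL.items():
        if host == domain or host.endswith("." + domain):
            return ("official", brand)

    # Otherwise look for the brand name as a whole label or hyphenated word
    # anywhere in the authority part, including text placed before an "@".
    tokens = set(re.split(r"[.\-@:]", parts.netloc.lower()))
    for brand in OFFICIAL:
        if brand in tokens:
            return ("lookalike", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample URLs; .test is a reserved, non-resolving TLD.
    samples = [
        "https://www.who.int/emergencies",
        "https://who.int.covid-alerts.example.test/login",
        "https://who.int@login.example.test/",
        "https://accounts-google.com.example.test/signin",
        "https://whois.example.test/",
    ]
    for url in samples:
        print(check_url(url), url)
```

The check does not cover misspellings or internationalised (punycode) hostnames, which need a separate similarity comparison.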