Microsoft Seizes Domain Names Related To COVID-19 Phishing Scams

Microsoft on Tuesday won a court order allowing it to seize and take down domain names used in a phishing scam referencing COVID-19, the company announced.

Cybercriminals took advantage of the pandemic in an attempt to defraud customers in 62 countries worldwide. On Tuesday the U.S. District Court for the Eastern District of Virginia unsealed documents detailing Microsoft’s work. 

Microsoft’s Digital Crimes Unit (DCU) first spotted the criminals using phishing attacks in December 2019, when they tried to hijack Microsoft customer accounts. The criminals attempted to gain access to customer emails, contact lists, sensitive documents and other valuable information.

Based on certain patterns, Microsoft blocked the cyber criminals’ activity and disabled the malicious application used in the attack. Recently the company observed renewed attempts by the same criminals, this time using COVID-19-related lures in the phishing emails to target victims.

The cybercriminals designed the phishing emails to look like they originated from an employer or other trusted source and frequently targeted business leaders across a variety of industries, attempting to compromise accounts, steal information and redirect wire transfers.

When the group first began carrying out this scheme, the phishing emails contained deceptive messages associated with generic business activities. For example, the malicious link in the email was titled with business terms such as “Q4 Report – Dec19.”  

In the latest efforts, the phishing emails contained messages regarding COVID-19 as a means to exploit pandemic-related financial concerns and lure victims to click on malicious links -- for example, using terms such as “COVID-19 Bonus.”

Victims who clicked on the links were prompted to grant access permissions to a malicious web application. The scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign in a search result.

Next story loading loading..