Fake CVs, Medical Leave Forms, Voicemail Alerts Used as Lures in Phishing Attacks

Researchers at Check Point have issued a warning that cybercriminals are using fake CVs, resumes, and medical leave forms to spread malware such as banking Trojans and information stealers.

Many Americans have lost their jobs as a result of the COVID-19 pandemic. Unemployment is now at the highest level it has ever been in the United States, so a great many Americans will now be looking for work. It is therefore no surprise that cybercriminals have responded and have changed their phishing tactics once again.

In the early stages of the pandemic, COVID-19 themed lures were popular. There was a continued rise in COVID-19 and coronavirus lures throughout February, March and April, although as May progressed, COVID-19 themed phishing emails started to decline. These campaigns are still being conducted and continue to be a threat. Check Point is witnessing around 158,000 COVID-19 and coronavirus themed attacks each week, although that figure is 7% down on April.

Check Point had previously reported a major increase in COVID-19 and coronavirus themed domains that were being used to spread malware and steal credentials. Domain registrations related to COVID-19 and coronavirus peaked around March 16, 2020 and have steadily fallen since. A new trend that has been identified is domains containing the word "employment". In May, 250 new domains were registered containing the word "employment", 7% of which were confirmed as malicious and another 9% were suspicious.

Check Point notes the number of CV-related campaigns has doubled in the past two months and one in every 450 malicious files intercepted is part of a CV-related scam. Several emails have been intercepted that claim to be requests for medical leave under the Family and Medical Leave Act (FMLA).

A range of malware is being delivered via CV-related attachments and fake medical leave requests, including the banking Trojans Zloader, IcedID, and TrickBot.

Researchers at IRONSCALES report a major campaign is underway that spoofs PBX integrations. Private Branch Exchange (PBX) telephone systems are used by many enterprises for automating the routing of phone calls and recording voicemail messages. These systems can be configured to automatically generate an email message when a voicemail message is received. This feature of PBX systems has been important during lockdown as it ensures that employees working remotely do not miss calls.

IRONSCALES reports at least 100,000 mailboxes have been targeted with phishing emails spoofing the messages generated by PBX systems to alert employees about a new voicemail message. The emails are convincing, spoof the company name, are often addressed to a specific individual, and have subject lines that match the company and closely resemble the subject lines used in genuine PBX system notifications.

The emails require individuals to visit a website to access their voicemail and attempt to obtain login credentials. The voicemail messages may contain sensitive information that can be monetized, and the message content can be used to create convincing social engineering and spear phishing emails. The passwords used to access voicemail messages are often used on other platforms and can be used in further attacks.

New scams will constantly be created to fool employees into installing malware or disclosing login credentials. Blocking these messages is critical as there will always be one employee who responds and clicks a link in an email or opens a malicious attachment, and likely more when convincing lures are used.

An advanced email security solution should be implemented that is capable of detecting email spoofing attacks. End user training is also important. Regular updates should be sent to remote workers warning them about the latest tactics being used in phishing attacks.
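The following is an added example, not code from the article, Check Point or IRONSCALES: a triage heuristic for the spoofed PBX voicemail notifications described above, which flags voicemail-themed messages whose sender domain, authentication results or links do not match the organisation. The internal domain `example.com`, the subject keywords and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions (not from the article): the organisation's mail domain and the
# subject keywords. Only trust Authentication-Results added by your own gateway.
INTERNAL_DOMAIN = "example.com"
VOICEMAIL_SUBJECT = re.compile(r"\b(voice\s?mail|voice message|missed call)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message, not a captured email.
SAMPLE_LURE = """\
From: "Example Corp Voicemail" <pbx@voicemail-portal.test>
To: j.doe@example.com
Subject: Example Corp: New voicemail for J. Doe
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail

You have a new voice message. Listen here: http://voicemail-portal.test/login
"""

def auth_failures(msg):
    """Return the SPF/DKIM/DMARC checks that the gateway did not mark 'pass'."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return [m for m in ("spf", "dkim", "dmarc")
            if not re.search(rf"\b{m}=pass\b", results)]

def score_voicemail_lure(raw):
    """Return reasons a voicemail-themed message looks spoofed ([] if none)."""
    msg = message_from_string(raw)
    if not VOICEMAIL_SUBJECT.search(msg.get("Subject", "")):
        return []  # not a voicemail notification, out of scope here
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != INTERNAL_DOMAIN:
        reasons.append(f"external sender domain: {sender_domain}")
    failed = auth_failures(msg)
    if failed:
        reasons.append("authentication not passed: " + ",".join(failed))
    # Undecoded text of every leaf part; base64 bodies would need decoding first.
    body = "".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    for url in URL.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            reasons.append(f"link to external host: {host}")
    return reasons

if __name__ == "__main__":
    print("\n".join(score_voicemail_lure(SAMPLE_LURE)))
```

Organisations whose PBX is hosted by a provider would add that provider's sending domain and portal host to the allowed set rather than comparing against a single internal domain.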

Author: NetSec Editor