Reading is for suckers
This latest email scam impersonates the World Health Organization (WHO) in an attempt to entice users to download a free e-book.
The book, ‘My Health E-book’, promises to provide those that open the attachment with “complete research on the global pandemic, as well as guidance on how to protect children and businesses”.
“Instead, as soon as they execute the file inside the MyHealth-Ebook.zip archive, malware will be downloaded onto their computers,” Malwarebytes said in a blog post, published yesterday (March 18).
Users are told that the fake book can only be downloaded on Windows machines.
If the attachment is opened, a downloader called GuLoader is installed on their computer and used to execute an information-stealing payload, FormBook.
FormBook, which has appeared extensively in campaigns against manufacturing and defense sectors in the US and South Korea, is then stored in encoded form in a user’s Google Drive.
“Formbook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data,” Malwarebytes said.
“Stolen data is sent back to a command and control server maintained by the threat actors.”
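The lure described above arrives as a zip archive whose member is an executable, so a mail gateway can flag it before anyone double-clicks. As an added defensive example (not code from the article or from Malwarebytes), the check below inspects a zip attachment in memory, without extracting it, and reports members that carry an executable extension, a document-looking double extension, or a PE ("MZ") header; the sample archive is constructed here and contains no real malware.

```python
import io
import zipfile

# Extensions Windows will execute directly when double-clicked (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt"}


def inspect_zip_attachment(data: bytes):
    """Return [(member_name, [reasons])] for suspicious members of a zip.

    The archive is parsed from memory and never written to disk; only the
    first two bytes of each member are read, to look for a PE 'MZ' header.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", ["not a valid zip file"])]
    with archive as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("document-looking double extension")
            with zf.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ":
                reasons.append("PE (MZ) header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the campaign's lure archive (harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyHealth-Ebook.pdf.exe", b"MZ" + b"\x00" * 62)  # fake PE stub
        zf.writestr("README.txt", b"WHO guidance placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip_attachment(build_sample_attachment()):
        print(f"{name}: {', '.join(reasons)}")
```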
Grammatical errors in the e-book email should throw up an immediate red flag to most users, Malwarebytes said.
“Still, many have fallen for far more obvious ploys,” the company added.
Discovery and takedown
The Covid-19 epidemic has prompted a wave of warnings from Computer Emergency Response Teams (CERTs) across the world, asking users to be cautious of any email referencing the virus in its subject line.
The UK’s NCSC is reporting an increase in the registration of webpages and phishing attempts referencing the virus, adding that it is using pre-existing processes to automate the discovery and takedown of such fraudulent sites.
The WHO has also issued warnings about the impersonation of its brand by cybercriminals in the wake of the global crisis.
“If you are contacted by a person or organization that appears to be from WHO, verify their authenticity before responding,” the UN body said in a recent security alert.
The organization reminds users that it will never ask for a username or password to access information, nor will it send unsolicited email attachments.