Phishers Hide #COVID19 Malware in CVs and Medical Leave Forms

Cyber-criminals are taking advantage of the evolving jobs market and employee health situation under COVID-19 to disguise malware in various emailed documents.

The phishing campaigns spotted by Check Point over recent days center around spoofed CVs and medical leave forms. Unemployment in the US remains at levels not seen since the Great Depression of the 1930s, with close to 40 million currently without jobs due to the pandemic.

The security vendor said that the ratio of CV-related malware to all detected malicious files doubled over the past two months. One campaign featured banking Trojan Zloader hidden in malicious .xls files in emails with subject lines such as “applying for a job” or “regarding job.”

Separately, cyber-criminals have been taking advantage of interest in the US Family and Medical Leave Act (FMLA) to lure administrative staff into opening attachments.

Attachments with names like “COVID -19 FLMA CENTER.doc” have been sent via emails with subjects like “the following is a new Employee Request Form for leave within the FMLA,” according to Check Point.

Once again, the payload is info-stealing banking Trojans like Icedid or Trickbot. Different sender domains are used to try and trick email filters.

Overall, the number of COVID-19 attacks reduced in May by 7% to 158,000 per week, the vendor claimed. However, overall, attacks are starting to pick up as businesses begin to open again.

“In March, when the pandemic was at its peak, we saw a 30% decrease in malware attacks compared to January 2020. This was because many countries went into quarantine and most businesses and other organizations were shut as a result, greatly reducing the potential number of targets for attackers,” Check Point explained.

“Now that the world is seeing some relief from the pandemic as a result of the quarantine measures, things have started to open up and businesses are running again and – guess what?  – cyber-criminals are also ramping up their malicious activities. In May, we saw a 16% increase in cyber-attacks when compared to the period between March and April, when coronavirus was at its peak.”

What’s Hot on Infosecurity Magazine?