COVID-19-related lockdowns have forced millions of people to remain at home. With governments across the world obliging parents and children, remote workers and students to stay indoors, streaming video services have understandably soared in popularity. 

Usage of collaboration and social media platforms has skyrocketed, helping people through difficult times, virtually connecting friends and family, employers and employees, supply and demand, while honoring physical isolation rules.

As one would expect, malicious actors have seen an opportunity to exploit these circumstances and to channel their resources accordingly.

Some of these resources have been harnessed in a new phishing campaign that impersonates Skype and lures unsuspecting users into entering their credentials under the pretext of multiple pending notifications awaiting attention. What makes this campaign special is the use of a .APP domain for the landing page, which adds an extra layer of legitimacy. Such domains require HTTPS to establish a connection.

This week’s newsletter will cover three areas where an employee’s carelessness and/or eagerness to act on appealing propositions could adversely impact an organization.

  • Malicious freebies
  • Financial relief phishing campaigns
  • Compromised business emails

Malicious freebies

To “help” people cope with the challenges of physical isolation, threat actors are deploying various ruses to trick unsuspecting folks into clicking on malicious links or downloading harmful files.

  • In under a week, security researchers have detected the registration of 700+ suspicious domains whose purpose is to impersonate the Netflix brand in phishing or smishing campaigns. Disney+, a newly launched service, has recently been targeted as well.

  • One campaign has been promising “free access” to a supposedly legitimate streaming service for as long as the isolation lasts. The campaign operators have been enticing users to click on malicious links with "limited-time" and "limited-quantity" offers. In addition, they have been asking the victims to activate their subscriptions by answering several questions and sharing the offer with 10 others via WhatsApp.


Financial relief phishing campaigns

With the advent of various government-sponsored financial relief programs, security researchers have started to see a surge in related phishing and smishing campaigns. Attackers are leveraging growing payroll concerns and eagerness to claim promised stimulus to manipulate users.

Government-sponsored economic stimuli

  • One such campaign has been targeting organizations across the UK using the Coronavirus Job Retention Scheme as a pretext. Phishing emails have been spotted with official HM Revenue & Customs (HMRC) branding and impersonating Jim Harra (HMRC CEO).

Payroll phishing campaigns

  • A recently detected phishing campaign has been impersonating an HR contractor informing employees of additional stimulus being provided and asking recipients to view a payroll report. The document, hosted on Google Docs, comes with an embedded link for the download of a malicious file. Oddly, unsuspecting users are instructed to preview the document via their corporate desktop computers. 

  • Another phishing campaign features emails seemingly coming from Human Resources and Payroll Administrative Head, urging recipients to attend an important Zoom performance review meeting scheduled to start shortly.

Compromised business emails

While the executives of three British private equity firms thought they had closed an investment deal with some startups, a sophisticated cybercrime group dubbed “The Florentine Banker” managed to trick them into wire-transferring a total of $1.3 million to the wrong bank accounts. Some of the techniques used during different phases of the attack:

  • Registration of lookalike domains
  • Spear-phishing emails to high-profile individuals to gain control
  • Reconnaissance to understand the business and roles within the organization
  • Tampering with mailbox rules to divert relevant communication to less commonly used folders such as RSS Feeds
  • Email monitoring and communication on behalf of victims
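Lookalike registrations, listed first above and also behind the Netflix-themed domains mentioned earlier, can be screened for in newly observed sender or link domains. The following is an added example, not part of the original report; the brand list, the substitution table and the tested domains are assumptions chosen for illustration, and it handles ASCII names only.

```python
# Added example; brands and substitutions below are illustrative assumptions.
BRANDS = {"netflix": "netflix.com", "disneyplus": "disneyplus.com", "skype": "skype.com"}
# Character swaps commonly used to make a label look like a brand.
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(label: str) -> str:
    """Undo common swaps and drop hyphens so 'netf1ix' compares equal to 'netflix'."""
    for fake, real in SWAPS:
        label = label.replace(fake, real)
    return label.replace("-", "")


def classify(domain: str):
    """Return (brand, reason) if the domain imitates a protected brand, else None."""
    domain = domain.lower().rstrip(".")
    for legit in BRANDS.values():
        if domain == legit or domain.endswith("." + legit):
            return None  # the brand's own domain or one of its subdomains
    for label in domain.split(".")[:-1]:  # every label except the TLD
        skel = skeleton(label)
        for brand in BRANDS:
            if brand in skel:
                return brand, "brand-in-label"
            if abs(len(skel) - len(brand)) <= 1 and edit_distance(skel, brand) == 1:
                return brand, "one-edit-typo"
    return None
```

Matches are candidates for review or for a mail-gateway warning banner, not verdicts: a label that merely contains a brand name can be legitimate.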

So-called business email compromise (BEC) attacks have increased in recent years. It is not uncommon for similar attacks to target Finance and Accounting departments in an attempt to divert funds intended for product and service suppliers to bank accounts controlled by fraudulent parties.
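The mailbox-rule tampering listed among the techniques above can be hunted for by auditing exported inbox rules. The following is an added example, not part of the original report: the rules are constructed, their field names follow the properties returned by Exchange's Get-InboxRule cmdlet plus a Mailbox column assumed to be added during export, and the folder and keyword lists are assumptions to tune.

```python
# Constructed sample export; the Mailbox column is assumed to be added on export.
SAMPLE_RULES = [
    {"Mailbox": "cfo@example.com", "Name": "Newsletters", "Enabled": True,
     "FromAddressContainsWords": ["news@vendor.example"], "MoveToFolder": "Newsletters"},
    {"Mailbox": "cfo@example.com", "Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "wire transfer"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Mailbox": "ap@example.com", "Name": "sync", "Enabled": True,
     "ForwardTo": ["ap@examp1e.com"], "DeleteMessage": True},
]

# Folders users rarely open (assumed list; "RSS Feeds" is the one the report names).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items"}
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
CONDITION_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords")
MONEY_WORDS = ("invoice", "payment", "wire", "bank", "transfer")


def findings_for(rule, own_domains):
    """List the reasons a rule looks like mail diversion; empty if none."""
    found = []
    if str(rule.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
        found.append("moves-to-rarely-read-folder")
    if rule.get("DeleteMessage"):
        found.append("deletes-message")
    targets = [a for f in FORWARD_FIELDS for a in rule.get(f) or []]
    if any(a.rsplit("@", 1)[-1].lower() not in own_domains for a in targets):
        found.append("external-forward")
    if not found:
        return []  # no diverting action: an ordinary filing rule
    # Context that raises priority once a diverting action is present.
    words = [w.lower() for f in CONDITION_FIELDS for w in rule.get(f) or []]
    if any(m in w for w in words for m in MONEY_WORDS):
        found.append("financial-keywords")
    if rule.get("MarkAsRead"):
        found.append("marks-as-read")
    return found


def audit(rules, own_domains):
    """Map (mailbox, rule name) to findings for every enabled suspicious rule."""
    report = {}
    for rule in rules:
        hits = findings_for(rule, own_domains) if rule.get("Enabled", True) else []
        if hits:
            report[(rule["Mailbox"], rule["Name"])] = hits
    return report
```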

In times of physical isolation, people are virtually connected more than ever. From the comfort of their homes, with personal devices supporting work-from-home and study-from-home setups, individuals and organizations are more exposed to cybercrime operations. Free products and services, P2P torrent sites and viral videos on social media about fun indoor physical exercises could all be exploited by malicious parties.

As always – be vigilant, stay alert, think twice.

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website or by e-mailing


Amatas, Computer Weekly, Infosecurity Magazine, Mimecast, Dark Reading, ZeroFOX, Bitdefender, Help Net Security, Abnormal Security, Cyware, Check Point, Cofense, Tripwire, Bleeping Computer, Vitali Kremez, The Hacker News