Messaging security for evolving threats

COVID-19 SMS Spam Attacks Shift from Panic to Stimulus

Since COVID-19 first emerged as a worldwide threat, Proofpoint has been tracking a significant spike in the number of email and SMS messaging attacks using various COVID-19 themes. In the last 14 days, Proofpoint’s Cloudmark team has observed a significant spike in the number of SMS spam messages containing COVID-19-related content. The SMS attacks began by offering lures to prepare recipients for the pandemic: masks, survival guides, “Netflix premium” subscriptions and other offerings. In the last two days, the SMS attacks have been slowly shifting from lures about preparing for the pandemic to lures around compensation, loans and other financial supports.

First SMS COVID-19 Attack Observed February 27th, 2020

 

 

Proofpoint’s Cloudmark team first began seeing SMS spam using COVID-19 themes and disposable domains:

  • Just Released: The Mask That Will Keep Your Mind More At Ease During The Spread of The New Virus check if they still have them http://3Coronamask.com

The URL in this first SMS message was initially accessible only via a mobile browser, and a screenshot of the final landing page is available below.

SMS COVID-19 Attacks Focus Initially on Preparing for the Pandemic

Up until March 23rd, the spike in SMS COVID-19 spam attacks focused almost exclusively on preparing for the pandemic. A significant number of these attacks used newly created COVID-19-themed spam domains. The public expects governmental organizations and NGOs to be creating legitimate COVID-19 domains during the pandemic, and the spam domains distributed via SMS try to build on that expectation to entice users to follow the call to action in the message. These SMS spam and phishing attacks are being reported by mobile subscribers in area codes across the United States.

 

 

Attack Group #1: Survive the Pandemic and Protect Families

  • http://SafeCovid19.com/N6cG7JX6 [REDACTED NAME], protect your families lives' at [REDACTED POSTAL ADDRESS] this National CRISIS! Don't be a statistic in [REDACTED TOWN]
  • Hey [REDACTED NAME], no one will be safe from the Coronavirus anymore. This is the only survival guide you require to overcome this crisis pgmdl.rest/omd3c1
  • [REDACTED NAME] Coronavirus causing a crisis. Prepare yourself with this option. http://E506.kadt.life to opt-out text Stop ab3

The URL in this SMS message is accessible via multiple browsers, including mobile browsers, and a screenshot of one of the final landing pages is available below.

 

 

Attack Group #2: Focus on Preparing for the Pandemic

Examples include:

  • How well prepared are you for the CoronaVirus Outbreak? Stay safe here cumaskqcoronaz.xyz
  • Due to the Corona outbreak we are giving out emergency grants for groceries: [REDACTED NAME], visit wujucpj.site/OCIYq1FvxE
  • [REDACTED NAME] Coronavirus crisis. Prepare yourself with The Choice Gold card. http://P657.jemte.life 2 opt-out Text Stop ab2

The attack (noted below) relating to Netflix is innocuous multi-level marketing affiliate spam, although the theme again relates to preparing for the pandemic.

  • Because of the Corona outbreak we will give out 5 months of Netflix Premium to keep you entertained: [REDACTED NAME], go to covidflix12.xyz/E7fLNffgB
  • Due to the Corona outbreak we will give out 3 months of Netflix Premium to keep you entertained: [REDACTED NAME], visit flix2years31.xyz/WEDO0QAGyg

The URL in this SMS message is only accessible via mobile browsers, and a screenshot of the final landing page is available below. It is important to note that landing pages can be dynamic, and not every recipient will be presented with these exact landing pages.

 

 

Shift in SMS COVID-19 Attacks as the Focus Moves Towards Compensation and Relief

Since March 23rd, the COVID-19 SMS attacks have shifted, with an increased focus on COVID-19 relief, compensation, loans and funding for rental assistance.

  • Were in a crisis with the Coronavirus. There is an option for lower rent. http://W519.exbt.life to unsb text Stop ab2
  • In this current time of crisis, get your unemployment benefits today http://T145.ashbe.life to unsb text Stop ab8
  • Covid-19 Loan is now ready for use, We have added it to you, to see how much you received Goto: http://s1af.online Or 2 to end
  • mate, this is your unique link to access the $1000 COVID-19 relief for adult individuals online: http://a2ern.info/NbsQZs7EAd claim now or wait for a letter
  • If you need help with cash because of (COVID-19) you have been pre approved for a $2500 advance. Advance here: m6n9.xyz/73929213Reply Stop to Opt Out

The URL in the SMS message below, related to COVID-19 compensation, is only accessible via mobile browsers, and a screenshot of the final landing page is available below.

  • GoodDay, COVID-19 compensation is awaiting your required total. Login to finalize your submission and select option for receipt http://dilpat.online Or 2

 

 

Additional COVID-19 SMS Spam Campaign Highlights

  • 77% of the COVID-19 themed disposable domain attacks originated from Communications Platform as a Service (CPaaS) providers.
  • The top five COVID-19 themed disposable domains include
    • covidflix19.xyz
    • clearcovid19virus.com
    • aircovid19virus.com
    • covidflix20.xyz
    • coronabreath.com
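
An added example, not code from Proofpoint or Cloudmark: a minimal triage pass over messages quoted in this post that labels each lure as preparation-themed or relief-themed and tallies the advertised domains, which is the kind of aggregation behind a shift analysis and a top-domains list. The keyword lists, the TLD list and the naive last-two-labels domain reduction are assumptions of the example; production filtering would use the Public Suffix List.

```python
import re
from collections import Counter

# Theme keywords are assumptions for this example, taken from the lures quoted in this post.
PREPARE_RE = re.compile(r"\b(masks?|survival|prepare|stay safe|netflix)\b", re.I)
RELIEF_RE = re.compile(
    r"\b(loans?|relief|compensation|unemployment|rent|advance|grants?)\b", re.I)

# Schemed or bare URLs. The TLD alternation covers only TLDs seen in the quoted samples.
URL_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+(?:com|xyz|life|online|site|rest|info))\b", re.I)

def extract_domains(text):
    """Return lower-cased domains, naively reduced to the last two host labels."""
    return [".".join(m.group(1).lower().split(".")[-2:]) for m in URL_RE.finditer(text)]

def lure_theme(text):
    """Label a message 'prepare', 'relief', 'mixed' or 'none' by its lure keywords."""
    prepare, relief = bool(PREPARE_RE.search(text)), bool(RELIEF_RE.search(text))
    if prepare and relief:
        return "mixed"
    return "prepare" if prepare else "relief" if relief else "none"

# Messages quoted in this post, grouped by the March 23rd boundary it describes.
SAMPLES = [
    ("before", "How well prepared are you for the CoronaVirus Outbreak? "
               "Stay safe here cumaskqcoronaz.xyz"),
    ("before", "[REDACTED NAME] Coronavirus causing a crisis. Prepare yourself "
               "with this option. http://E506.kadt.life to opt-out text Stop ab3"),
    ("after", "Were in a crisis with the Coronavirus. There is an option for "
              "lower rent. http://W519.exbt.life to unsb text Stop ab2"),
    ("after", "In this current time of crisis, get your unemployment benefits "
              "today http://T145.ashbe.life to unsb text Stop ab8"),
    ("after", "GoodDay, COVID-19 compensation is awaiting your required total. Login to "
              "finalize your submission and select option for receipt http://dilpat.online Or 2"),
]

def summarize(samples):
    """Count lure themes per period and how often each domain is advertised."""
    themes = Counter((period, lure_theme(text)) for period, text in samples)
    domains = Counter(d for _, text in samples for d in extract_domains(text))
    return themes, domains

if __name__ == "__main__":
    themes, domains = summarize(SAMPLES)
    for (period, theme), n in sorted(themes.items()):
        print(f"{period:6} {theme:8} {n}")
    for domain, n in domains.most_common():
        print(f"{n:3} {domain}")
```

Word-boundary matching keeps "current" from triggering the "rent" keyword, and bare links such as `m6n9.xyz/73929213Reply` are picked up without a scheme.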

Tracking COVID-19 SMS Spam Campaigns from Suspect Mobile Network Operators:

 

 

Bulletproof hosting CPaaS are Communications Platform as a Service operators that typically own their own phone numbers and send almost 100% spam and phishing SMS.

Tracking COVID-19 SMS Spam Campaigns from Suspect Bulletproof hosting CPaaS Vendors:

 

 

If you happen to receive any spam or phishing campaigns, please be sure to forward SMS message samples to 7726 or use the spam reporting function built into your Android Messages application. These message samples will be used to train content filtering engines, limiting the effectiveness of these attacks.