Hackers Targeting Japan by Leveraging Coronavirus Scare to Spread Emotet

e-Crime threat actor Mummy Spider has been observed capitalizing on the current Coronavirus scare by using the outbreak as a phishing attack theme. The attackers have crafted official-looking emails in an attempt to lure unsuspecting victims into opening a document infected with Emotet:

The emails falsely claim that there are reports of coronavirus patients in the Gifu, Tottori and Osaka prefectures in Japan, urging victims to read an attached Microsoft Word document which contains the Emotet trojan. The messages are particularly dangerous because they were made to look like official government emails, equipped with legitimate addresses, phone numbers and emails.

The emails have predominantly been composed in native Japanese language, and have spoofed a number of prefectural governments across Japan, to include the Kyoto Prefectural Yamashiro Minami Public Health Center.

Malicious actors, especially e-crime adversaries, often use current events in spear-phishing campaigns. Playing on people's fears is quite common, and leveraging official-looking communications makes it difficult for the average citizen to discern what is true from what is fake.

If you are a recipient of these types of emails, before opening any attachments ask yourself the following question: did I provide my email address to the Ward Office or City Hall?

If the answer is no, then quite obviously do not open the attachment because it is most likely malicious.

If the answer is yes, then cross-reference the communication with what is listed on their web site, or even call to check if this is valid. Local governments will generally not inform their inhabitants via email with a requirement to open an attachment. They will generally post important information on their web site, and social media accounts, as email cannot be trusted. Even in Japan.

As a general rule, never open an unsolicited email attachment unless you are one-hundred percent sure of its authenticity.

e-Skimming: FBI Warns of New Online Threat to Personal and Credit Card Information

Never heard of e-skimming until today? It is when threat adversaries compromise an e-commerce web site, whether through a vulnerability in the web server or the e-commerce software, and then introduce malicious code into the checkout process. The code is designed to send both the buyer's personal and credit card details to the attackers, which are then later used for fraudulent purchases. What makes e-skimming terrible is that users have no way of knowing the web site has been compromised until it is too late:

This new type of skimming is called e-skimming or Magecart.

Cybercriminals[sic] can gain access to your personal and credit card information in a number of ways. They can break into a web server directly or break into a common server that supports many online shopping websites to compromise them all and once a site has been compromised, the shopper can’t spot the difference.

“It’s nearly impossible for a consumer to detect that this has happened to them before the actual occurrence. The site that they would look at, which is already infected, would look no different to a consumer,” Stapleton said.

How do you avoid being the victim of e-skimming? There are a few important things to do:

  • Use reputable web sites for online purchases, such as the Amazons and Rakutens of the world, to name a couple of examples.
  • Use a credit card, not debit card, when shopping online. Credit cards generally have fraud protection whereas debit cards do not. A bank account can be drained quite rapidly through debit card loss, and in most cases the funds are not replaceable. Contrast that with a credit card which has safety mechanisms built-in.
  • Use a specific credit card only for online purchases, and one with a very low credit limit. This can restrict the amount of damage an attacker can do with a stolen card.
  • Check credit card and bank account balances often. If either has an application with push notifications, ensure those are configured to alert on large purchases and failed transactions.

At the end of the day this is all about paying attention to detail and limiting risk by taking some specific actions. Catching e-skimming is nearly impossible as a customer, which is why the above is exceedingly important.
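
The shopper cannot see an injected skimmer, but the site operator can audit what the checkout page loads. The following is an added example, not code from the FBI warning or the quoted article: it flags external scripts from hosts that were never approved, and approved third-party scripts that lack a Subresource Integrity hash (the "common server that supports many online shopping websites" case). The page content, host names and allowlist are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page; every host name here is a placeholder.
SAMPLE_CHECKOUT = """
<html><body>
<script src="/static/cart.js"></script>
<script src="https://cdn.shop.example/pay.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://widgets.shared.example/chat.js"></script>
<script src="https://stats.unknown.example/c.js"></script>
</body></html>
"""

# Hosts the (hypothetical) shop has approved to serve script on checkout.
ALLOWED_HOSTS = {"cdn.shop.example", "widgets.shared.example"}


class ScriptAudit(HTMLParser):
    """Collect findings for every external <script> on a page."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []  # list of (src, reason) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname
        if host is None:
            return  # inline or same-origin script: outside this check
        if host not in self.allowed:
            self.findings.append((src, "host not on allowlist"))
        elif not a.get("integrity"):
            self.findings.append((src, "third-party script without SRI hash"))


def audit_checkout(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (src, reason) findings for the given checkout HTML."""
    parser = ScriptAudit(allowed_hosts)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for src, reason in audit_checkout(SAMPLE_CHECKOUT):
        print(f"{reason}: {src}")
```

This check reads static HTML only and skips same-origin files, so a skimmer written into the shop's own scripts or injected at runtime needs file-integrity monitoring and a Content-Security-Policy to catch.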