Phishing attacks targeting India about to be launched to steal COVID-19 aid; CERT-IN issues advisory

Phishing attacks targeting India about to be launched to steal COVID-19 aid; CERT-IN issues advisory

A North Korean sponsored hacking group famously known as Lazarus, has devised a plan to launch large scale phishing attacks through fake mails designed as COVID-19 relief efforts. The target of the attack are countries like US, UK, South Korea, Japan, Singapore, and India, where the respective governments extended incentives to deal with the pandemic.

These phishing emails are designed to route recipients to fake websites where they will be misled into disclosing personal and financial information.

As per security research firm CYFIRMA, there is a common thread across six targeted nations in multiple continents – the governments of these countries have announced significant financial support to individuals and businesses in their effort to stabilize their pandemic-ravaged economies.

Of these countries, Korea government allocated a total of US$200B of emergency relief funds; Indian government announced Rs 20 lakh crore package; Singapore announced almost SGD 100B; Japan announced funds of about 234 trillion yen; America set aside trillions of dollars to sustain its economy, and the UK government also came out with a pandemic recovery strategy.

As per researchers, the attackers plan to take advantage of on these announcements to bait vulnerable individuals and companies into falling for the phishing attacks. Given the potential victims are likely to be in need of financial assistance, this campaign carries a significant impact on political and social stability. The campaign is designed to mimic government agencies, departments, and trade associations who are tasked to oversee the distribution of the financial aid.

Image Source: CYFIRMA

For launching campaign in India, attackers are claimed to have 2 million individual email IDs. The strategy is to send emails with the subject “Free COVID-19 testing” to all residences in Delhi, Mumbai, Hyderabad, Chennai, and Ahmedabad provoking them to share personal information.

In light of the phishing campaign to be launched on India, CERT-IN has laid out a list of best practices to be followed in order to prevent falling for the phishing attack:

  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints
  • Block/restrict connectivity to the malicious domains/IPs shared by CERT-In from time to time. If any of the machines are found contacting them, take volatile evidence, isolate the machine, start necessary mitigation and containment procedures. Take forensic image of the machine for root-cause analysis. It is recommended to restore the system from a known good back up or proceed to a fresh installation.
  • Keep up-to-date patches and fixes on the operating system and application software such as client side softwares, including Adobe Products (Reader, Flash player), Microsoft Office suite, browsers & JAVA applications.
  • Restrict execution of PowerShell/WSCRIPT in enterprise environment. Ensure installation and use of the latest version (currently v6.2.2) of PowerShell, with enhanced logging enabled, script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  • Control outbound DNS access. Permit internal enterprise systems to only initiate requests to, and receive responses from, approved enterprise DNS caching name servers. Monitor DNS activity for potential indications of tunneling and data exfiltration, including reviewing DNS traffic for anomalies in query request frequency and domain length, and activity to suspicious DNS servers. The dnscat2 tool alternates between CNAME, TXT, and MX records when it is operating. Investigate abnormal amounts of these records going to the same second level domain, or a group of second level domains.
  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  • Consider deploying Microsoft’s Enhanced mitigation Experienced Toolkit (EMET) which provides end node protection against zero-day vulnerabilities and blocks and prevents memory-based attack approaches.
  • Enhance the Microsoft Office security by disabling ActiveX controls, Macros, Enabling Protect View, File Protection Settings.
  • Apply software Restriction policies appropriately. Disable running executables from unconventional paths.
  • Protect against drive-by-downloads through controls such as Browser JS Guard
  • Leverage Pretty Good Privacy in mail communications. Additionally, advise the users to encrypt / protect the sensitive documents stored in the internet facing machines to avoid potential leakage
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e. the extension matches the file header).
  • Block the attachments of file types, “exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf”
  • If using VPN services to access organizational networks, consider configuring mandatory 2 Factor authentication. It is recommended to consider an additional form of authentication, prior to granting access to internal network resources.
  • Consider limiting users’ access using VPN services to a single IP address at a time. No multiple simultaneous remote access by the same user should be allowed.
  • Consider Geo-limiting users access to known geographical locations. Use Geo Location analysis to identify impossible connections, such as a user calling from 2 points geographically remote in a short period of time.
  • Check if the VPN software writes session data to the remote workstation’s disk. If possible, use a connection method that keeps the data in memory only, preferably encrypted.
  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Enforce a strong password policy and implement regular password changes.
  • Enable a personal firewall on workstations.
  • Disable unnecessary services on agency workstations and servers.
  • Exercise caution when using removable media (e.g. USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs


DMARC, developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email, and additionally has a mechanism that sends the domain owner a report whenever an email fails DMARC validation. This means the domain owner is notified whenever an email sent by an unauthorized third party.

ProDMARC as a product is built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated. Summarizing, ProDMARC helps improve customer and third party trust in email communications.

Combining ProDMARC with ProPHISH, our offering to train your employees not to fall prey to the cyber-attacks, you can ensure that your first line of defense is well prepared not to get phished. ProPHISH provides threat simulation by recreating real life scenarios. This simulation helps in defining your existing employee awareness levels and basis on that, preparing a plan of action to increase employees’ knowledge levels.