The surge in activity occurred on March 11, when the World Health Organization (WHO) declared the virus a pandemic. Since then the number of such emails has been increasing daily. Data has shown that COVID-19-themed attacks are much more successful than typical phishing attacks. Researchers have found that in recent emails cybercriminals use various delivery strategies, for example embedding the lure in PDF files and abusing SaaS services. In one example, an attacker sent key employees of a company an email about salary reductions and stole their personal data.

Researchers also noted that spyware was the most common attachment type in these emails, with backdoors in second place. The most common spyware programs are the AgentTesla, NetWire, and HawkEye keyloggers and info stealers. With the AgentTesla keylogger, the infection cycle typically starts with a malicious Office document that arrives as an email attachment. The document uses social engineering tactics to lure the user into running the embedded macro, which then downloads and installs the malware executable. With the NetWire RAT, a criminal sends a phishing email with a malicious attachment to an employee working on a POS computer. If the employee opens the attachment, malware that harvests card data is downloaded and installed. Without proper security protections in place, these infections can remain undetected for months or years.
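The infection chain above (Office attachment, embedded macro, downloaded executable) can be cut at the first link by triaging attachments before they reach a user. The following is an added example, not code from the page or from any vendor it cites: a small Python triage routine that flags macro-enabled Office attachments, OOXML files that carry a `vbaProject.bin` part (including ones disguised under a `.docx` extension), and legacy OLE2/RTF containers. The sample attachments are constructed in memory, the `vbaProject.bin` contents are placeholder bytes rather than real macro storage, and the `triage_attachment` function is a hypothetical hook a mail gateway would call.

```python
"""Attachment triage for the macro-based delivery chain (added example, not the page's code)."""
import io
import os
import zipfile

# Extensions that are macro-enabled by design, and legacy formats that can carry VBA or exploits.
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
LEGACY_OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot", ".rtf"}
# Magic bytes of an OLE2 compound document (the container used by legacy .doc/.xls/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML zip used as sample input; the macro part is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA storage
    return buf.getvalue()


def contains_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) container carries a VBA project part, e.g. word/vbaProject.bin."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Hypothetical gateway hook: return findings and a verdict (allow / review / quarantine)."""
    ext = os.path.splitext(filename.lower())[1]
    findings = []
    if ext in MACRO_ENABLED_EXTS:
        findings.append("macro-enabled extension")
    if ext in LEGACY_OFFICE_EXTS:
        findings.append("legacy Office/RTF format")
    if data.startswith(OLE2_MAGIC):
        findings.append("OLE2 compound container (can embed VBA)")
    if contains_vba_project(data):
        findings.append("vbaProject.bin present")
        if ext not in MACRO_ENABLED_EXTS:
            # A macro project inside a file whose extension claims it has no macros.
            findings.append("extension hides macro content")
    if data.startswith(b"{\\rtf") and ext != ".rtf":
        findings.append("RTF content under non-RTF extension")

    if "vbaProject.bin present" in findings:
        verdict = "quarantine"   # confirmed macro payload: hold for analyst review
    elif findings:
        verdict = "review"       # risky container type, but no macro proven yet
    else:
        verdict = "allow"
    return {"filename": filename, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    samples = [
        ("report.docx", build_sample_ooxml(with_macro=False)),
        ("salary_update.docm", build_sample_ooxml(with_macro=True)),
        ("invoice.docx", build_sample_ooxml(with_macro=True)),
        ("old_form.doc", OLE2_MAGIC + b"\x00" * 8),
    ]
    for name, blob in samples:
        print(triage_attachment(name, blob))
```

The verdict tiers map onto the page's point: a file with a confirmed VBA project is the exact artifact the AgentTesla chain relies on and is held, while legacy containers that merely could carry macros go to review rather than being blocked outright, which keeps false positives on ordinary business documents manageable.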
Keyloggers expose more than just card data; credentials for online accounts and applications such as email, property management systems (PMS) and internet browsers are also at risk. Other sensitive information typed by the user, including phone numbers, addresses and details from phone orders can also be compromised.
Using the combination of a RAT with keylogging capabilities, a criminal could gather the information needed to commit identity theft and further compromise an organization's network. HawkEye is a keylogger and credential-stealing malware that is usually spread through fraudulent emails and malicious Microsoft Word, Excel, PowerPoint, and RTF files. The keylogger is able to log keystrokes, capture screenshots, and send stolen data to its operators through encrypted email.