The Eastern District of Virginia unsealed documents yesterday that describe Microsoft’s efforts to deter cybercriminals attempting to defraud customers by exploiting COVID-19. The new civil case allows the company to seize control of crucial domains that make up the criminal infrastructure, rendering it unable to perform cyber attacks.
According to yesterday’s press release, “Microsoft’s Digital Crimes Unit (DCU) first observed these criminals in December 2019, when they deployed a sophisticated, new phishing scheme designed to compromise Microsoft customer accounts.” The criminals allegedly tried to access emails, contact lists, and other sensitive information belonging to Microsoft customers using business email compromise (BEC) attacks. Although the company blocked much of the criminal activity, “Microsoft [recently] observed renewed attempts by the same criminals, this time using COVID-19-related lures in the phishing emails to target victims.”
BEC attacks have increased in prevalence over the last few years. They are essentially phishing emails designed “to look like they originated from an employer or other trusted source.” The recent phishing efforts “contained messages regarding COVID-19 as a means to exploit pandemic-related financial concerns and induce targeted victims to click on malicious links.” The links often prompted victims to grant access to their personal information. Microsoft suggested that its customers enable two-factor authentication on all accounts for protection against the attacks.
The FBI’s 2019 Internet Crime Report stated that BEC attacks are among the most costly complaints received by the Internet Crime Complaint Center (IC3) and represented about $1.7 billion in losses. COVID-19 phishing scams are on the rise, according to the Department of Justice.