The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Scammers are already targeting the next round of coronavirus relief checks


with Aaron Schaffer

Cybercriminals are flooding potential victims with scams using the pending coronavirus relief plan as bait.

That's according to a new report by researchers at cybersecurity firm Proofpoint. 

Stimulus checks outlined in the bill, which is expected to be passed by the House as early as today, have not been sent out yet. But already last week researchers discovered a campaign of thousands of emails that sought to trick Americans into filling out a phony form to “apply” for American Rescue Plan checks from the Internal Revenue Service. 

The emails encouraged recipients to download an Excel sheet which, once downloaded, launched a malicious software known as a Dridex that steals personal banking information and other login credentials. In reality, the payments are calculated and sent by the government automatically based on your taxes. 

This is just the latest example of how the global coronavirus crisis has spawned more scams than any other event in the past decade. 

“Pandemic-themed attacks remain ever-present, and we’ve never observed such a convergence around a single social engineering lure for such an extended time,” Sherrod DeGrippo, senior director for threat research and detection at Proofpoint, writes in the report. “These campaigns transcend borders, languages, and industries.”

The Proofpoint report also notes that hackers are playing on uncertainties around the pandemic and vaccine distribution to try to steal tax forms including W2, W9 and 1099 from businesses. 

Other emails that researchers found contained malicious software purported to be from Centers for Disease Control and Prevention, the, Department of Health and Human Services (HHS), the World Health Organization (WHO), and delivery company DHL. 

Researchers expect to see pandemic-themed financial scams escalate through the spring.

Hackers regularly impersonate the IRS around tax season. The ongoing pandemic has offered hackers an endless flow of new ways to manipulate potential victims.

As we get into tax season, plus the stimulus on top of that, I just see that there's going to be an epidemic of these as we get closer to April 15th, says Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. 

Campaigns such as those tracked by Proofpoint often serve as a jumping-off point for even more damaging cybercrime. The hackers behind the crimes often serve as initial brokers, selling the stolen credentials to other hackers to use. In some cases, hackers use the initial attacks to plant malware such as ransomware to reap a payday later on.

The scams could have lasting ramifications well past initial relief payments.

Proofpoint has identified a business link between the group behind W2 scams and fraudsters in Western Africa, specifically Nigeria, who have been accused of using stolen identities to commit unemployment fraud during the pandemic in states including Washington. 

More broadly, an initial report by the Labor Department inspector general found that scammers including cyber criminals stole at least $36 billion in unemployment benefits last year.

Given how many people are getting tax benefits and tax credits that they wouldn't have gotten before that, the value of that stolen W-2 just went up and cyber criminals will not have ignored that in the [stimulus package]," says Kalember.

Anticipating a new wave of fraud following the new relief bill, the state of California hired three outside cybersecurity firms to verify worker identities, the Los Angeles Times reports.

Government officials are also preparing for a new wave of scams.

The IRS warned last month of a scam email impersonating the agency asking tax professionals to share their electronic filing identification numbers. The scammers could use the information to file fraudulent tax returns.

A tip sheet released by the National Cybersecurity Alliance and the Internal Revenue Service yesterday warns individuals to be skeptical of any phone calls, emails or texts claiming to be from the IRS. The agency will almost always initiate contact through USPS first, it says.

The keys

China-linked hackers targeted SolarWinds software, researchers say.

Hackers from the Spiral hacking group used SolarWinds’s Orion software to gain access to a victim’s network last year, Secureworks researchers say

The researchers said that “characteristics of the activity suggest the group is based in China.” 

With access to the victim’s network, the Spiral hackers “would have been able to access intellectual property and data on customers of the victim, both of which would help with espionage goals,” Don Smith, senior director of cyber intelligence at Secureworks, told CyberScoop’s Sean Lyngaas.

Lawmakers say they’re reintroducing legislation to hold nation-state hackers accountable.

A bipartisan group of lawmakers led by Rep. Colin Allred (D-Tex.) is reintroducing a bill that would strip sovereign immunity from the hackers in U.S. courts, Allred’s office said in a statement. The bill was first introduced by Rep. Jack Bergman (R-Mich.) in 2019, and 67 lawmakers from both parties co-sponsored the legislation last Congress.

In 2019, Bergman and Rep. Andy Kim (D-N.J.) argued in an op-ed for the Hill that if Congress does not take action on foreign immunity for hackers, “foreign governments can continue to intimidate and silence Americans, invading their privacy and disrupting our democracy.”

A lawmaker announced a bill to ban wireless technology from voting machines.

The bill by Rep. Bob Gibbs (R-Ohio), which Gibbs’s office said was co-sponsored by three other Republican lawmakers, aims to ban “any wireless components” from being used in voting machines starting in 2022. It comes on the heels of new voting guidelines approved by the Election Assistance Commission that required that voting machines’ wireless capabilities be disabled but did not outright ban the technology from the machines. Some security experts said that requirement did not go far enough in reigning in the possibility of attacks on U.S. voting systems.

“After such a contentious election, taking steps that actually reduce Americans’ confidence is the last thing Congress or the EAC should be doing,” Gibbs said in a statement, later noting that “it makes absolutely zero sense for a federal agency responsible for assisting states in securely and safely administering their elections to actually weaken security standards.”

Global cyberspace

China hacking concern revives India cybersecurity plan focus (Bloomberg)

Cyber insecurity

Spanish police arrested scammers who impersonated banks in text messages.

The four are accused of managing a malware strain that affected as many as 60,000 Android devices and were arrested, the Record’s Catalin Cimpanu reports. Researchers say that the group stole 11 million phone numbers, the equivalent of 25 percent of Spain’s population. The malware, known as FluBot, tricked users into entering their log-in information on fake bank log-in pages that sent the credentials to the hackers. 

Ransomware gang fully doxes bank employees in extortion attempt (Motherboard)

The network

Network expert Chris Finan is launching a cybersecurity start-up.

Chris Finan, a director for cybersecurity legislation and policy in President Barack Obama’s National Security Council, is the chief operating officer of ActZero, a newly-launching cybersecurity company focused on protecting small and medium-size businesses from ransomware with artificial intelligence and machine learning. The start-up’s CEO is Sameer Bhalotra, the Obama administration’s senior director for cybersecurity, and the company is backed by Point72 Hyperscale.


  • Rep. Jim Langevin (D-R.I.), the chair of the House Armed Services Committee’s cyber panel; Eric Goldstein, the Cybersecurity and Infrastructure Security Agency’s executive assistant director for cybersecurity; and Debra Jordan, the deputy chief of the Federal Communications Commission’s homeland security bureau, speak at an event hosted by the Center for Strategic and International Studies today at 11 a.m. 
  • The Aspen Institute hosts an event on international Internet blackouts today at noon.
  • Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, and Eric Goldstein testify before a House Appropriations Committee panel on Wednesday at 10 a.m.
  • Secretary of State Antony Blinken testifies before the House Foreign Affairs Committee on the United States’ foreign policy priorities on Wednesday at 1:30 p.m.
  • U.S. Cyber Command executive director Dave Frederick speaks at an event hosted by the Intelligence and National Security Alliance on Wednesday at 4:30 p.m.
  • A House Judiciary committee panel holds a hearing on technology competition and the press on Friday at 10 a.m. Microsoft president Brad Smith, whose company said China and other hackers attacked its email software recently, is expected to testify.
  • Former Google CEO Eric Schmidt, the chairman of a government commission on artificial intelligence, testifies with other commissioners at a joint hearing on Friday at 11 a.m.

Chat room

White House officials have pushed back on the New York Times's report that they are preparing “cyberstrikes” on Russia in retaliation for the cyberattack on SolarWinds and other software. CNBC's Eamon Javers:

Journalist and author Michael Weiss:

Politico's Eric Geller:


Georgetown Center for Security and Emerging Technology founding director Jason Matheny will join the Biden administration as deputy assistant to the president for technology and national security, deputy director for national security at White House Office and Science Technology Policy, and coordinator for technology and national security at the NSC.

Secure log off