As the coronavirus crisis continues to capture everyone’s attention, cybercriminals stay busy running scams and delivering malware using the attention-getting virus as a lure. The threats from the scammers and crooks, which began as early as January and continue unabated, range from tricking people out of their financial data to delivering pernicious malware.

Although some scammers use novel techniques to commit their crimes, many schemes rely on tried-and-true phishing methods that exploit unpatched software flaws that sometimes have stayed unfixed for years. On April 1, the US Secret Service (USSS) sent out an information alert, “Fraudulent COVID-19 Emails with Malicious Attachments,” that warns about messages masquerading as COVID-19 status emails from employers, merchants and other businesses.

The USSS has uncovered attempted attacks that, using these faux alerts, sought to remotely install malware on the infected system to “harvest financial credential, install keyloggers, or lockdown the system with ransomware.” The malicious attachments are usually Microsoft Office or WordPad file types that exploit a now-patched vulnerability in Microsoft Office, according to the alert. However, the Secret Service says that variations exist and attack vectors evolve.

Patch Microsoft Office vulnerability CVE-2017-11882

Mark Coleman, assistant to the special agent in charge at the USSS’s Criminal Investigative Division, tells CSO that the malware spreaders were seeking to exploit the two-decades-old Microsoft Office memory corruption vulnerability CVE-2017-11882, for which Microsoft released a security patch in November 2017.
CVE-2017-11882 is a common, and even “prolific,” technique for attackers to spread malware, involved in over 600 incidents through the first three quarters of 2019, according to researchers at Cofense.

The Secret Service also said that phishing emails disguised as coming from a hospital, notifying the recipient that they might have come in contact with a coronavirus-infected person, also carry malware attached to a downloadable Excel file, which exploits the same Office flaw. “Similar to the fraudulent corporate COVID-19 emails, these were Excel .XLSM files that likely were attempting to exploit the same CVE-2017-11882 Microsoft Office vulnerability,” says Coleman.

The malware can steal login credentials, open shares on the network, and view all files and folders, as well as discover and take cryptocurrency information. A variation on this attack is an email purportedly from the US Department of Health and Human Services (HHS) targeting medical suppliers, asking them to provide protective medical equipment from an attached list that contains malware.

The HHS scammers sent emails that contained a .EXE file attachment that carried a .PDF extension prefix in the file name, Coleman says, a technique used to fool the recipients into believing they were opening a PDF file containing a list of needed supplies. Coleman says they think the executable deployed Agent Tesla to the potential victim user, which logs keystrokes and captures credentials. Agent Tesla is a time-tested piece of malware that also exploits CVE-2017-11882. It has been sold to thousands of cybercrooks who pay subscription fees at varied levels to license the software.

Multiple reports of COVID-19 scams

This combination of exploiting an irresistible topic and old and unpatched vulnerabilities is powerful.
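The attachment tricks the Secret Service describes above (an .EXE wearing a .PDF prefix in its file name, and macro-enabled .XLSM workbooks aimed at CVE-2017-11882) can be caught at the mail gateway before a user ever opens them. The Python triage function below is an added illustration, not code from the article, CSO or the USSS alert; the sample attachments and the finding strings are constructed for the demonstration.

```python
"""Mail-gateway attachment triage for the lures described in the article.

Added illustration only; not code from CSO or the Secret Service alert.
It flags a decoy extension in front of an executable one ('list.pdf.exe'),
macro-enabled Office containers of the .XLSM kind, and content whose magic
bytes contradict the declared extension (a 'PDF' that is really a PE file).
"""

EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MACRO_EXTS = {"xlsm", "docm", "pptm", "xlam", "dotm"}
OOXML_EXTS = MACRO_EXTS | {"xlsx", "docx", "pptx"}
MAGIC = {"pdf": b"%PDF", "exe": b"MZ", "scr": b"MZ", "jpg": b"\xff\xd8\xff"}
ZIP_MAGIC = b"PK\x03\x04"  # Office Open XML files are ZIP archives


def triage(filename: str, data: bytes) -> list:
    """Return the reasons an attachment deserves quarantine (empty if none)."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) == 3 and ext in EXEC_EXTS and parts[1] in DECOY_EXTS:
        # 'ppe_supply_list.pdf.exe': the user sees 'pdf', Windows runs 'exe'
        reasons.append(f"double extension hides executable: .{parts[1]}.{ext}")
    elif ext in EXEC_EXTS:
        reasons.append(f"executable attachment: .{ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled Office file: .{ext}")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        kind = "Windows executable" if data.startswith(b"MZ") else "unknown"
        reasons.append(f"content ({kind}) does not match .{ext} extension")
    if ext in OOXML_EXTS and not data.startswith(ZIP_MAGIC):
        reasons.append(f"content is not an OOXML (ZIP) container for .{ext}")
    return reasons


# Constructed sample attachments modelled on the lures in the alert.
SAMPLES = {
    "ppe_supply_list.pdf.exe": b"MZ\x90\x00" + bytes(60),  # EXE with .PDF prefix
    "covid_contact_notice.xlsm": ZIP_MAGIC + bytes(60),    # macro-enabled workbook
    "invoice.pdf": b"MZ\x90\x00" + bytes(60),              # PDF by name, PE by content
    "status_update.pdf": b"%PDF-1.7\n" + bytes(60),        # benign
}


def triage_all(samples=SAMPLES) -> dict:
    """Map each sample filename to its list of findings."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name}: {'; '.join(reasons) or 'no findings'}")
```

Magic-byte checks only catch the crude mismatches; an exploit document for CVE-2017-11882 is a well-formed Office container, so macro-enabled and Office attachments flagged here still belong in a sandbox rather than being passed on a clean signature scan.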
“It is extremely normal for people that target vulnerabilities to use really old vulnerabilities,” Roger Grimes, a former security specialist at Microsoft and now a data-driven defense evangelist at KnowBe4, tells CSO. Around 25% of organizations never get around to applying any given patch after it’s pushed out, he says.

This creates the perfect conditions for wildly successful phishing campaigns. Around 80% to 90% of all successful exploits happen because of social engineering, Grimes says, and 20% to 40% of successful exploits happen because of unpatched software. Together they account for 90% of all risks within organizations.

“We’ve seen a 670% increase in phishing in March, mostly because of COVID campaigns. It’s amazing how much effort and vigor phishers have,” Grimes says.

Whether using proven or novel methods, scammers and malware purveyors show no signs of slowing down as they piggyback on the fears surrounding coronavirus:

- Like the Secret Service, the Better Business Bureau received reports of individuals posing as HHS employees using SMS messages to spread word of a supposed online coronavirus test, which in reality led to data-stealing malware.
- Researchers at KnowBe4 reported the same kind of “you’ve come into contact with a coronavirus-infected person” phishing email that the Secret Service referenced. This phishing campaign delivers malware that serves as a trojan downloader and is detected by only a handful of major anti-virus applications.
- Researchers at IBM X-Force Threat Intelligence identified emails claiming to be sent by the US SBA that appear to be a confirmation email for an application for disaster assistance. Instead, the emails deliver attachments that, when opened, execute Remcos malware that installs a remote access Trojan (RAT).

Relatively early in the coronavirus crisis in Western nations, the UK’s NCSC warned of phishing campaigns pegged to the outbreak, saying back in mid-March that cybercriminals were creating phishing landing pages at a rapid clip.

Worldwide crackdown on COVID-19 scammers

Consequently, law enforcement agencies worldwide are vowing to crack down on the criminals riding in on the wave of this deadly disease. US Attorney Offices around the nation have announced their active interest in prosecuting cybercriminals, including the US Attorney’s Offices for the Southern District of California and the Western District of Louisiana.

Earlier this week, the US Attorney’s Office in South Carolina even formed a “COVID Strike Team” that pulls from a broad group of law-enforcement resources, including the US Attorney’s Office, federal law enforcement officers from an array of agencies, officers with the South Carolina Law Enforcement Division (SLED), and members of the South Carolina Attorney General’s Office.

Other countries are pushing to prosecute COVID cybercriminals. This week Australia announced that its Signals Directorate is mobilizing its offensive capabilities to bring down any criminals that exploit the COVID-19 crisis.

USSS’s Coleman says that working with local law enforcement is key to nipping these scams in the bud. “As a leading federal agency responsible for investigating complex cyber-enabled fraud schemes and training state and local partners how to do the same, we believe in partnerships which act as a force multiplier,” he says.
“By so quickly and frequently disseminating criminal intelligence on real-time threats to the general public and other stakeholders, we are able to reduce the effectiveness and success of these emerging COVID-19 frauds.”

In the meantime, a joint alert from the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), issued on April 8 regarding the exploitation of COVID-19 by malicious cyber actors, offers a series of steps organizations can take to mitigate the risk of these actors causing damage. Regarding the kinds of phishing schemes flagged by the Secret Service, the guidance recommends that organizations:

- Make it difficult for attackers to reach your users.
- Help users identify and report suspected phishing emails (see CISA Tips, Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams).
- Protect your organization from the effects of undetected phishing emails.
- Respond quickly to incidents.