Phishing Attack

The document details a case study on a phishing attack targeting the World Health Organization (WHO) during the early COVID-19 pandemic in 2020, where attackers impersonated WHO to steal sensitive information. It outlines various types of phishing attacks, the timeline of the WHO incident, and the response measures taken to mitigate the threat, including enhanced security protocols and employee training. The conclusion emphasizes the need for continuous cybersecurity awareness and proactive defense strategies to protect against evolving cyber threats.

Uploaded by

urvavyas17

Network Security & Management Enrollment No:

23012250410326

Experiment: 01

Aim: Prepare a case study on Phishing Attack on World Health Organization (WHO), 2020

Introduction to the attack :-


Phishing is a deceptive and malicious cybercrime strategy that involves cybercriminals masquerading
as reputable, trustworthy, or familiar entities—such as well-known financial institutions, e-
commerce platforms, government bodies, healthcare organizations, or popular websites—in order
to manipulate individuals into voluntarily disclosing confidential and sensitive information. This may
include usernames, passwords, credit card numbers, social security details, banking credentials, or
other forms of personally identifiable information (PII). The attackers craft seemingly legitimate
communications, often in the form of emails, messages, fake websites, or phone calls, that exploit
human psychology through tactics like urgency, fear, or authority. Victims are typically lured into
clicking on malicious links, downloading infected attachments, or filling out forms on counterfeit
web pages. Once the user falls into the trap, the stolen data can be used for identity theft, financial
fraud, unauthorized access to personal or corporate accounts, or even sold on the dark web.
Phishing remains one of the most prevalent and effective attack vectors in the cyber threat
landscape due to its low cost, ease of deployment, and high success rate in bypassing traditional
technical defenses.

2. Types of Phishing Attacks :-

- Email Phishing
  - Mechanism: The most common type. Attackers send mass emails that appear to be from trusted sources (banks, government, etc.) asking users to click a malicious link or download a harmful file.
  - Impact: Identity theft, financial loss, malware infection, credential compromise.
  - Examples: “You have won a prize. Click here to claim!”

- Spear Phishing
  - Mechanism: Highly targeted attack sent to a specific person or organization. Attackers use personal information (like name, job role, or company) to trick the victim into believing the email is genuine.
  - Impact: Unauthorized access to systems, data breaches, targeted fraud.
  - Examples: A fake email to a company’s finance employee pretending to be their boss asking for an urgent fund transfer.

- Whaling
  - Mechanism: A form of spear phishing that targets high-level executives like CEOs, CFOs, or government officials.
  - Impact: Massive financial fraud, confidential data leaks, business disruption.
  - Examples: Fake legal notices or requests for sensitive business information sent to the CEO.

- Smishing (SMS Phishing)
  - Mechanism: Phishing via SMS text messages. Attackers send fake messages containing malicious links or ask for personal data.
  - Impact: Mobile banking fraud, account takeover, installation of spyware.
  - Examples: 'Your bank account is locked. Click here to verify your identity.'

- Vishing (Voice Phishing)
  - Mechanism: Phishing via phone calls. Attackers impersonate officials or customer service agents to extract sensitive info verbally.
  - Impact: Users share OTPs, card numbers, or passwords; leads to financial theft.
  - Examples: Fake calls claiming to be from your bank, asking for your OTP or PIN.

- Clone Phishing
  - Mechanism: A legitimate email is copied, but its attachment or link is replaced with a malicious one.
  - Impact: Exploits trust, spreads malware or steals login credentials.
  - Examples: A forwarded email from your company’s IT team asking to “update your login credentials.”

- Pharming
  - Mechanism: Users are redirected from a real website to a fake one (without clicking a link) due to DNS poisoning or malware.
  - Impact: Login info stolen without the user clicking a link; used for further attacks.
  - Examples: Typing in your bank's correct URL but getting redirected to a fake login page.

- Angler Phishing (Social Media Phishing)
  - Mechanism: Attackers impersonate customer support or company representatives on social media.
  - Impact: Data theft, tricking users into clicking on phishing links or fake login portals.
  - Examples: A fake Twitter handle replies to your complaint and asks you to 'log in here to verify your identity.'

3. Real-World Example:

WHO Phishing Attack (March–April 2020) :-

During the early phase of the COVID-19 pandemic in March 2020, the World Health Organization (WHO) was targeted by a phishing campaign launched by advanced cyber threat actors. Exploiting the global panic, attackers created fake websites and email addresses to impersonate WHO’s internal systems and staff. The primary aim was to steal credentials of WHO employees and partners to gain unauthorized access to confidential pandemic-related information. This attack occurred at a time when the WHO was leading global coordination on pandemic response, making it a high-value target for cyber espionage.

Detailed Timeline and Impact :-

- Early March 2020: WHO’s IT security team noticed suspicious domain registrations mimicking WHO infrastructure.
- Mid-March 2020: Threat actor group “DarkHotel” launched a phishing campaign using a fake WHO login portal (who-safety.org).
- March 13, 2020: WHO publicly confirmed an increase in phishing attempts, especially those impersonating COVID-19 response portals.
- Late March 2020: Multiple WHO staff members received phishing emails with links to the fake portal.
- April 2020: The attackers were unable to fully breach the WHO network, but the attempted intrusion was confirmed. WHO cyber teams and partner organizations investigated and neutralized the threat.

Day 0 (Early March 2020) :- Initial Threat Detected
- WHO’s IT team noticed suspicious domain registrations closely resembling official WHO URLs (e.g., who-safety.org).
- Phishing emails mimicking WHO COVID-19 portals began circulating.
- Challenge: Detecting lookalike domains quickly enough, before they were used in phishing campaigns.
- Immediate Response: Internal security teams flagged and began tracking phishing indicators. Started collaboration with external cybersecurity firms.

Day 1–3 :- Phishing Campaign Launch
- WHO employees began receiving phishing emails containing links to the fake login portal.
- Emails were highly personalized, likely built from prior data leaks or open-source information.
- Challenges: Preventing staff from clicking malicious links. Verifying the scale of phishing attempts and identifying victims.
- Immediate Response: Affected users were instructed to reset credentials. Email systems were updated with enhanced filtering rules. A public advisory warning was issued to staff and global partners.

Day 4–7 :- Investigation and Containment
- WHO confirmed attempts by attackers to harvest login credentials using spoofed portals.
- The cyberattack was linked to the DarkHotel APT group, known for espionage campaigns.
- Challenges: Assessing if any credentials had already been compromised. Identifying potential data exposure or internal system access.
- Immediate Response: WHO began working with private security companies (e.g., Group-IB, Recorded Future). Several malicious domains were taken offline. Suspicious login attempts were geo-blocked and flagged.

Day 8–14 :- System Hardening Begins
- IT teams reviewed authentication systems and added multi-factor authentication (MFA) where absent.
- Additional phishing simulations were introduced for employee training.
- Challenges: Coordinating response across multiple global offices and time zones. Implementing cybersecurity upgrades without interrupting ongoing COVID-19 operations.
- Immediate Response: WHO's internal CERT (Computer Emergency Response Team) enforced password resets globally. An incident report was drafted and shared with stakeholders.

Technical Details and Vulnerabilities :-

1. Attack Technique Overview :- The phishing campaign targeting WHO in early 2020 used a combination of social engineering and domain spoofing techniques. The attackers attempted to create deceptively similar domains and login portals to trick WHO employees into entering their credentials, thereby compromising internal systems and gaining access to sensitive pandemic-related information.

2. Technical Mechanisms Used :-
- Spoofed Domain: Domains like who-safety.org were registered to closely imitate WHO’s official sites, tricking users into trusting them.
- Fake Login Pages: Exact replicas of WHO’s internal authentication pages were hosted on the spoofed domains and used to steal credentials.
- Phishing Emails: Customized spear-phishing emails were sent to WHO employees, often containing their names and department details.
- HTTPS Certificates: Fake sites used SSL certificates to appear secure (green padlock), increasing their apparent legitimacy.
- Geolocation Misdirection: Domains and servers were hosted in regions that made traceability harder, using bulletproof hosting services.

3. Vulnerabilities Exploited :-
- Lack of Domain Monitoring: WHO was unaware of the spoofed domain registration until phishing attempts had already started.
- No Multi-Factor Authentication (MFA): Accounts with stolen passwords could be accessed without a second verification step.
- Open-Source Intelligence (OSINT) Exposure: Publicly available information (employee names, roles, contact data) was used to create believable phishing emails.
- Email Filtering Weaknesses: Some phishing emails bypassed WHO’s email security and landed in user inboxes.
- Limited Real-Time Intrusion Detection: Early detection of credential harvesting was delayed, increasing potential exposure time.

4. Potential Exploits (Though Not Confirmed Publicly) :-
- Credential Reuse Attacks: If staff used the same passwords across platforms, attackers could gain access to more than WHO systems.
- Lateral Movement Risk: If credentials were stolen successfully, attackers could move through WHO’s internal network, compromising sensitive pandemic data.
- No Segmentation of Access Rights: Some user accounts had broad access, making them high-value phishing targets.

5. Attribution :- Cybersecurity researchers, including those from Group-IB, linked the attack to DarkHotel APT, a state-sponsored threat group known for:
- High-level espionage
- Exploiting zero-day vulnerabilities
- Targeting government and health organizations in Asia

Week 3–4 (Late March – Early April) :- Full Mitigation and Policy Reform
- WHO confirmed no significant data breach occurred.
- Organizations collaborating with WHO were advised to strengthen their cybersecurity protocols.
- Long-Term Challenges: Preventing future phishing attempts during high-risk periods like pandemics. Restoring confidence among global partners and donors.
- Strategic Measures: Setup of real-time domain monitoring systems. Security awareness integrated into WHO’s digital governance. Collaboration initiated with UN cybersecurity task forces.
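The "Spoofed Domain" mechanism and the "Lack of Domain Monitoring" vulnerability above both come down to one detection problem: noticing a registration like who-safety.org before it is used as a login portal. The following is an added example of the real-time domain monitoring the case study recommends; it is not code from the original case study or from WHO. It triages a feed of newly observed domain names against an organization's brand labels using three signals (homoglyph-normalized equality, a brand label embedded in a hyphenated name, and a one-edit typosquat) plus the lure words attackers attach to a brand. who.int is WHO's real domain; the brand labels, lure-word list, homoglyph table and the sample feed are assumptions constructed for this example.

```python
"""Lookalike-domain monitor (added example; not part of the original case study).

Triages a feed of newly observed domain names against an organization's brand
labels so that spoofed domains such as who-safety.org are flagged before they
can be used as phishing portals. The brand labels, lure words, homoglyph table
and the sample feed are constructed for this example; who.int is WHO's domain.
"""
import re
from typing import List, Tuple

PROTECTED_DOMAINS = ("who.int",)          # domains the organization actually owns
BRAND_LABELS = ("who", "worldhealth")     # assumed brand labels to watch for
LURE_WORDS = {"safety", "login", "secure", "portal", "covid", "covid19",
              "verify", "account", "update", "support"}
# digit/letter substitutions commonly used to imitate a brand label in a hostname
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("vv", "w"), ("rn", "m"))

# Constructed sample feed of "newly registered" names, as a registrar or CT-log
# watcher might deliver them.
SAMPLE_FEED = ["who.int", "who-safety.org", "wh0.int", "who-covid19-portal.com",
               "worldhea1th-login.net", "worldheath.org", "whole-foods.com",
               "safety-portal.org"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard dynamic-programming table (inputs are short)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the TLD (multi-part public suffixes such as co.uk are not handled)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold common homoglyph substitutions back to plain letters."""
    for glyph, plain in HOMOGLYPHS:
        label = label.replace(glyph, plain)
    return label


def score_domain(domain: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); a higher score means a more likely lookalike."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in PROTECTED_DOMAINS):
        return 0, ["organization-owned domain"]
    raw = registrable_label(domain)
    raw_words = [w for w in re.split(r"[-_]+", raw) if w]
    norm = normalize(raw)
    norm_words = [w for w in re.split(r"[-_]+", norm) if w]
    score, reasons = 0, []
    for brand in BRAND_LABELS:
        if norm == brand:
            score += 3
            reasons.append(f"label '{raw}' normalizes to brand label '{brand}'")
        elif brand in norm_words:
            score += 2
            reasons.append(f"label '{raw}' embeds brand label '{brand}'")
        elif len(brand) >= 5 and levenshtein(norm, brand) == 1:
            score += 2
            reasons.append(f"label '{raw}' is one edit away from '{brand}'")
    lures = [w for w in raw_words if w in LURE_WORDS]   # lure words checked on the raw spelling
    if lures:
        score += len(lures)
        reasons.append("lure words: " + ", ".join(lures))
    return score, reasons


def verdict(score: int) -> str:
    return "likely lookalike" if score >= 3 else "review" if score >= 1 else "ok"


def triage(feed: List[str]) -> List[Tuple[str, int, List[str]]]:
    """Score every domain in the feed, most suspicious first."""
    rows = [(d, *score_domain(d)) for d in feed]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED):
        print(f"{domain:28} {score:2} {verdict(score):17} {'; '.join(reasons)}")
```

In a real deployment the feed would come from a certificate-transparency log watcher or a registrar zone-file diff, and anything scoring "likely lookalike" would go straight to a takedown request and an email-gateway blocklist entry. The short brand label "who" is deliberately matched only as a whole hyphen-separated word or an exact normalized label, so whole-foods.com is not flagged; the one-edit typosquat check is restricted to longer labels for the same reason.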

4. Prevention Strategies

To prevent phishing attacks like the one experienced by the World Health Organization (WHO) in 2020, organizations must adopt a multi-layered cybersecurity approach combining technical, human, and strategic measures. One of the most effective technical defenses is implementing multi-factor authentication (MFA), which ensures that even if a password is stolen, unauthorized access is still blocked. In addition, advanced email filtering systems should be deployed to detect and block malicious attachments, spoofed domains, and suspicious links before they reach users. Organizations must also engage in continuous domain monitoring to identify and shut down phishing websites impersonating their brand. From a human perspective, regular cybersecurity awareness training and phishing simulations help employees recognize and report suspicious activity. Adopting a Zero Trust security model, where no device or user is automatically trusted, further minimizes internal risks. Strategically, it is important to enforce role-based access control and conduct frequent security audits to identify vulnerabilities. Lastly, having robust incident response plans and offline data backups ensures the organization can recover quickly with minimal damage if an attack occurs. These prevention strategies, when combined, significantly reduce the likelihood and impact of phishing attacks.
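The email-filtering layer recommended above has to catch exactly the messages described in the case study: a display name claiming WHO on a foreign sender domain, a Reply-To that diverges from From, urgency language, and a link whose visible text shows the real site while the href points at the spoofed portal. The following is an added example of such a heuristic filter, not code from the original case study or from WHO; it uses only Python's standard library. The trusted-domain set, the organization-name hints, the urgency phrases and both sample messages are constructed for this example. Note that it deliberately does not treat HTTPS as a trust signal, since the case study records that the fake sites carried valid certificates.

```python
"""Heuristic phishing triage for inbound mail (added example; not part of the
original case study). Parses a raw message and scores the signals the WHO
campaign relied on: a display name claiming the organization on a foreign
sender domain, a Reply-To that diverges from From, urgency language, and links
whose visible text shows the real site while the href goes elsewhere. The
trusted-domain set and both sample messages are constructed for this example.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"who.int"}                 # assumed: domains the organization sends from
ORG_NAME_HINTS = ("who", "world health")      # words a spoofed display name would carry
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours", "verify your")
DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")

# Constructed sample: display name and link text imitate WHO, everything else does not.
PHISHING_EMAIL = """\
From: "WHO Safety Team" <alerts@who-safety.org>
Reply-To: response@mail-collector.example
To: staff.member@who.int
Subject: URGENT: verify your WHO account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Please
<a href="https://who-safety.org/login">https://who.int/login</a>
immediately to verify your identity.</p></body></html>
"""

# Constructed sample: internal notice whose link text and link target agree.
LEGITIMATE_EMAIL = """\
From: "IT Service Desk" <servicedesk@who.int>
To: staff.member@who.int
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset="utf-8"

<html><body><p>The intranet will be unavailable Saturday 02:00-04:00 UTC.
Details: <a href="https://intranet.who.int/maintenance">intranet.who.int/maintenance</a></p></body></html>
"""


def is_trusted(host: str) -> bool:
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def score_message(raw: str):
    """Return (score, findings) for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, findings = 0, []
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    if not is_trusted(from_domain) and any(h in name.lower() for h in ORG_NAME_HINTS):
        score += 3
        findings.append(f"display name '{name}' claims the organization but sender domain is {from_domain}")
    reply_domain = parseaddr(str(msg["Reply-To"] or ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        score += 2
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        score += min(len(urgent), 3)          # cap so wording alone cannot dominate
        findings.append("urgency language: " + ", ".join(urgent))
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        m = DOMAIN_IN_TEXT.match(shown.lower())
        if m and m.group(1) != real_host:     # visible domain and actual target disagree
            score += 3
            findings.append(f"link text shows {m.group(1)} but points to {real_host}")
        if not is_trusted(real_host):
            score += 1
            findings.append(f"link to external host {real_host}")
    return score, findings


def disposition(score: int) -> str:
    return "quarantine" if score >= 6 else "review" if score >= 3 else "deliver"


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        score, findings = score_message(raw)
        print(f"{label}: score={score} -> {disposition(score)}")
        for f in findings:
            print("  -", f)
```

The weights are illustrative; what matters is that the link-text mismatch and the spoofed display name are scored high enough on their own to reach "review", because those are the two signals a personalized spear-phishing email cannot avoid exhibiting. A gateway would combine this with SPF/DKIM/DMARC results and with the output of the domain-monitoring feed, so that a sender or link host already flagged as a lookalike is quarantined outright.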

5. Conclusion

The phishing attack on the World Health Organization (WHO) during the early stages of the
COVID-19 pandemic in 2020 served as a critical reminder of how vulnerable even the
world’s most trusted institutions can be during times of crisis. Although no major data breach
was officially reported, the sophisticated nature of the attack and its targeting of pandemic-
related information highlighted the increasing use of phishing for cyber espionage and
intelligence gathering. The attackers exploited social engineering, spoofed domains, and gaps
in WHO’s digital defenses, particularly the absence of multi-factor authentication and real-
time domain monitoring. This incident exposed serious cybersecurity challenges, such as
limited global coordination, underprepared staff, and outdated protection protocols. However,
WHO’s quick response—including domain takedown, enhanced email filtering, and
upgraded internal systems—helped mitigate the threat. The case underscores the urgent need
for continuous security awareness, strong technical controls, and a Zero Trust approach
across all organizations, especially those managing critical health or governmental
infrastructure. As phishing attacks become more targeted and sophisticated, proactive
prevention, incident readiness, and human vigilance remain essential pillars of
defense. Prevention, preparedness, and quick response are the pillars of effective phishing
defense. By adopting a proactive and resilient approach to cybersecurity, institutions can
protect their systems, safeguard data, and maintain continuity even in the face of evolving
cyber threats.
