Cyber Incident Victim: PXMart

Date: Sep 2020

Location: Taiwan

Summary

Cybercriminals impersonated medical authorities and exploited COVID-19 themes to conduct social engineering attacks, including cloning a supermarket chain's Facebook page with fraudulent free mask offers to compromise victims. Phishing campaigns impersonated trusted health organizations, distributing malicious email attachments like macro-laden PowerPoint files that established backdoor connections to attackers' servers, while fabricated Zoom meeting notifications created urgency to harvest credentials. These tactics targeted businesses and medical facilities, aiming to disrupt critical systems and spread malware from home networks to enterprise infrastructure. The incidents highlighted risks to remote work environments and attempts to sabotage operations rather than solely stealing data.

Description

In September 2020, Taiwan's Computer Emergency Response Team (TWCERT/CC) reported a cyber incident targeting local supermarket chain PXMart as part of a broader wave of COVID-19-themed attacks. Attackers cloned PXMart's official Facebook fan page and promoted a fraudulent offer for free face masks, leveraging pandemic-related anxieties to increase victim engagement. This social engineering tactic aimed to compromise users who interacted with the fake promotion, though specific technical payloads or attacker objectives beyond "doing something nasty" were not detailed in public disclosures. The incident occurred amid a documented surge in malicious domain registrations and impersonation campaigns against Taiwanese organizations, with threat actors posing as trusted health authorities like the World Health Organization and the U.S. Centers for Disease Control. TWCERT/CC analysts observed that attackers systematically exploited public demand for protective equipment during the pandemic's early stages to enhance phishing success rates.

The PXMart incident coincided with related operations by the Mustang Panda threat group, which in June 2020 impersonated Taiwan's Ministry of Health and Welfare through phishing emails offering medical supplies. These emails contained malicious PowerPoint attachments with macros that established backdoor connections to attacker-controlled servers. Linguistic analysis revealed inconsistencies in the attackers' use of terminology—specifically referencing mainland China's "National Health Commission" while using Taiwan's traditional Chinese characters—providing forensic clues about potential origins. Concurrently, attackers distributed fake Zoom meeting notifications targeting video conferencing users, creating false urgency to harvest credentials. TWCERT/CC director Chih-Hung Lin noted that while medical sector attacks focused on disrupting critical system access rather than data theft, remote work arrangements amplified risks as compromised home networks could propagate malware to corporate infrastructure. The center publicly documented these coordinated tactics to raise awareness but did not disclose specific remediation measures taken by PXMart or victim organizations.
