Attackers Adapt Techniques to Pandemic Reality
Over the past several months, threat actors have quickly shifted their tactics to take advantage of interest in the coronavirus, two studies find.
May 5, 2020
Attackers continue to use the theme of the coronavirus pandemic to create more convincing phishing lures and impersonate legitimate domains in an attempt to get past the strained cybersecurity of work-from-home employees, according to two reports released this week.
On average, almost 1,800 malicious or risky domains with coronavirus-related names have been registered every day, according to Palo Alto Networks, a cybersecurity provider. A third of the malicious domains — by far the largest share — targeted the United States, while other countries each accounted for less than 4% of the total.
The coronavirus theme also continued to be used in spam messages. In the first 100 days of the outbreak, the number of spam messages using coronavirus themes increased 26%, and the number of COVID-19-themed impersonation attacks jumped 30%, according to messaging security firm Mimecast. And because a large share of employees are working from home, where cyber defenses may not measure up, attackers are having more success, says Carl Wearn, head of e-crime for Mimecast. The number of URLs that were blocked following a user click rose 56% over the period, he says.
"If you look at the number of blocked URLs, it can only be accounted for by more people working at home," Wearn says. "People who are not used to seeing these types of e-mails and may not have awareness training at all — that increases stress and the chances of human error."
From fake Microsoft Teams e-mails to massive COVID-19-related domain registration, cybercriminals and fraudsters are betting that remote workers will be more likely to click on coronavirus-themed content. In early April, Microsoft noted the attackers were capitalizing on the fear of the virus to tempt users into clicking on links and parting with sensitive information, such as login credentials.
"Our inboxes, mobile alerts, TVs, and news updates are all COVID-19, all the time," the company noted. "It's overwhelming and attackers know it. They know many are clicking without looking because stress levels are high and they’re taking advantage of that. That's why we're seeing an increase in the success of phishing and social engineering attacks."
At the same time, Microsoft noted that COVID-19-related threats only accounted for less than 2% of the total volume of threats the company tracks on a daily basis.
Similarly, Palo Alto Networks' research on coronavirus-related domain names found that about 7% of newly registered domains could be considered risky or malicious. The domain name research used data from threat-intelligence firm RiskIQ, which collected information on newly observed domains created with a list of coronavirus-related keywords, including "coronav," "covid," "ncov," "pandemic," "vaccine," and "virus."
Palo Alto Networks used a dataset of 1.2 million domains registered in the seven weeks between March 9 to April 19 — 1.2 million domains in total. The cybersecurity firm identified some 86,600 domains that its toolset considered risky. Nearly 80% of the domains hosted malware distribution servers, another 20% were used for phishing, and the remaining sliver, 0.2%, were command-and-control servers, Palo Alto Networks stated in its report.
"With COVID-19 driving a surge in cloud adoption, we see not only attacks targeting the cloud users but also threats originating from the cloud," the report stated, adding that "[t]hreats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack."
Hosted on AWS
Amazon Web Services hosted an outsized share of the malicious and suspicious domains. While the provider hosted about 70% of all newly registered coronavirus-related domains, it hosted nearly 80% of the malicious or risky domains.
In its 100 Days of Coronavirus report, Mimecast found that total detection, spam volume, and impersonation all increased between the end of December and the end of March. Malware is the only attack type that Mimecast found had not increased over the time period.
Moreover, in the latter half of March and early April, the number of times users clicked on URLs in e-mail messages — and were blocked — rose significantly. Training remote workers should be a priority for companies, Mimecast's Wearn says.
"Cyber hygiene and the awareness of the threats is going to be the key things that gets people through this period," he says. "People need to be reminded about it."
Related Content
Check out this listing of free security products and services compiled for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19.
About the Author
You May Also Like