
Attacks/Breaches | Products and Releases
5/13/2020 11:30 AM
Dark Reading

Coronavirus-Related Cyber Attacks Jump 30%

Check Point researchers document 192,000 coronavirus-related cyber attacks a week, citing impersonations of the WHO, the UN, and Zoom.

In the past two weeks, Check Point researchers documented 192,000 coronavirus-related cyber attacks a week, a 30% increase compared with previous weeks. As the researchers unpack that number, they cite one key observation: impersonation.

Hackers Impersonate WHO and UN

The World Health Organization (WHO) is a popular name for hackers to impersonate. Recently, cyber criminals sent malicious emails posing as the WHO from the domain “who.int” with the subject “Urgent letter from WHO: First human COVID-19 vaccine test/result update” to lure victims into a trap. The emails carried a file named “xerox_scan_covid-19_urgent information letter.xlxs.exe” containing the infamous Agent Tesla malware, a password-stealing program with a built-in keylogger that lets hackers gather usernames and passwords from a victim’s device. Victims who clicked on the file ended up installing the malware.

In addition, Check Point researchers found two examples of extortion emails purportedly sent by the United Nations (UN) and the WHO that demanded funds be sent to bitcoin wallets.

Zoom-like Domain Registrations Heighten

In the last three weeks, around 2,449 new Zoom-related domains were registered, of which 1.5% (32) are malicious and 13% (320) are suspicious. From January 2020 to date, a total of 6,576 Zoom-like domains have been registered globally. Put another way, nearly 37% of all Zoom-related domains were registered in the last three weeks alone, since the advent of the coronavirus pandemic.

Hackers Impersonate Microsoft Teams and Google Meet

Both Microsoft Teams and Google Meet are also being used to lure people into traps. Recently, victims fell prey to phishing emails with the subject “You have been added to a team in Microsoft Teams”. The emails contained a malicious URL, http://login\.microsoftonline.com-common-oauth2-eezylnrb\.medyacam\.com/common/oauth2/, and victims ended up downloading malware when they clicked the “Open Microsoft Teams” icon that led to it. The actual link for Microsoft Teams is “https://teams.microsoft.com/l/team”.

Researchers also found fake Google Meet domains such as “Googelmeets\.com”, first registered on April 27, 2020. The link did not lead victims to an actual Google website.
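Both URLs above fail the same checks a defender can automate: the registrable domain is compared against the brand's real domains, and a brand name is looked for either buried in the subdomains of someone else's domain (the Teams phish) or misspelled in the second-level label (Googelmeets). The following is an added example, not Check Point's or Dark Reading's code; the allowlist of legitimate domains, the one-edit threshold and the two-label registrable-domain rule are simplifying assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: brands the article says were
# impersonated, mapped to the registrable domains they legitimately use.
LEGIT_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "google": {"google.com"},
    "zoom": {"zoom.us"},
}

def refang(url: str) -> str:
    """Undo report defanging ('\\.' or '[.]') and add a scheme for urlsplit()."""
    url = url.replace("\\.", ".").replace("[.]", ".")
    return url if "://" in url else "http://" + url

def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: production code should use
    the Public Suffix List so that multi-label suffixes like co.uk work."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def osa_distance(a: str, b: str) -> int:
    """Levenshtein distance plus adjacent transposition, so the swapped
    letters in 'googel' vs 'google' cost 1 edit rather than 2."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def fuzzy_contains(label: str, brand: str) -> bool:
    """True if some window of the label is within one edit of the brand. Names
    shorter than 5 chars (e.g. 'zoom') are skipped: too many false hits."""
    n = len(brand)
    return n >= 5 and any(osa_distance(label[i:i + n], brand) <= 1 for i in range(len(label) - n + 1))

def classify(url: str) -> str:
    host = (urlsplit(refang(url)).hostname or "").lower()
    reg = registrable_domain(host)
    if any(reg in legit for legit in LEGIT_DOMAINS.values()):
        return "legitimate"
    for brand in LEGIT_DOMAINS:
        if brand in host:  # brand buried in subdomains of someone else's domain
            return f"lookalike: '{brand}' in host, registrable domain is {reg}"
        if fuzzy_contains(reg.split(".")[0], brand):
            return f"typosquat: '{reg}' is one edit away from '{brand}'"
    return "no brand reference"
```

Running `classify()` over the two URLs quoted in the article flags the Teams link as a lookalike of medyacam.com and Googelmeets as a typosquat, while the genuine teams.microsoft.com link passes.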

Coronavirus-related Domain Registrations Heighten

In the past three weeks, almost 20,000 (19,749) new coronavirus-related domains were registered, of which 2% (354) are malicious and another 15% (2,961) are deemed suspicious.

Since the beginning of the outbreak, a total of 90,284 new coronavirus-related domains have been registered globally.

The Themes and Trends of Coronavirus-related Domain Registrations

As researchers analyzed the new coronavirus-related domains registered, they observed that the domains reflected the chronology of different stages of the pandemic outbreak.

  1. At the beginning of the outbreak, domains related to live maps (tracking geographic areas that saw a rise in coronavirus cases) were very common, as well as domains related to coronavirus symptoms.
  2. Towards the end of March, the focus shifted to relief packages and stimulus payments due to the economic plans executed by several countries.
  3. Then, domains related to life after the coronavirus became more common, as well as domains about a possible second wave of the virus.
  4. Across the entire pandemic timeframe, domains related to test kits and vaccines have remained very common, with slight increases as time goes on.

Omer Dembinsky, Check Point’s Manager of Data Research, said:

“We’ve noticed a change in the last three weeks. Hackers have gone into overdrive to take advantage of the coronavirus pandemic. If you unpack these latest cyber attacks, the theme of impersonation is a clear and strong one, especially around the WHO, the UN and Zoom. For example, the number of Zoom-like domain registrations in the past three weeks alone is staggering. More than ever, it is important to beware of lookalike domains and to be extra cautious of unknown senders.”

How to Stay Protected

To stay safe, Check Point outlines the following guidelines:

  1. Beware of lookalike domains. Watch for spelling errors in emails or websites, and unfamiliar email senders.
  2. Beware of unknown senders. Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
  3. Use authentic sources. Ensure you are ordering goods from an authentic source. One way to do this is to NOT click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
  4. Beware of “special” offers. “An exclusive cure for coronavirus for $150” is usually not a reliable or trustworthy purchase opportunity. At this point in time there is no cure for the coronavirus, and even if there were, it definitely would not be offered to you via an email.
  5. Do not reuse passwords. Make sure you do not reuse passwords between different applications and accounts.