"COVID-19 Pandemic Relief Efforts Update" "COVID cleaning services" "Keeping Schools Safe from COVID-19 & Hazardous Disinfectants" "COVID lawsuits: Are you ready?"

While the COVID-19 pandemic is still part of nearly every conversation and every headline, email subject headings like those above might not raise alarm bells for the average recipient. In fact, even security defenses may struggle to recognize them as malicious. Nevertheless, they are a subset of phishing lures that researchers have dubbed "fearware," which arose at the beginning of the pandemic and continue to proliferate with the same nagging persistence as the virus.

"It might not be in your face, like, 'You have to click this or you get COVID!'" says Darktrace director of threat hunting Max Heinemeyer. However, the underlying theme, he says, is always fear.

That fear comes mixed in with some of social engineers' tried-and-tested go-to click inducers: a pinch of curiosity and a dash of urgency. "Click this to see how many people in your neighborhood are infected now," for example, Heinemeyer says. Or, "What does the new guidance mean for your child?"

COVID fearware techniques and perpetrators have varied widely, says Heinemeyer.

Phishing sites claimed to sell discounted personal protective equipment. Watering hole attacks targeted iOS users in Hong Kong with poisoned local news links. Widespread impersonation attacks purported to come from official sources like the World Health Organization. The Federal Communications Commission warned of phishing, SMiShing, and vishing campaigns around the availability of COVID-19 testing kits. The Department of Homeland Security issued a warning about a phishing attack that used the Small Business Association’s COVID-19 loan-relief program as bait, and used a spoofed version of the SBA’s loan-relief page to steal credentials.

But "The thing about fearware is that there's so much of it and every email is novel and bespoke," Heinemeyer says.

Danger in Numbers
As lockdown efforts began to hit the United Kingdom in mid-March, Darktrace detected that 18 percent of malicious emails were related to the pandemic or remote work; one week later, that number had jumped to 48 percent. Within six weeks it had risen above 6 in 10. In April, Google reported that nearly one-fifth of all phishing messages directed at Gmail users were related to the pandemic.

Some security researchers have said the huge spike in messages is not so much from phishing as it is from simple spam. But the volume of messages is, itself, threatening, Heinemeyer says.

"There [have been] so many novel campaigns," he explains. "There was so much it almost seemed like email defenses were overwhelmed."

Heinemeyer admits he’s biased -- because Darktrace is a company that is focused on detecting new, novel threats -- but he says that fearware has highlighted the security industry’s overreliance on historical threat data to battle current threats.

History doesn't repeat itself

Some email security tools claim to use machine learning, but there is a distinction between supervised ML and unsupervised ML.

Supervised ML trains on datasets of known spam, known fraud and the like, to predict what new, novel messages should also be characterized as malicious; but Heinemeyer argues that this is still fundamentally based in the past. Unsupervised ML (used by Darktrace) learns and re-learns about the individual environment from the bottom-up, then searches for anomalies.

Regardless of what defense you choose, the responsibility for fighting fearware or other attacks, says Heinemeyer, should not get foisted onto the end-user.

"I hate when the pressure is pushed on from vendors and technology to people," he says. "I love the idea of people being security-aware and not clicking phishing links. But come on. It hasn’t worked in like 30 years. And it shouldn't be the job of a mom-and-pop shop to be security-aware. They just want to do business."