Attackers Adapt Techniques to Pandemic Reality

Over the past several months, threat actors have quickly shifted their tactics to take advantage of interest in the coronavirus, two studies find.

Attackers continue to use the theme of the coronavirus pandemic to create more convincing phishing lures and impersonate legitimate domains in an attempt to get past the strained cybersecurity of work-from-home employees, according to two reports released this week.

On average, almost 1,800 malicious or risky domains with coronavirus-related names have been registered every day, according to Palo Alto Networks, a cybersecurity provider. A third of the malicious domains — by far the largest share — targeted the United States, while other countries each accounted for less than 4% of the total.

The coronavirus theme also continued to be used in spam messages. In the first 100 days of the outbreak, the number of spam messages using coronavirus themes increased 26%, and the number of COVID-19-themed impersonation attacks jumped 30%, according to messaging security firm Mimecast. And because a large share of employees are working from home, where cyber defenses may not measure up, attackers are having more success, says Carl Wearn, head of e-crime for Mimecast. The number of URLs that were blocked following a user click rose 56% over the period, he says.

"If you look at the number of blocked URLs, it can only be accounted for by more people working at home," Wearn says. "People who are not used to seeing these types of e-mails and may not have awareness training at all — that increases stress and the chances of human error."

From fake Microsoft Teams e-mails to massive COVID-19-related domain registration, cybercriminals and fraudsters are betting that remote workers will be more likely to click on coronavirus-themed content. In early April, Microsoft noted that attackers were capitalizing on fear of the virus to tempt users into clicking links and giving up sensitive information, such as login credentials.

"Our inboxes, mobile alerts, TVs, and news updates are all COVID-19, all the time," the company noted. "It's overwhelming and attackers know it. They know many are clicking without looking because stress levels are high and they’re taking advantage of that. That's why we're seeing an increase in the success of phishing and social engineering attacks."

At the same time, Microsoft noted that COVID-19-related threats accounted for less than 2% of the total volume of threats the company tracks daily.

Similarly, Palo Alto Networks' research on coronavirus-related domain names found that about 7% of newly registered domains could be considered risky or malicious. The domain name research used data from threat-intelligence firm RiskIQ, which collected information on newly observed domains created with a list of coronavirus-related keywords, including "coronav," "covid," "ncov," "pandemic," "vaccine," and "virus."
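The keyword-based collection described above can be turned around into a defender's triage filter over a newly observed domains (NOD) feed. The following is an added example, not RiskIQ's or Palo Alto Networks' code: the feed lines are constructed for illustration, and the keyword list is the one quoted in the article.

```python
from collections import Counter

# Keyword list as quoted in the article (RiskIQ's coronavirus-related terms)
COVID_KEYWORDS = ("coronav", "covid", "ncov", "pandemic", "vaccine", "virus")

# Constructed sample NOD feed, one "<date> <domain>" per line. Made-up names,
# not domains from the report.
SAMPLE_NOD_FEED = """\
2020-03-12 covid19-relief-fund.com
2020-03-12 MyStore.example
2020-03-13 coronavirus-map-live.net
2020-03-13 ncov-tracker.org
2020-03-14 free-vaccine-signup.co
2020-03-15 antivirus-deals.shop
2020-03-15 pandemic.news.
"""

def normalize(domain):
    """Lower-case the name and drop whitespace and a trailing root dot."""
    return domain.strip().rstrip(".").lower()

def matched_keywords(domain):
    """Return the tuple of keywords found left of the TLD (the TLD itself is ignored)."""
    labels = normalize(domain).split(".")
    name_part = ".".join(labels[:-1])
    return tuple(kw for kw in COVID_KEYWORDS if kw in name_part)

def triage_feed(feed_text):
    """Parse the feed; return (date, normalized_domain, keywords) per keyword hit."""
    flagged = []
    for line in feed_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank and comment lines
        date, domain = line.split()
        keywords = matched_keywords(domain)
        if keywords:
            flagged.append((date, normalize(domain), keywords))
    return flagged

def keyword_counts(flagged):
    """Count how often each keyword occurs across the flagged domains."""
    counts = Counter()
    for _, _, keywords in flagged:
        counts.update(keywords)
    return counts

if __name__ == "__main__":
    hits = triage_feed(SAMPLE_NOD_FEED)
    for date, domain, keywords in hits:
        print(f"{date} {domain:28} {','.join(keywords)}")
    print("keyword totals:", dict(keyword_counts(hits)))
```

A keyword hit is a watchlist entry, not a verdict: the broad "virus" term also catches names like the constructed antivirus-deals.shop, which is consistent with the article's finding that only about 7% of keyword-matched registrations were judged risky or malicious.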

Palo Alto Networks used a dataset of 1.2 million domains registered in the seven weeks between March 9 and April 19. The cybersecurity firm identified some 86,600 of those domains that its toolset considered risky. Nearly 80% of the risky domains hosted malware distribution servers, another 20% were used for phishing, and the remaining sliver, 0.2%, were command-and-control servers, Palo Alto Networks stated in its report.

"With COVID-19 driving a surge in cloud adoption, we see not only attacks targeting the cloud users but also threats originating from the cloud," the report stated, adding that "[t]hreats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack."

Hosted on AWS 

Amazon Web Services hosted an outsized share of the malicious and suspicious domains. While the provider hosted about 70% of all newly registered coronavirus-related domains, it hosted nearly 80% of the malicious or risky domains.

In its 100 Days of Coronavirus report, Mimecast found that total detections, spam volume, and impersonation attacks all increased between the end of December and the end of March. Malware was the only attack type that Mimecast found had not increased over the period.

Moreover, in the latter half of March and early April, the number of times users clicked on URLs in e-mail messages — and were blocked — rose significantly. Training remote workers should be a priority for companies, Mimecast's Wearn says.

"Cyber hygiene and the awareness of the threats is going to be the key things that gets people through this period," he says. "People need to be reminded about it."
