
Attackers Adapt Techniques to Pandemic Reality

Over the past several months, threat actors have quickly shifted their tactics to take advantage of interest in the coronavirus, two studies find.

Attackers continue to use the theme of the coronavirus pandemic to create more convincing phishing lures and impersonate legitimate domains in an attempt to get past the strained cybersecurity of work-from-home employees, according to two reports released this week.

On average, almost 1,800 malicious or risky domains with coronavirus-related names have been registered every day, according to Palo Alto Networks, a cybersecurity provider. A third of the malicious domains — by far the largest share — targeted the United States, while other countries each accounted for less than 4% of the total.

The coronavirus theme also continued to be used in spam messages. In the first 100 days of the outbreak, the number of spam messages using coronavirus themes increased 26%, and the number of COVID-19-themed impersonation attacks jumped 30%, according to messaging security firm Mimecast. And because a large share of employees are working from home, where cyber defenses may not measure up, attackers are having more success, says Carl Wearn, head of e-crime for Mimecast. The number of URLs that were blocked following a user click rose 56% over the period, he says.

"If you look at the number of blocked URLs, it can only be accounted for by more people working at home," Wearn says. "People who are not used to seeing these types of e-mails and may not have awareness training at all — that increases stress and the chances of human error."

From fake Microsoft Teams e-mails to massive COVID-19-related domain registration, cybercriminals and fraudsters are betting that remote workers will be more likely to click on coronavirus-themed content. In early April, Microsoft noted that attackers were capitalizing on fear of the virus to tempt users into clicking on links and parting with sensitive information, such as login credentials.

"Our inboxes, mobile alerts, TVs, and news updates are all COVID-19, all the time," the company noted. "It's overwhelming and attackers know it. They know many are clicking without looking because stress levels are high and they're taking advantage of that. That's why we're seeing an increase in the success of phishing and social engineering attacks."

At the same time, Microsoft noted that COVID-19-related threats accounted for less than 2% of the total volume of threats the company tracks on a daily basis.

Similarly, Palo Alto Networks' research on coronavirus-related domain names found that about 7% of newly registered domains could be considered risky or malicious. The domain name research used data from threat-intelligence firm RiskIQ, which collected information on newly observed domains created with a list of coronavirus-related keywords, including "coronav," "covid," "ncov," "pandemic," "vaccine," and "virus."
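A minimal version of that keyword-based collection step, written here as an added example rather than RiskIQ's or Palo Alto Networks' actual tooling. Only the keyword list comes from the article; the feed of hostnames is constructed for the example, and the code deliberately shows why a keyword hit is a candidate for review, not a verdict (the research found only about 7% of matches were risky).

```python
from collections import Counter

# Keyword list the article says RiskIQ used to collect newly observed domains.
CORONA_KEYWORDS = ("coronav", "covid", "ncov", "pandemic", "vaccine", "virus")

# Constructed sample of a newly-observed-domain feed, one hostname per line.
# Every name below is made up for this example.
SAMPLE_FEED = """\
Covid-19-Relief-Fund.example
secure-login.vaccine-appointments.example
www.antivirus-vendor.example
ncov-tracker.example
cdn.images.example
pandemic-maps.example.
"""

def normalize(hostname: str) -> str:
    """Lower-case and strip surrounding whitespace and a trailing dot."""
    return hostname.strip().lower().rstrip(".")

def keyword_hits(hostname: str) -> list:
    """Return the keywords (in list order) found anywhere in the hostname.

    Plain substring matching is what makes this a collection step rather
    than a risk verdict: "virus" also matches "antivirus", so a hit only
    nominates the domain for further analysis (reputation, hosting, content).
    """
    h = normalize(hostname)
    return [k for k in CORONA_KEYWORDS if k in h]

def screen_feed(feed: str) -> dict:
    """Map each matching hostname to its keyword hits; non-matches are dropped."""
    results = {}
    for line in feed.splitlines():
        if not line.strip():
            continue
        hits = keyword_hits(line)
        if hits:
            results[normalize(line)] = hits
    return results

def keyword_counts(results: dict) -> Counter:
    """How often each keyword fired across the screened feed."""
    return Counter(k for hits in results.values() for k in hits)

if __name__ == "__main__":
    matched = screen_feed(SAMPLE_FEED)
    for host, hits in matched.items():
        print(f"{host}: {', '.join(hits)}")
    print(keyword_counts(matched))
```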

Palo Alto Networks used a dataset of 1.2 million domains registered in the seven weeks between March 9 and April 19. The cybersecurity firm identified some 86,600 domains that its toolset considered risky. Nearly 80% of the domains hosted malware distribution servers, another 20% were used for phishing, and the remaining sliver, 0.2%, were command-and-control servers, Palo Alto Networks stated in its report.

"With COVID-19 driving a surge in cloud adoption, we see not only attacks targeting the cloud users but also threats originating from the cloud," the report stated, adding that "[t]hreats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack."

Hosted on AWS 

Amazon Web Services hosted an outsized share of the malicious and suspicious domains. While the provider hosted about 70% of all newly registered coronavirus-related domains, it hosted nearly 80% of the malicious or risky domains.

In its 100 Days of Coronavirus report, Mimecast found that total detections, spam volume, and impersonation attacks all increased between the end of December and the end of March. Malware is the only attack type that Mimecast found had not increased over the period.

Moreover, in the latter half of March and early April, the number of times users clicked on URLs in e-mail messages — and were blocked — rose significantly. Training remote workers should be a priority for companies, Mimecast's Wearn says.

"Cyber hygiene and awareness of the threats are going to be the key things that get people through this period," he says. "People need to be reminded about it."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...