Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Attackers Adapt Techniques to Pandemic Reality

Over the past several months, threat actors have quickly shifted their tactics to take advantage of interest in the coronavirus, two studies find.

Attackers continue to use the theme of the coronavirus pandemic to create more convincing phishing lures and impersonate legitimate domains in an attempt to get past the strained cybersecurity of work-from-home employees, according to two reports released this week.

On average, almost 1,800 malicious or risky domains with coronavirus-related names have been registered every day, according to Palo Alto Networks, a cybersecurity provider. A third of the malicious domains — by far the largest share — targeted the United States, while other countries each accounted for less than 4% of the total.

The coronavirus theme also continued to be used in spam messages. In the first 100 days of the outbreak, the number of spam messages using coronavirus themes increased 26%, and the number of COVID-19-themed impersonation attacks jumped 30%, according to messaging security firm Mimecast. And because a large share of employees are working from home, where cyber defenses may not measure up, attackers are having more success, says Carl Wearn, head of e-crime for Mimecast. The number of URLs that were blocked following a user click rose 56% over the period, he says.

"If you look at the number of blocked URLs, it can only be accounted for by more people working at home," Wearn says. "People who are not used to seeing these types of e-mails and may not have awareness training at all — that increases stress and the chances of human error."

From fake Microsoft Teams e-mails to massive COVID-19-related domain registration, cybercriminals and fraudsters are betting that remote workers will be more likely to click on coronavirus-themed content. In early April, Microsoft noted the attackers were capitalizing on the fear of the virus to tempt users into clicking on links and parting with sensitive information, such as login credentials.  

"Our inboxes, mobile alerts, TVs, and news updates are all COVID-19, all the time," the company noted. "It's overwhelming and attackers know it. They know many are clicking without looking because stress levels are high and they’re taking advantage of that. That's why we're seeing an increase in the success of phishing and social engineering attacks."

At the same time, Microsoft noted that COVID-19-related threats only accounted for less than 2% of the total volume of threats the company tracks on a daily basis.

Similarly, Palo Alto Networks' research on coronavirus-related domain names found that about 7% of newly registered domains could be considered risky or malicious. The domain name research used data from threat-intelligence firm RiskIQ, which collected information on newly observed domains created with a list of coronavirus-related keywords, including "coronav," "covid," "ncov," "pandemic," "vaccine," and "virus."

Palo Alto Networks used a dataset of 1.2 million domains registered in the seven weeks between March 9 to April 19 — 1.2 million domains in total. The cybersecurity firm identified some 86,600 domains that its toolset considered risky. Nearly 80% of the domains hosted malware distribution servers, another 20% were used for phishing, and the remaining sliver, 0.2%, were command-and-control servers, Palo Alto Networks stated in its report.

"With COVID-19 driving a surge in cloud adoption, we see not only attacks targeting the cloud users but also threats originating from the cloud," the report stated, adding that "[t]hreats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack."

Hosted on AWS 

Amazon Web Services hosted an outsized share of the malicious and suspicious domains. While the provider hosted about 70% of all newly registered coronavirus-related domains, it hosted nearly 80% of the malicious or risky domains.

In its 100 Days of Coronavirus report, Mimecast found that total detection, spam volume, and impersonation all increased between the end of December and the end of March. Malware is the only attack type that Mimecast found had not increased over the time period.

Moreover, in the latter half of March and early April, the number of times users clicked on URLs in e-mail messages — and were blocked — rose significantly. Training remote workers should be a priority for companies, Mimecast's Wearn says.

"Cyber hygiene and the awareness of the threats is going to be the key things that gets people through this period," he says. "People need to be reminded about it."

Related Content

 

Check out this listing of free security products and services compiled for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-20001
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
CVE-2020-36317
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
CVE-2020-36318
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
CVE-2021-28875
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
CVE-2021-28876
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...