
Attackers Adapt Techniques to Pandemic Reality

Over the past several months, threat actors have quickly shifted their tactics to take advantage of interest in the coronavirus, two studies find.

Attackers continue to use the theme of the coronavirus pandemic to create more convincing phishing lures and impersonate legitimate domains in an attempt to get past the strained cybersecurity of work-from-home employees, according to two reports released this week.

On average, almost 1,800 malicious or risky domains with coronavirus-related names have been registered every day, according to Palo Alto Networks, a cybersecurity provider. A third of the malicious domains — by far the largest share — targeted the United States, while other countries each accounted for less than 4% of the total.

The coronavirus theme also continued to be used in spam messages. In the first 100 days of the outbreak, the number of spam messages using coronavirus themes increased 26%, and the number of COVID-19-themed impersonation attacks jumped 30%, according to messaging security firm Mimecast. And because a large share of employees are working from home, where cyber defenses may not measure up, attackers are having more success, says Carl Wearn, head of e-crime for Mimecast. The number of URLs that were blocked following a user click rose 56% over the period, he says.

"If you look at the number of blocked URLs, it can only be accounted for by more people working at home," Wearn says. "People who are not used to seeing these types of e-mails and may not have awareness training at all — that increases stress and the chances of human error."

From fake Microsoft Teams e-mails to massive COVID-19-related domain registration, cybercriminals and fraudsters are betting that remote workers will be more likely to click on coronavirus-themed content. In early April, Microsoft noted that attackers were capitalizing on fear of the virus to tempt users into clicking on links and parting with sensitive information, such as login credentials.

"Our inboxes, mobile alerts, TVs, and news updates are all COVID-19, all the time," the company noted. "It's overwhelming and attackers know it. They know many are clicking without looking because stress levels are high and they're taking advantage of that. That's why we're seeing an increase in the success of phishing and social engineering attacks."

At the same time, Microsoft noted that COVID-19-related threats accounted for less than 2% of the total volume of threats the company tracks on a daily basis.

Similarly, Palo Alto Networks' research on coronavirus-related domain names found that about 7% of newly registered domains could be considered risky or malicious. The domain name research used data from threat-intelligence firm RiskIQ, which collected information on newly observed domains created with a list of coronavirus-related keywords, including "coronav," "covid," "ncov," "pandemic," "vaccine," and "virus."

Palo Alto Networks used a dataset of 1.2 million domains registered in the seven weeks between March 9 and April 19. The cybersecurity firm identified some 86,600 domains that its toolset considered risky. Nearly 80% of those domains hosted malware distribution servers, another 20% were used for phishing, and the remaining sliver, 0.2%, were command-and-control servers, Palo Alto Networks stated in its report.
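As an added example (not code from Palo Alto Networks, RiskIQ, or Mimecast), the keyword filter described above applied to a constructed feed of newly observed domains, with the per-verdict and per-hosting-provider tallies the report breaks out; the feed format, provider names, and verdict labels are assumptions.

```python
"""Keyword-based triage of newly observed domains, in the spirit of the
RiskIQ / Palo Alto Networks methodology described in the article.
Added example with constructed input; not either company's code."""
from collections import Counter

# Keyword list quoted in the article; matching is case-insensitive substring.
COVID_KEYWORDS = ("coronav", "covid", "ncov", "pandemic", "vaccine", "virus")

# Constructed sample feed (assumed format): domain, hosting provider, verdict.
SAMPLE_FEED = """\
covid19-relief-portal.example,gcp,malware
Coronav1rus-update.example,aws,phishing
ncov-tracker.example,gcp,benign
pandemic-supplies.example,azure,benign
free-vaccine-signup.example,aws,phishing
weather-news.example,aws,benign
xn--cvid-8qa.example,gcp,malware
antivirus-deals.example,aws,benign
"""

def matches_covid_theme(domain):
    """Return the first matching keyword, or None. Lowercased so mixed-case
    registrations are caught. Two known limits of plain substring matching:
    'antivirus-deals' is a false positive (contains 'virus'), and the
    punycode label 'xn--cvid-8qa' is a miss; a production filter would decode
    IDNs and check for homoglyphs before matching."""
    d = domain.lower()
    for kw in COVID_KEYWORDS:
        if kw in d:
            return kw
    return None

def parse_feed(text):
    """Split the CSV-style feed into (domain, host, verdict) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        domain, host, verdict = (f.strip() for f in line.split(","))
        rows.append((domain, host, verdict))
    return rows

def triage(feed_text):
    """Keep only keyword-matching domains, then tally verdicts and, for the
    non-benign ones, hosting providers (the shares the report compares)."""
    hits = [r for r in parse_feed(feed_text) if matches_covid_theme(r[0])]
    by_verdict = Counter(v for _, _, v in hits)
    risky_by_host = Counter(h for _, h, v in hits if v != "benign")
    return {"matched": len(hits), "by_verdict": dict(by_verdict),
            "risky_by_host": dict(risky_by_host)}

if __name__ == "__main__":
    print(triage(SAMPLE_FEED))
```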

"With COVID-19 driving a surge in cloud adoption, we see not only attacks targeting the cloud users but also threats originating from the cloud," the report stated, adding that "[t]hreats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack."

Hosted on AWS 

Amazon Web Services hosted an outsized share of the malicious and suspicious domains. While the provider hosted about 70% of all newly registered coronavirus-related domains, it hosted nearly 80% of the malicious or risky domains.

In its 100 Days of Coronavirus report, Mimecast found that total detections, spam volume, and impersonation attacks all increased between the end of December and the end of March. Malware was the only attack type that Mimecast found had not increased over the period.

Moreover, in the latter half of March and early April, the number of times users clicked on URLs in e-mail messages — and were blocked — rose significantly. Training remote workers should be a priority for companies, Mimecast's Wearn says.

"Cyber hygiene and awareness of the threats are going to be the key things that get people through this period," he says. "People need to be reminded about it."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...