Researchers at Israeli cybersecurity firm Check Point Software Technologies Ltd. say they have seen a 30 percent jump in coronavirus-related cyber-attacks in the past three weeks, with 192,000 such attacks per week globally.
These attacks involved fake websites with “corona” or “COVID” in their domain name, files with “corona” related names, or emails with coronavirus-related subject lines.
Among the attacks were phishing campaigns by hackers impersonating well-known organizations and companies such as the World Health Organization (WHO), Zoom, Microsoft or Google in a bid to steal information, the researchers said. Phishing is a fraudulent attempt to get sensitive information, such as usernames, passwords or credit card details, by hackers disguising themselves as trustworthy entities who send emails or instant messages to users.
As the coronavirus pandemic has isolated people at home and spurred digital work and communication, this year “has been an unprecedented opportunity for cyber-criminals,” the researchers said in a statement, adding that lockdowns have “supercharged” the use of phishing emails and fake websites.
Both Interpol and Europol have warned of huge spikes in COVID-19 fraud. In mid-April, Google reported that it saw more than 18 million daily malware and phishing emails related to COVID-19 scams sent via Gmail alone, in addition to the 240 million daily COVID-19 related spam messages.
Verizon’s 2019 Data Breach Investigations Report showed that 32% of corporate data breaches started with a phishing email. Phishing was present in 78% of cyber-espionage incidents.
The Check Point researchers found, for example, that cyber criminals recently sent malicious emails posing as the WHO, from the domain who.int. To lure victims, the email subject was “Urgent Letter from WHO: First human COVID-19 vaccine test/result update,” and it contained a file with malware. Victims who clicked on the file ended up downloading the malware, the researchers said.
The researchers also found two examples of emails supposedly sent by the United Nations and WHO asking for donations or funds to help fight the virus. The emails asked that the money be sent to several known compromised bitcoin wallets, the researchers said. People could make donations by clicking on a link and providing their credit card details and the amount they want to donate. The money would then be transferred to the bitcoin wallet, with banks unable to trace it.
“Donations support our work to ensure patients get the care they need and front-line workers get essential supplies,” the email from the fake WHO said.
“We will greatly appreciate your donation through the bitcoin wallet,” the letter from the fake UN said, giving the wallet address to which to donate. “Any amount donate, from a little as one dollar will go a long way to save lives.”
In the last three weeks, the researchers continued to see cyber criminals using fake Zoom domains for their phishing activity. In that time period, 2,449 new Zoom-related domains were registered, the researchers said. All of these domains were fake, leveraging the Zoom brand name to get users’ attention. Of these, 1.5% were found to be malicious websites (32), while 13% of them, or 320, were suspect though not yet proven malicious, the researchers said. Since January 2020, a total of 6,576 Zoom-related domains have been registered globally.
Zoom isn’t the only platform cyber criminals are utilizing. Microsoft Teams and Google Meet — communication and collaboration platforms set up by the tech giants that combine workplace chat, video meetings and file storage — have also been used to lure victims.
Recently, victims fell prey to phishing emails that came with the subject “You have been added to a team in Microsoft Teams.” The emails contained a malicious URL, and victims ended up downloading malware when they clicked on the “Open Microsoft Teams” icon. A fake Google Meet domain, first registered on April 27, didn’t lead victims to an actual Google website, the researchers said.
The researchers said users must protect themselves by being suspicious of any email or communication from a familiar brand or organization that asks them to click on a link or open an attached document, no matter how official it appears to be. “A legitimate email should never ask you to take these actions,” they said.
Users should also beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders; they should be cautious of files received via email from unknown senders, especially if they prompt a certain action one wouldn’t usually do. Users should also make sure they are ordering goods online from an authentic source. One way to do this is to not click on promotional links in emails, but instead Google the desired retailer and click on the link from the Google results page.
Users should also be wary of “special offers,” like a $150 cure for the coronavirus, and they should make sure they do not reuse passwords on different applications and accounts.
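The lookalike-domain pattern described above (brand names or “corona”/“COVID” keywords in newly registered domains) can be triaged automatically on the defender side. The following Python is an added example, not code from Check Point or the original article; the brand allow-list, the character-folding table and the sample domains are constructed assumptions.

```python
# Added example: defender-side triage of newly registered domains.
# Allow-list, fold table and sample domains are constructed assumptions.
BRANDS = {  # brand keyword -> legitimate registrable domains (assumed)
    "zoom": {"zoom.us"},
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
}
TOPICS = ("corona", "covid")
LEGIT = set().union(*BRANDS.values())
FOLD = str.maketrans("0135", "oles")  # common digit-for-letter swaps

def registrable(domain):
    # Naive: last two labels. Production code should use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def edit_distance(a, b):
    # Classic Levenshtein distance, row by row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    d = domain.lower().rstrip(".")
    if registrable(d) in LEGIT:          # real brand domain or its subdomain
        return "legitimate"
    folded = d.translate(FOLD)           # z00m -> zoom, micros0ft -> microsoft
    for brand in BRANDS:                 # brand name used anywhere in the name
        if brand in folded:
            return f"brand-keyword:{brand}"
    sld = registrable(folded).split(".")[0]
    for brand in BRANDS:                 # one-character misspelling of a brand
        if edit_distance(sld, brand) == 1:
            return f"typosquat:{brand}"
    for topic in TOPICS:                 # pandemic-themed name
        if topic in folded:
            return f"topic-keyword:{topic}"
    return None

def triage(domains):
    return {d: v for d in domains if (v := classify(d)) not in (None, "legitimate")}

SAMPLE = ["us02web.zoom.us", "zoom.us.login-portal.com", "z00m-video.net",
          "zooom.us", "covid19-relief.org", "example.org"]  # constructed
if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{verdict:24} {name}")
```

A keyword or typosquat hit is a lead for review rather than a verdict: in the figures above, only 1.5% of the new Zoom-related domains were confirmed malicious.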