As the world continues to shelter in place while reacting to the coronavirus, also known as COVID-19, it appears that hackers with nefarious intentions have taken a drastically different approach during these difficult times. Instead of dormancy, hacker groups are doing the opposite by rapidly increasing activity and tailoring attacks to capitalize on the fear with COVID-19 themed campaigns.
This is common when disasters happen: attackers often shift tactics and techniques quickly to take advantage of the affected population, relying on the target audience’s fear, uncertainty, and doubt to increase the effectiveness of exploitation.
Over the past few days, registrations of COVID-19 themed web domains have spiked, likely for nefarious activities. A list of recently registered domains can be found here, and a small sample is included below.
Although the exact intention is unknown, it is likely that the domains are quickly registered for nefarious activity. The activity could range from disinformation campaigns and deceptive benefit information to domain squatting, in which an individual registers a domain in the hope that it will be in demand at a later date and drastically increase in value. Often hackers will quickly set up these domains for a specific campaign and then abandon or shut down the domain once it has been identified as malicious.
Attackers have already incorporated the societal impacts into malicious email campaigns, tailoring messages to provide unsuspecting users with information on the outbreak, testing sites, and other false information to increase effectiveness. This trend will likely continue as the pandemic unfolds. Phishing emails will continue to be altered as new information is made available, and different audiences are identified, like the one seen here from Forbes.
Underground markets and forums have been offering COVID-19 themed discounts on malware and compromised accounts. In an article linked here, Check Point uncovers hacker forums offering discounts among the community, capitalizing on the increased activity. Using the code "COVID-19" provides 15% off on all compromised Facebook accounts; other discount codes include COVID19 and coronavirus. This is likely due to an influx of activity and sellers looking to gain an advantage during this spike.
The only real course of action here is to be vigilant, educate users, and look for this type of suspicious activity internally. This activity is expected to increase as the pandemic continues to spread. Even if the activity is not COVID-19 themed, the malicious actors will adapt to another topic of interest. The following are some best practices that can help limit risk and keep your organization safe:
- Think before you click. Should you be receiving this information or content? Did you request it? Was this part of your normal communications? Is this expected?
- Update software. When was the last time I updated my software packages? Is this done manually or automatically? Do I need to upgrade to a newer version?
- Report suspicious activity. How should I handle malicious/unknown activity? If I have questions, who can I ask? Does this information need to be stored in a certain format before being shared? What is the process of reporting this?
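One way to look for this activity internally is to check DNS query logs for COVID-themed domains that were registered only recently. The sketch below is an added example, not part of the original article; the log format, the registration dates, the `.example` domains and the 30-day threshold are all constructed assumptions.

```python
import re
from datetime import date

KEYWORDS = ("covid", "corona")   # themes named in the article
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s"})  # look-alike digits (assumption)
MAX_AGE_DAYS = 30                # hypothetical cut-off for "recently registered"

def is_themed(domain: str) -> bool:
    """Coarse match: drop separators, undo digit look-alikes, search for a keyword."""
    flat = re.sub(r"[^a-z0-9]", "", domain.lower()).translate(LEET)
    return any(k in flat for k in KEYWORDS)

def registered_domain(qname: str) -> str:
    # Naive last-two-labels rule; production code should use the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def hunt(log_lines, created, today):
    """Return (client, domain, age_days) for queries to themed, recently registered domains."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _, client, qname = parts
        dom = registered_domain(qname)
        reg = created.get(dom)            # creation date, e.g. from WHOIS/RDAP or an NRD feed
        if reg is None or not is_themed(dom):
            continue                      # unknown age or no theme keyword
        age = (today - reg).days
        if 0 <= age <= MAX_AGE_DAYS:
            hits.append((client, dom, age))
    return hits

# Constructed sample data (not real domains, hosts or dates).
CREATED = {
    "covid19-relief-fund.example": date(2020, 3, 20),
    "c0r0na-testing.example": date(2020, 3, 25),
    "coronado-tourism.example": date(2011, 6, 1),   # themed keyword, but long established
    "intranet.example": date(2020, 3, 24),          # new, but not themed
}
LOG = [
    "2020-03-27T09:14:02Z 10.0.4.17 www.covid19-relief-fund.example.",
    "2020-03-27T09:15:40Z 10.0.4.22 portal.intranet.example",
    "2020-03-27T09:16:11Z 10.0.7.3 c0r0na-testing.example",
    "2020-03-27T09:17:55Z 10.0.7.3 www.coronado-tourism.example",
    "malformed line",
]
TODAY = date(2020, 3, 27)

if __name__ == "__main__":
    for client, dom, age in hunt(LOG, CREATED, TODAY):
        print(f"{client} queried {dom} (registered {age} days ago)")
```

Requiring both the keyword and a recent registration date keeps long-established names that merely contain "corona" out of the results.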