If you didn’t have enough to worry about with the new coronavirus, here’s one more thing: Scammers are using the outbreak to steal your information through phishing attempts or to lure you into downloading a different kind of virus.
Cybersecurity firm Check Point announced today that over 4,000 coronavirus-related domains — that is, they contain words like “corona” or “covid” — have been registered since the beginning of 2020. Of those, 3 percent were considered malicious and another 5 percent were suspicious. Three percent might not seem like much, but according to Check Point, this means that a coronavirus-related domain is 50 percent more likely to be malicious than any other domain registered during the same time period. Check Point believes many of those malicious sites will be used in phishing campaigns. Phishing emails are ones that appear to be from a trusted source, tricking you into providing sensitive information, downloading malware, or clicking a link to a website that can do either.
It is common for scammers to take advantage of emergencies — moments when people are scared, desperate, and at their most vulnerable — to propagate scams. The coronavirus epidemic is no different, and bad actors all over the world are finding ways to use coronavirus warnings as a veil for malware attacks. As the outbreak spreads across the US, computer users in the country will likely become a more frequent target.
“National emergencies and/or disasters add a fear factor that acts as one more hook for hackers to get what they need,” Ron Culler, senior director of technology and solutions at ADT Cybersecurity, told Recode. “When fear is added to any targeted campaign — be it a legitimate or scam campaign — the effectiveness of that campaign is increased.”
A few days ago, the World Health Organization (WHO) put out a warning about phishing attempts via emails from apparent WHO representatives. The agency is getting reports of coronavirus-related phishing attempts on a nearly daily basis, according to the Wall Street Journal. Meanwhile, cybersecurity firm Proofpoint has also found a rash of WHO-branded phishing attempts as well as coronavirus-themed phishing emails from other health-related organizations. Some of these phishing attempts even appear to come from internal company emails.
Check Point said that the “most prominent” coronavirus phishing campaign in January came from emails pretending to be from a Japanese disability welfare service provider. The emails included an attachment that claimed to describe the virus’s spread to Japanese cities; it actually contained a computer virus that would spread to the victim’s computer. Another scam campaign targeted Italian organizations; it was an email from someone pretending to be a doctor for WHO’s Italian branch. The email included a file that was supposed to be a document with precautionary measures but was actually malware. One big clue that the email was from a scammer? It came from a non-who.int email address.
“We regularly observe campaigns with extremely topical lures, like the coronavirus, in hundreds of thousands to millions of socially engineered emails every day,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told Recode. “This information is legitimately being distributed by organizations to inform their employees and partners, thus giving threat actors a place to mix in their malware lures among the legitimate informational messages being sent.”
Proofpoint has taken to posting threats on its Threat Insight Twitter account as it comes across them because there are too many out there for blog posts to keep up with.
“Campaign volumes have ranged from a dozen to over 200,000, and the number of campaigns is trending upwards. Initially, we were seeing about one campaign a day — we’re now observing three to four a day,” DeGrippo told Recode. “This increase underscores just how appealing these types of topical campaigns are for threat actors.”