22 May 2020

In the past three weeks, Check Point researchers have documented an average of 192,000 Coronavirus-related cyberattacks per week, marking a 30% increase compared to previous weeks.

Researchers found that a majority of these attacks start with phishing emails in which criminals impersonate the WHO, United Nations, Zoom, Microsoft or Google to try and trick users into clicking on links or opening infected documents.

High rate of malware attacks

The World Health Organisation’s name and logo are a popular choice for hackers to impersonate. Recently, cyber criminals sent malicious emails posing as the WHO from the domain ‘who.int’, with the subject line ‘Urgent letter from WHO: First human COVID-19 vaccine test/result update’ and a malicious document attached.

The document contained the infamous Agent Tesla malware, a password-stealing program that comes with a keylogger that lets hackers gather usernames and passwords from a victim’s device. Victims who clicked on the file ended up downloading the malware.

In addition, Check Point researchers found two examples of extortion emails, allegedly sent by the United Nations (UN) and WHO, that requested that funds be sent to compromised bitcoin wallets.

Zoom-like fake domain registrations

In the last 3 weeks, around 2,449 new Zoom-related domains were registered, of which 1.5% were malicious (32) and 13% suspicious (320). From January 2020 to date, a total of 6,576 Zoom-like domains have been registered globally. This means that nearly 37% of Zoom-related domains were registered in the last 3 weeks alone, since the advent of the coronavirus pandemic.

Both Microsoft Teams and Google Meet are also being used to lure people into traps. Recently, many victims fell prey to phishing emails that came with the subject ‘You’ve been added to a team in Microsoft Teams’. The emails contained a malicious URL and victims ended up downloading malware when clicking on the ‘Open Microsoft Teams’ icon that led to this URL.

Researchers also found fake Google Meet domains, which were first registered on April 27, 2020. The link did not lead victims to an actual Google website.

Coronavirus-related domain registrations

In the past three weeks, almost 20,000 (19,749) new Coronavirus-related domains were registered, of which 2% are malicious (354) and another 15% are deemed suspicious (2,961). Since the beginning of the outbreak, a total of 90,284 new Coronavirus-related domains have been registered globally.

Check Point’s Manager of Data Research, Omer Dembinsky said, “We’ve noticed a change in criminals’ tactics over the last three weeks. Hackers have gone into over-drive to take advantage of the Coronavirus pandemic. If you unpack these latest cyberattacks, the theme of impersonation is a clear and strong one, especially using the WHO, the UN and Zoom as a cover for phishing”.

Omer adds, “For example, the number of Zoom-like domain registrations in the past three weeks alone is staggering. More than ever, it is important to beware of lookalike domains and to be extra cautious of unknown email senders.”

Themes and trends of Coronavirus-related domain registrations

As researchers analysed the new Coronavirus-related domains registered, they observed that the domains reflected the chronology of different stages of the pandemic outbreak.

  1. At the beginning of the outbreak, domains related to live maps (tracking geographic areas that saw a rise in coronavirus cases) were very common, as well as domains related to coronavirus symptoms.
  2. Towards the end of March, the focus shifted to relief packages and stimulus payments due to the economic plans executed by several countries.
  3. Post March, domains related to life after the coronavirus became more common, as well as domains about a possible second wave of the virus.
  4. Throughout the entire pandemic timeframe, domains related to test kits and vaccines have remained very common, with slight increases as time goes on.

To stay safe, Check Point recommends the following guidelines:

  1. Beware of lookalike domains. Watch for spelling errors in emails or websites, and unfamiliar email senders.
  2. Beware of unknown senders. Be cautious with files received via email from unknown senders, especially if they prompt for an action one would not usually take.
  3. Use authentic sources. Ensure you are ordering goods from an authentic source. One way to do this is to NOT click on promotional links in emails, and instead, Google one's desired retailer and click the link from the Google results page.
  4. Beware of ‘special’ offers. ‘An exclusive cure for Coronavirus for US$ 150’ is usually not a reliable or trustworthy purchase opportunity. At this point in time there is no cure for the coronavirus and even if there was, it definitely would not be offered to you via an email.
  5. Do not reuse passwords. Do not re-use passwords between different applications and accounts.
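
For teams that review newly registered domains, the lookalike-domain advice above can be automated as a first-pass triage over the brands this article names. The following is an added example, not Check Point's method or code; the allow-listed domains, the digit-swap table, the verdict names and the sample domains are all assumptions constructed for illustration.

```python
import re

# Brands the article reports being impersonated -> domains assumed legitimate.
BRANDS = {
    "zoom": {"zoom.us"},
    "who": {"who.int"},
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
}
# Digit-for-letter swaps often seen in lookalike names (illustrative set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (verdict, brand) for one domain name."""
    d = domain.lower().rstrip(".")
    for brand, legit in BRANDS.items():
        if any(d == l or d.endswith("." + l) for l in legit):
            return ("legitimate", brand)
    name = d.rsplit(".", 1)[0]  # drop the TLD (crude; ignores multi-label suffixes)
    tokens = [t for t in re.split(r"[^a-z]+", name.translate(HOMOGLYPHS)) if t]
    for brand in BRANDS:
        for tok in tokens:
            # Short brands such as "who" must match a whole token to limit noise.
            if tok == brand or (len(brand) >= 4 and brand in tok):
                return ("brand-keyword", brand)
            if len(brand) >= 4 and edit_distance(tok, brand) == 1:
                return ("typosquat", brand)
    return ("unrelated", None)

# Constructed sample of newly registered names (not real indicators).
SAMPLE = ["zoom.us", "meet.google.com", "z00m-invite.example", "zooom-us.example",
          "micros0ft-teams.example", "goggle-meet.example",
          "who-covid19-vaccine.example", "gardening-tips.example"]

def triage(domains=SAMPLE):
    return {d: classify(d) for d in domains}

if __name__ == "__main__":
    for d, (verdict, brand) in triage().items():
        print(f"{d:32} {verdict:14} {brand or '-'}")
```

A hit is a candidate for review, not a verdict of malice: ordinary words one edit away from a brand (for example "room" against "zoom") will also match, which mirrors the article's split between suspicious and malicious registrations.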