Unsafe clicks from COVID-19-themed email phishing attacks nearly double in recent weeks; Mimecast blocks up to 5,000 URLs related to the Coronavirus a day—37x what we blocked in January.

Security professionals in organizations attempting to persevere through the global health crisis are dealing with a fast-growing influx of coronavirus email phishing attacks. Mimecast Threat Intelligence researchers confirm that the growth of Coronavirus-related phishing emails and malware is unprecedented.

Meanwhile, the Section Chief of the US Federal Bureau of Investigation’s Cyber Division pointed out another way cybercriminals are mimicking the spread of the deadly disease, showing a shift in diversity and method of attack. Herb Stapleton told CBS News that the FBI expects coronavirus phishing emails to focus geographically on companies in the hardest-hit regions of the USA: New York City, California and Washington state.[1]

FBI and NCSC Issue Coronavirus Phishing Email Alert

At roughly the same time, the FBI, the UK National Cyber Security Centre (NCSC) and other governments issued an alert about the alarming rise in phishing emails related to the pandemic. The FBI alert began by stating: “Scammers are leveraging the COVID-19 pandemic to steal your money, your personal information, or both. Don’t let them. Protect yourself and do your research before clicking on links purporting to provide information on the virus … “[2]

More specifically, the FBI warned people to “look out for phishing emails asking you to verify your personal information in order to receive an economic stimulus check from the government.” Despite widespread media reports about talk of such checks among Washington, DC, politicians, the government is sending no such emails, the FBI said. Last week, Cyber Resilience Insights reported Mimecast Threat Intelligence’s analysis of how coronavirus phishing attacks are rapidly evolving to exploit whatever news is causing people the most fear and uncertainty at any moment—a strategy to lure more victims (see “Beware of Fast-Evolving Coronavirus Email Phishing Attacks”).

Data Shows Rising Threat of COVID-19 Phishing Attacks & Malware

Now, Mimecast Threat Intelligence reports that the company’s email security systems prevented delivery of nearly 24 million suspected coronavirus phishing emails in the week leading up to (and including) March 23. That was a hair more than 16% of the more than 150 million emails scanned by Mimecast during the period.

COVID-19 phishing attacks represent a similar percentage of all the spam detected during the five-day work week ending last Friday (March 20): 15%, globally. But coronavirus phishing emails appear to be a much higher percentage of all spam in the US—often double the rate in the UK, for example, on a given day. It hit 20% of spam on March 18 and 22% on March 20.

 Covid TI Webinar Spam graph.png

Perhaps more worrisome: recent weeks have seen an almost doubling of unsafe clicks on email links, even though the volume of clicks, overall, has been relatively steady. In this, the UK had the dubious distinction of beating out the US: unsafe clicks peaked last week above 160,000 in the UK but barely reached 100,000 in the US, according to Mimecast Threat Intelligence data.

Where do all those email phishing clicks lead? Mimecast has seen a 234% increase in daily registrations of new coronavirus-related web domains and sub-domains from March 9 to March 20, to more than 6,100 per day. While some of the 60,000+ sites registered so far are legitimate, most are not.

Naturally, there has been a commensurate surge in the number of pages containing references to coronavirus or COVID-19 that are being blocked by Mimecast. It rose to 5,000 per day last week—more than 28 times the number blocked a month earlier and 37 times the number blocked in January. For more data on the rise of coronavirus email and malware, see our recap of the first Global Cyber Threat Intelligence Weekly Briefing, which took place on Tuesday, March 24, 2020.

“These are really all the same old attacks—nothing very new. It’s just a different lure,” noted Steven Sarkisian, Mimecast’s Global Manager-Messaging Security. “The coronavirus is a new email phishing lure that end users are emotional about, not thinking about, and not yet aware of. There’s a user awareness message that enterprise security professionals should be repetitively putting out there to their user communities,” Sarkisian added. 

Identifying Coronavirus Indicators of Compromise

Mimecast Threat Intelligence has identified more than a dozen IOCs for prominent coronavirus phishing attacks, including the usual number of email subject lines, domains, IP addresses and SHA-256 hash functions (associated with attachments), according to Dr. Kiri Addison, Head of Data Science for Threat Intelligence and Overwatch at Mimecast.

Addison identified these as email subject line IOCs for coronavirus email phishing scams:

  • “CORONA Virus Update on our Premises ID”
  • “Coronavirus Sensitive Matter”
  • “COVID-19 update”
  • “COVID info #” 
  • “Covid_19 medical support”
  • “COVID_19 Designated Free Testing Centres in your Locality”
  • “COVID-19 alert id”

Roundup of Selected Coronavirus Email Phishing Scams—Week 2

Here is a selection of COVID-19-related email phishing scams observed last week by Mimecast’s Threat Intelligence team:

  • Help us pay you: This phishing email, with the subject line “Booking PAYMENT,” appears to be coming from a specific company’s accounts payable department promising to send a delayed payment as soon as you correct your company information—which requires you to click on an attachment.
  • For remote workers: This one appeared last Friday, looking like it comes from your human resources department: “Due to increasing risk and outbreak of Corona virus, (sic) everyone is expected to enroll in the Remote Operation Policy for selection/approval of employee’s (sic) that will begin to work from home if there is no decline in infection rate by the end of this month.” The link takes you to the page pictured below, and then to the accompanying login form—both of which look legitimate, until you do a close read of the text.


Example screenshot of remote work email phishing attackExample screenshot of remote work HR email phishing attack

  • COVID-19 policy update: With the subject line “All Staffs: Mandatory Corona Update,” this email scam directs you to login to OneDrive to review “Important company policies regarding Covid-19 (sic) Virus.” If you do, the bad guys get your login credentials.
  • Virus update: It looks like an email from a concerned company’s “Health HelpDesk” offering a link to the CDC’s website to help you “identify how this epidemic could affect your organization.” But it doesn’t go to the real Centers for Disease Control and Prevention, of course. (At least they used “affect” correctly.)

Last week’s roundup appears at the end of “Beware of Fast-Evolving Coronavirus Email Phishing Attacks.”

[1]Amid "significant spike" in coronavirus scams, FBI anticipates criminals will target Washington state, California and New York,” CBS News

[2]FBI Sees Rise in Fraud Schemes Related to the Coronavirus (COVID-19) Pandemic,” FBI

 

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox

You may also like:

Beware of Quickly-Evolving Coronavirus Email Phishing Attacks

Cyber criminals continually morph COVID-…

Cyber criminals continually morph COVID-19 phishing scams to… Read More >

Mike Azzara

by Mike Azzara

Contributing Writer

Posted Mar 19, 2020

Cyber Awareness: Top 3 Steps to Combat Cyber Disruption, Chaos and Pro…

By now, COVID-19, or coronavirus, has l…

By now, COVID-19, or coronavirus, has likely dominated conv… Read More >

Renatta Siewert

by Renatta Siewert

Senior Security Writer

Posted Mar 13, 2020

Threat Intelligence Briefing: Cybercriminals Weaponizing Keywords in C…

Coronavirus Phishing Attacks and Domain …

Coronavirus Phishing Attacks and Domain Registrations Increa… Read More >

Michael Madon

by Michael Madon

SVP & GM for Security Awareness and Threat Intelligence Products

Posted Mar 24, 2020