Threat Intelligence

    Threat Intelligence Briefing: Skyrocketing Coronavirus Cyber Attacks

    We’re continuing to see an unprecedented level of malicious activity as the COVID-19 pandemic unfolds, with threat actors shifting their focus to prey on the latest evolving anxieties of people who are working at home or self-isolating due to help stop the spread of the disease.

    by Meni Farjon

    Key Points

    In this week's Cyber Threat Intelligence Briefing, Mimecast's Threat Intelligence panel discussed: 

    • Mimecast has seen a massive increase in coronavirus-themed spoofed websites, in addition to very high spam email volume.
    • Malicious actors continue shifting their focus to prey on users’ latest fears, with fake websites and emails offering financial assistance and infection-tracking information.
    • New malware includes Android-based ransomware.
    • These latest threats have spurred cooperation within the security community to help make the world a more resilient place.

    Mimecast has detected a massive spike in spoofed coronavirus-related websites in addition to a continuing flood of coronavirus-themed spam email and new malware, including a new type of Android ransomware. Attackers are attempting to deceive users with fake offers of financial assistance, coronavirus tests and infection-tracking information.    

    We shared the latest developments in Mimecast’s Global Cyber Threat Intelligence weekly briefing on March 31, 2020, the second in an ongoing series of interactive web sessions designed to help customers and the general public stay cyber safe as the greater coronavirus pandemic unfolds.

    Good news: The magnitude of the threat is spurring a new level of cooperation within the security community, including coordination between Mimecast and its competitors to make the world a more resilient place. “This is a global problem and we are addressing it globally—coordinating with what others in the industry see and also with governments,” said Michael Madon, Mimecast SVP & GM, Security Awareness and Threat Intelligence. “That’s something that I think is a positive outcome from this: Seeing the security community rally together to protect ourselves and the broader global community from those who would exploit our vulnerabilities and weaknesses.”  

    Netflix Impersonators Target People Staying Home

    As more people are forced to stay home, malicious actors see an opportunity to target people who may have few recreational options other than watching TV. In just two days, Mimecast found more than 500 suspicious domains impersonating Netflix (an example of one is set forth below) as well as other websites impersonating Disney+, Amazon Prime Video, and YouTube TV.

    Threat Intelligence Webinar: Netflix email scam screenshot

    Some of these impersonators entice users with the offer of “free” Netflix subscriptions, with the specific goal of harvesting the user’s credentials, including user names and passwords. “Unfortunately, people often use the same usernames and/or passwords across different sites—so it is possible that they would use the same credentials for business or personal logins,” explained Thom Bailey, Sr. Director, Product/Strategy at Mimecast.  

    Spoofed Websites Prey on Pandemic Anxiety

    Many spoofed websites attempt to deceive users by focusing on current concerns, including coronavirus testing, COVID-19 cures, and tracking the spread of infections. “Over the last few weeks, we’ve seen a massive increase in the number of coronavirus-themed spoofed websites,” said Kiri Addison, Mimecast Head of Data Science for Threat Intelligence and Overwatch. Mimecast has recently detected more than 60,000 spoofed coronavirus-related websites, including:  

    • 302 websites selling home test kits—something many people are searching for in light of the uncertainty;
    • 44 websites suggesting a COVID-19 cure;
    • Countless attempts to impersonate the Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO)—two of the main official sources that people turn to for coronavirus information; and
    • Fake donation web pages that exploit people’s generosity by pretending to request money for COVID-19 victims

    Email Campaigns Focus on People’s Financial Concerns

    The volume of coronavirus-themed spam email remains extremely high, as in previous weeks. COVID-19 themed spam accounted for up to roughly 15% of all blocked spam, with similar trends seen across all regions.  

    But as the coronavirus pandemic evolves, those email campaigns are adjusting their focus to target users’ latest fears. While earlier campaigns impersonated Chinese medical experts sharing information about symptoms, or governments responding to the crisis, now more campaigns are focusing on people’s financial concerns as unemployment and economic uncertainty rise to record levels.

    The latest wave includes email campaigns offering loans, prizes, or government grants, Addison said. The scams are often made more compelling by the use of official-looking websites or logos. “You’ll see very slick-looking websites or emails,” she said. “We recently saw an impersonation of a well-known UK bank, offering to help people by giving them thousands of pounds in credit on their credit card.” A link in the email led to a realistic-looking web page that asked users to enter their credit card details.

    Fake Coronavirus Websites Conceal Malicious Payloads

    Some spoof websites attempt to trick users into downloading trojans or other malware by mimicking the most widely used and authoritative sources of coronavirus information. Those sources include the Johns Hopkins University Coronavirus Resource Center, which has become one of the most popular websites for mapping and tracking cases of COVID-19 across the world. Malicious actors are “preying on people’s anxieties, worries and confusion,” says Dr. Francis Gaffney, Mimecast Director of Threat Intelligence. “People want to know if others in their area have been identified as having coronavirus.”

    A link on one social media platform takes users to a spoof web page that is almost identical to the Johns Hopkins site but contains a known trojan, AzorUlt, that is installed on the user’s system. The trojan includes spyware and a key-logger, also harvesting end user credentials.

    New Android-based Ransomware Spreads Rapidly  

    Other rising threats include a new coronavirus-themed Android ransomware called CovidLock. A fake coronavirus infection-mapping web page encourages visitors to download a mobile “Coronavirus tracker” app, promising that the app will enable them to identify whether people in their immediate vicinity have been infected with the virus. In reality, users are downloading software that initiates a ransomware exploit.

    As I demonstrated during the briefing, once the app has been downloaded to an Android device it makes several requests in order to gain control of the phone, then encrypts the user’s information. Besides rendering the phone unusable, the ransomware threatens to send the owner’s videos and pictures to their contacts unless a ransom is paid within 48 hours. Fortunately, the ransomware authors embedded the key required to decrypt the phone within the malware itself. As a result, the security community was able to quickly find and share the key: 4865083501.

    Anyone who is infected by ransomware should check to see whether such information is available before paying a ransom, Madon said. “Before anyone pays, they should certainly take a tactical pause and see if the decryption code is out there,” he said. The new ransomware also underlines the importance of regularly backing up the data on each device. If your phone’s contents are backed up to the cloud, then “even if they shut off your phone, the things you care about most are safe,” he said.  

    Best Practices for Protecting Remote Workers

    With more and more people working from home, Mimecast is continuing to provide updated security information, including free videos and information that security professional can share with employees to help boost security awareness. Here are some of the top security tips for remote workers:

    • Be suspicious of emails, phone calls, or messages from people you do not know, trying to get your attention by providing updates about the virus.
    • Always type URLs yourself. Hackers are creating sites that look like official healthcare institutions and online retailers. Navigate directly to official websites such as CDC.gov.
    • Use strong and unique passwords for all your accounts, including your in-home Wi-Fi.
    • Don’t connect to networks you don’t recognize. If your company has a virtual private network (VPN), make sure you use it.

    In addition to communicating best practices to all employees, companies should also consider a more personal touch—identifying the most-targeted users in the company, engaging and educating them so that they can become an extension of the cybersecurity team, said Josh Douglas, Mimecast Vice President of Product Management.

    The Bottom Line

    As the COVID-19 pandemic evolves, malicious actors are adjusting their focus to prey on people’s latest fears and concerns. Many of the latest threats target people who are self-isolating, working remotely or worrying about their finances because they are unemployed or feeling the impacts of the current related financial crisis. In addition to the high volume of spam email, Mimecast has detected a massive spike in spoofed coronavirus-related websites, some of which can infect Android devices with ransomware.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top