Threat Intelligence Briefing: Surging Spam and Impersonation Attacks Drive Increasing Coronavirus Cyber Threats
 

We shared our analysis in Mimecast’s Global Cyber Threat Intelligence weekly briefing on April 14, 2020, the fourth in a continuing series of interactive web sessions designed to help customers and the general public stay cyber-safe as the broader coronavirus pandemic continues to create turmoil worldwide.

100 Days of Coronavirus Scams

The global spread of the coronavirus has created many new opportunities for threat actors in the roughly 100 days since the virus began gathering widespread attention at the end of 2019. To provide a clear picture of how malicious actors are exploiting those opportunities, Mimecast Global Cyber Threat Intelligence analyzed key trends in activity over that period.

The analysis shows that overall threat activity has increased significantly, rising 33.5% from January to April 2020. During that time, malicious actors shifted tactics to focus largely on high-volume spam and impersonation attacks. These tactics enable attackers to target large numbers of potential victims with the least possible effort, at a time when an unprecedented combination of risk factors makes people particularly vulnerable. That vulnerability is illustrated by the fact that users are clicking on many more unsafe links: the number of clicks on blocked URLs increased more than 55%.

Attackers are “making hay while the sun shines—it is a once-in-a-lifetime opportunity for them. Absolutely any way they can defraud people and take advantage of this crisis is taking place,” said Carl Wearn, Head of Risk & Resilience, E-Crime & Cyber Investigation, Mimecast.

“The circumstances create an almost perfect storm,” Wearn added. “The uncertainty, the chaos and the need for information all lead to increased unsafe clicks.”  

Mimecast analysis showed a significant increase in overall threat activity from January onward. Though new malware has continued to appear during the 100-day period, the greatest volume of attacks shifted to impersonation and spam. A significant and sustained increase in impersonation attacks began in late January, and spam increased significantly in late February, with peaks of activity seen in March, Wearn said. Overall, coronavirus-related spam has accounted for roughly 10% to 15% of all blocked spam over the past few weeks.

Here is the breakdown of threat volume detected by Mimecast from January to April during the coronavirus:  

• 26.3% increase in spam
• 30.3% increase in impersonation attacks
• 35.16% increase in malware
• 55.8% increase in clicks on blocked URLs

Spam is First Stage in Credential-Harvesting Attacks

Many of the attacks use spam as a phishing technique to engage users and ultimately get them to enter their credentials on a fake website, said Thom Bailey, Sr. Director, Product/Strategy at Mimecast. “The move to spam is in nearly all instances part of a layered approach, where credential harvesting tends to be the favored attack metric at the moment,” he said. Attackers may be able to use stolen credentials to gain access to users’ finances or email accounts, particularly because people often reuse the same credentials for multiple accounts.

Wearn said that Mimecast is seeing an increasingly nuanced variety of tactics, from rudimentary spam to highly sophisticated deceptive messages and websites. “They range from the simplest, badly spelled spam emails to really complex and genuine-appearing emails from official organizations,” he said. Some spam uses outrageous subjects to grab users’ attention and get them to click. Traditional fraudsters are also using spam to offer fake or non-existent goods such as protective masks or COVID-19 cures.

New Attacks Offer Fake Airline Ticket Refunds and Fake Government Payouts

Attackers continuously monitor the latest coronavirus-related government and business developments and adjust their tactics to take advantage of them. Wearn highlighted two recent exploits that prey on users’ financial concerns with fake offers of money if they enter the credentials for their financial accounts.

One of these attacks purports to be from the U.K. government, informing users that they are entitled to a tax refund because of the impact of the coronavirus pandemic and resulting financial crisis. Users are asked to enter credentials in order to get those funds. In fact, attackers aim to use those credentials to achieve exactly the opposite effect. “It’s a standard approach: click on this, give us your credentials and we will drain your bank account,” Wearn said.  

Another attack aims to take advantage of people who have had to cancel flights for planned summer vacations and stand to lose the hundreds or thousands of dollars they spent on airline tickets. The attackers spoof various airline websites, promising users that if they enter their financial account details they’ll get a refund. “Actually, you won’t get any money—they’ll take money from you,” Wearn said.  

Increase in Unsafe Clicks is Linked to Working at Home

The number of unsafe clicks has increased sharply in recent weeks—suggesting that it is related to the fact that more people have begun working at home due to the public health crisis, including government-imposed lockdowns, Wearn said. “We have seen a horrendous rise in unsafe URL clicks, which I do believe is impacted by lockdown and isolation,” he said.  

People may be more vulnerable because they’re working from home, where there can be more distractions, and because of their overall level of coronavirus-related stress. One problem is that everyone is looking for information about coronavirus, which makes them more likely to click. “It is quite chaotic: the situation is changing rapidly in regard to lockdowns and social distancing measures, and people want information about it,” Wearn said.

Staying Safe While Working at Home

Many people who are working at home may never have done so before, and so they may not be sufficiently aware of the cyber-threats and what they need to do to create a secure working environment. The rise in unsafe clicks suggests that there’s an urgent need to reiterate basic principles of cybersecurity hygiene, Wearn said. That includes providing advice about how to secure the entire home network and all devices, including any IoT devices.

If organizations don’t take steps to refresh user awareness, unsafe behavior is likely to become an even bigger problem.

Mimecast’s security recommendations for home users include:

• Update the security of the home wi-fi network by using strong passwords. Make sure the firewall is active.
• Update personal contact information to help with verification. Use multifactor authentication wherever possible.
• Never click on COVID-19 related attachments received outside the trusted network perimeter.
• Double check URLs and other links, and don’t click if they look suspicious.
• Only update usernames and passwords on trusted sites.

How to Handle Genuine COVID Emails

Some of Mimecast’s customers have asked how they can ensure they receive legitimate COVID-19-related emails without opening the floodgates to spam. The short answer: don’t switch off or change email quarantine settings, because the benefits they provide by reducing risk far outweigh the negative impact of a short delay in receiving messages. DMARC technology can also be employed to identify and block emails from spoofed domains.

The Bottom Line

Increases in coronavirus-related spam and impersonation attack campaigns are exploiting the vulnerability of users working at home, taking advantage of their desire for information about the coronavirus pandemic to entice them to click on unsafe links. It’s vital to take steps to refresh user awareness and help them create a secure working environment at home.

To help, Mimecast provides frequently updated security information and advice at our coronavirus response center. This includes real-time information about evolving cyber threats, how to better support employees working remotely, and other resources to help you and your organization.

We plan to continue holding regular threat intelligence briefings to help you maintain the security of your organization and your employees. You can help us shape those briefings to make sure they’re most valuable to you. Please let us know what topics you’d like us to cover during the briefings.