There may be one thing growing and mutating faster than the novel coronavirus itself: human hackers’ attempts to use the pandemic as an opportunity to spread their own viruses and ransomware.
Cloud security company Zscaler reported a 30,000% increase in COVID-19-themed attacks since January — and in the company’s words, no, that’s not a typo. Zscaler saw coronavirus-themed attacks grow from around 1,200 observed and blocked COVID-19-related attacks in January to 380,000 such incidents in March.
“Bad actors love to take advantage of major news and events, popular brands, the hottest games—anything trending around the world—to give their malware a better chance of success. And, sadly, they are not above preying on people’s fears and uncertainty, which explains the explosion in attacks and scams related to COVID-19,” wrote Deepen Desai, VP of security research at Zscaler, in a blog post on the company’s data.
Telework has risen abruptly due to stay-at-home orders, and cybercriminals are trying to take advantage of the disruption. Zscaler reported an 85% increase in phishing attacks targeted at remote enterprise users. Some examples included spear-phishing emails that target users by appearing to come from corporate IT departments or payroll departments, perhaps asking the user to follow a link and log in to a fake “corporate VPN” site.
Registrations of suspicious domain names have surged as well; according to Zscaler, these names commonly include COVID-related keywords such as test, mask, Wuhan and kit. There was a spike of nearly 97,000 such domain registrations in late March.
On the consumer side, Desai wrote, “we saw malicious emails asking for personal information as a way to help individuals get their government stimulus money, and we saw those soliciting donations for COVID-19-based causes. In many cases, these sites are designed to trick the user into providing personal information or corporate credentials.” Government agencies have been warning consumers about federal relief fund scams since mid-March, and the coronavirus is being referenced in fraudulent, illegal robocalls as well as in the increasing cyberattack activity.
The need for a hasty pivot to more online services is proving to be a fertile ground for cybercriminals. As more consumers turn to online shopping, including ordering from local grocery stores, Zscaler also reported finding “skimmer” code designed to capture payment and personal information on healthcare, pharmacy and grocery store sites. “Several new websites (especially local grocery shops) have been quickly put together during this pandemic to support online orders. Unfortunately, not all of them are set up in a secure manner, which has resulted in some of these sites becoming compromised and injected with skimmer code,” Desai wrote.
In a separate recent report, cybersecurity company Trustwave found that attacks from Magecart — a frequent culprit in skimmer incidents — had risen to around 6% of its investigations last year, compared to zero instances four years ago. Trustwave said that cybercriminals have switched from targeting retail point-of-sale terminals because of the implementation of chip technology that makes them more secure; now they are targeting online storefronts instead.
Mobile users are being impacted as well, though it’s less common. Zscaler cited one malicious website that presented itself as a site for downloading a coronavirus tracking app for Android, but which actually turned out to be ransomware. An SMS Trojan enticed users to download it in order to receive a “corona safety mask,” but instead collected the user’s contacts and sent texts with links to all of them in an attempt to further spread itself.
There’s even an old-fashioned Nigerian prince scam with a COVID-19 twist, with an email circulating that purports to be from an “American doctor” who is caring for a wealthy Chinese businessman/politician who is very sick with COVID-19. The doctor claims to need help to get the patient’s money out of China before he dies and the money gets into the wrong hands, including the government, according to Zscaler.
In addition to the currently circulating scams and viruses, the company warned that “There is a growing security concern that once the pandemic is over, there will be thousands of machines physically returning to the corporate network after being on unsecured home networks for months. If any of these machines became compromised, they can offer attackers a beachhead into the corporate networks—which is exactly how many large-scale breaches get their start.”