Coronavirus-related cyberattacks surge to 192,000 in one week

Attacks include malicious websites and files, all exploiting the COVID-19 pandemic, says Check Point Research.

As the coronavirus outbreak has expanded around the world, so too have cyberattacks designed to take advantage of the disease. Cybercriminals have been creating phishing emails, suspicious websites, downloadable apps and files, and other malicious content all geared toward trapping people curious or anxious about the pandemic. A blog post published Tuesday by cyber threat intelligence provider Check Point Research illustrates the rise of certain types of coronavirus-related cyberattacks.

Over the past three weeks, Check Point found 192,000 coronavirus-related cyberattacks per week, a 30% surge compared with the previous weeks. These cyberattacks encompass malicious websites with the word "corona" or "covid" in the domain name, files with "corona" in their name, and files attached to coronavirus-related phishing emails.

Among phishing emails, one common type of campaign impersonates known organizations such as the World Health Organization. In one case analyzed by Check Point, the attackers sent malicious emails that spoofed the WHO's actual domain of "who.int." The email's subject tried to lure victims by promising: "Urgent letter from WHO: First human COVID-19 vaccine test/result update." But anyone who clicked on the file attachment named "xerox_scan_covid-19_urgent information letter.xlxs.exe" was infected with the AgentTesla malware.

Check Point also discovered two types of extortion emails purportedly sent from the WHO and the United Nations asking people to donate to COVID-19 funds. Any money sent in response is deposited in several compromised bitcoin wallets and into the waiting hands of cybercriminals. Other recent phishing emails spoof such companies as Zoom, Microsoft, and Google, all in an attempt to exploit interest around the coronavirus.

At the same time, there's been a surge in registrations for coronavirus-related websites. Over the past three weeks, almost 20,000 new domains of this type were registered, with 17% of them identified as malicious or suspicious.

With more people working from home, cybercriminals are using fake Zoom domains to serve as landing pages for their phishing attacks. Since January of this year, 6,576 Zoom-related domains have been registered. Over the past three weeks, around 2,500 such domains were registered, with 1.5% of them identified as malicious and 13% seen as suspicious.

Microsoft Teams is also being impersonated for malicious campaigns. One phishing attack used the subject line of "You have been added to a team in Microsoft Teams." Clicking on the link contained in the email brought users to a landing page with an icon to "Open Microsoft Teams." Clicking on that icon then downloads malware. Similarly, Google Meet has been exploited with a fake domain called Googelmeets\.com registered on April 27, 2020.

As the pandemic has expanded and changed since the start of the year, cybercriminals have modified their tactics. At the beginning of the outbreak, attackers focused on malicious domains related to live tracking maps and virus symptoms. Around the end of March, the topic turned to relief packages and stimulus payments. As some countries have begun to ease quarantine restrictions, domains have sprung up to capitalize on such areas as life after the coronavirus and a potential second wave of the virus. Domains related to test kits and vaccines have been common since the start, with some increases along the way.

To protect yourself and your organization against coronavirus-related malware, Check Point offers the following tips:

  • Be suspicious of any email or communication from a familiar brand or organization that asks you to click on a link or open an attached document, no matter how official it appears to be.
  • Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
  • Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
  • Ensure you are ordering goods from an authentic source. One way to do this is to NOT click on promotional links in emails. Instead, search for your desired retailer and click the link from the search results page.
  • Beware of "special" offers. "An exclusive cure for coronavirus for $150" is not a reliable or trustworthy purchase opportunity. There is no cure for the coronavirus, and even if there was, it definitely would not be offered to you via an email.
  • Make sure you do not reuse passwords between different applications and accounts.
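
The lookalike-domain and suspicious-attachment tips can also be applied as automated triage on a mail gateway or DNS log. The sketch below is an added example, not code from Check Point or the original article; the brand watch-list, the executable-extension set and the edit-distance threshold are assumptions, and the demo inputs are the domain and filename quoted in the article.

```python
import re

# Watch-list terms are assumptions built from the brands and keywords the article names.
BRANDS = ("zoom", "googlemeet", "microsoftteams")
KEYWORDS = ("corona", "covid")
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent transposition as one edit."""
    # First row and column hold the cost of building a prefix from the empty string.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def domain_flags(domain: str, max_edits: int = 2) -> list[str]:
    """Return reasons a newly seen domain deserves review (empty list = none)."""
    # Naive registrable label: second-to-last dot segment (ignores multi-part TLDs).
    parts = domain.lower().rstrip(".").split(".")
    label = (parts[-2] if len(parts) > 1 else parts[0]).replace("-", "")
    flags = [f"keyword:{k}" for k in KEYWORDS if k in label]
    for brand in BRANDS:
        dist = osa_distance(label, brand)
        if 0 < dist <= max_edits:
            flags.append(f"lookalike:{brand}")
        elif brand in label and label != brand:
            flags.append(f"embeds:{brand}")
    return flags


def is_disguised_executable(filename: str) -> bool:
    """True when an executable extension follows another extension-like segment."""
    parts = filename.lower().rsplit(".", 2)
    return (len(parts) == 3 and parts[2] in EXECUTABLE_EXTS
            and re.fullmatch(r"[a-z0-9]{2,5}", parts[1]) is not None)


if __name__ == "__main__":
    # Inputs quoted in the article above.
    print(domain_flags("googelmeets.com"))
    print(is_disguised_executable("xerox_scan_covid-19_urgent information letter.xlxs.exe"))
```

Short brand names such as "zoom" sit within two edits of many ordinary words, so treat the output as a review queue rather than a block list.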
