Coronavirus phishing lures continue to dominate threat landscape

Overall cybercrime activity isn't necessarily going up amid COVID-19, experts say. However, coronavirus-themed emails are becoming the dominant form of phishing attacks.

The good news is, overall cybercrime isn't necessarily going up significantly amid the COVID-19 pandemic, experts say. The bad news is, coronavirus phishing attacks have become a dominant -- and effective -- threat.

"PhishLabs is not seeing a significant change in attack volumes. What PhishLabs has seen is that COVID-19 has become part of the lure, part of the social engineering mechanism of phishing attacks," PhishLabs founder and CTO John LaCour said. "We're seeing malware attacks, we're seeing credential phishing attacks, we're seeing advance fee fraud/419 scams, we're seeing ransomware, we're seeing all of those things that we see from time to time where attackers are leveraging coronavirus as part of the lure, part of the scam."

LaCour said the types of scams and attacks "run the gamut," not only between consumers and enterprise users, but also among the lures used to pull people in. For example, he pointed to one scam where a medical provider would be sent information about an "online conference" related to the latest coronavirus information.

In another example, in a campaign identified by IBM X-Force researchers, an email claims to be from WHO's Director-General Dr. Tedros Adhanom Ghebreyesus. The emails claim to share an update on the status of outbreak prevention as well as a potential cure, and they install an Agent Tesla malware variant through attached documents. IBM X-Force said it expects the attack to be "highly successful" under current circumstances.

"These emails are going to the general public and using more of a 'spray and pray' method. With this method, success for cybercriminals can be very low. Successfully infecting a few percent of the targets of a campaign this large can still turn into a payday of thousands," Ashkan Vila, a security analyst at IBM X-Force, told SearchSecurity over email.

Tim Bandos, vice president of cybersecurity at Digital Guardian, echoed LaCour's statements about overall cybercrime rates.

"We are definitely seeing a huge rise with phishing attacks in a COVID-19 theme being the primary aggressor," he said. "I wouldn't necessarily say [the total number of cyberattacks] has gone up. I do think the method by which they're carrying out these attacks is that they're leveraging this opportunity."

An effective lure

Vila said coronavirus phishing emails like the one highlighted by IBM X-Force can be much more effective than the average email threat. "The same email sent in a time without a global pandemic wouldn't be as successful," he said. "But given people's increasing fears of the matter, targets are less likely to be thinking rationally about the content of these emails which will lend to them more likely being more successful."

FireEye's Fred Plan, senior analyst of cyberespionage, said that the reason COVID-19 makes for such an effective lure in cybercrime is partially due to how it has become the dominating topic of conversation as well as cultural fear. However, he said, there are other reasons.

"On top of that high level of interest concerning COVID-19 developments, there's also a ton of misinformation and disinformation that's motivating individuals to seek out additional information," Plan explained. "There's also a growing skepticism of official figures and statements. A specific individual might not feel like it's above board or it's not quite right so this might increase this appetite at the individual level for more content, more sources of information than they might otherwise seek out."

Moreover, because the average American does not normally care about or interact with the WHO or a CDC equivalent in, say, Italy, the fact that such organizations have come to the international forefront now makes it easier for threat actors to pose as individuals from these organizations. It becomes harder to know what to look for, Plan said.
