The total volume of phishing emails and other security threats relating to the Covid-19 coronavirus now represents the largest coalescing of cyber attack types around a single theme that has been seen in a long time, and possibly ever, according to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.
To date, Proofpoint has observed attacks ranging from credential phishing, malicious attachments and links, business email compromise (BEC), fake landing pages, downloaders, spam, and malware and ransomware strains, all being tied to the rapidly spreading coronavirus.
“For more than five weeks, our threat research team has observed numerous Covid-19 malicious email campaigns, with many using fear to try to convince potential victims to click,” said DeGrippo.
“Criminals have sent waves of emails that have ranged from a dozen to over 200,000 at a time, and the number of campaigns is trending upwards. Initially, we were seeing about one campaign a day worldwide; we’re now observing three to four a day. This increase underscores just how appealing global news can be for cyber criminals.”
In the past week alone, a number of deeply concerning campaigns have emerged that appear to be targeting the critical healthcare, manufacturing and pharmaceutical industries. DeGrippo said she had observed a campaign originating from advanced persistent threat (APT) group TA505 – which was behind the Locky ransomware strain and the Dridex banking trojan – using coronavirus loads in a downloader campaign.
Downloaders are particularly dangerous threats because once they have been delivered and installed, they can download additional types of malware. The TA505 group is considered to be one of the more significant financially motivated threat actors currently operating.
Other campaigns targeting the healthcare sector include emails offering coronavirus cures or vaccines in exchange for bitcoin payment. Needless to say, this is a cover for a downloader, and once it is installed, victims will open themselves up for second-stage ransomware payloads.
Read more about Covid-19 and security
- With hundreds of thousands likely to be working remotely for some time, the UK’s NCSC has issued best practice guidance to enable security teams to support them.
- Endpoint protection platform service will be made free until 16 May 2020 to help protect remote workers during the Covid-19 coronavirus crisis.
- The UK’s National Cyber Security Centre has issued a public alert and fresh guidance as more cyber criminals get wise to the lucrative potential of Covid-19.
“The Covid-19 lures we’ve observed are truly social engineering at scale,” said DeGrippo. “They know people are looking for safety information and are more likely to click on potentially malicious links or download attachments.
“Approximately 70% of the emails Proofpoint’s threat team has uncovered deliver malware and a further 30% aim to steal the victim’s credentials. Most of these emails are trying to steal credentials using fake landing pages like Gmail or Office 365 and ask people to enter their username and password.”
Proofpoint said it was absolutely certain that cyber criminals will continue to leverage coronavirus as the crisis develops globally and warned that the widespread transition to remote working meant they would have a wider range of targets.
It said that in addition to using protecting virtual private networks (VPNs), home workers should stay particularly vigilant for malicious emails regarding remote access and fake websites aimed at ensnaring unsuspecting remote workers.