The number of malicious domain name registrations related to the Covid-19 coronavirus pandemic has peaked and now appears to be levelling off, possibly heralding a shift in cyber criminal activity, according to new analysis from the Cyber Threat Coalition – a group of like-minded cyber security professionals who have come together to push back against criminals exploiting the crisis.
The number of high-risk coronavirus-linked domains exploded at the beginning of March, according to statistics gathered by researchers at DomainTools, hitting a high of just over 5,000 registered per day on or around 20 March. This spike was short-lived, and has now dropped back to remain steady at between 1,800 and 2,000 per day during the week beginning 13 April.
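The statistics above come from DomainTools' own risk scoring, which is not published on this page. The following is an added illustration, not DomainTools' or the coalition's code, of the simplest form such triage takes: flagging newly registered domains whose names carry pandemic lure terms (after undoing common digit-for-letter substitutions) and counting the hits per registration day. The term list, the homoglyph map and the sample registrations are all constructed assumptions for the example.

```python
# Added example: keyword triage of newly registered domains for pandemic lures.
# Not DomainTools' scoring; term list, homoglyph map and sample data are constructed.

# Constructed sample of (domain, registration date) pairs; not real registrations.
SAMPLE_REGISTRATIONS = [
    ("covid19-relief-fund.com", "2020-03-20"),
    ("coronavirus-map-live.net", "2020-03-20"),
    ("example.org", "2020-03-20"),
    ("vaccine-update-portal.info", "2020-04-14"),
    ("my-bakery-shop.co.uk", "2020-04-14"),
    ("c0vid-test-kits.xyz", "2020-04-14"),
]

# Assumed lure vocabulary; a real list would be tuned against observed phishing.
LURE_TERMS = [
    "covid", "corona", "coronavirus", "vaccine", "pandemic",
    "ncov", "sars-cov", "quarantine", "relief", "stimulus",
]

# Digits commonly swapped for look-alike letters (c0vid, c0r0na, vacc1ne).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Lower-case the name and undo digit-for-letter substitutions."""
    return domain.lower().translate(HOMOGLYPHS)


def lure_terms_in(domain: str) -> list:
    """Return every lure term found in the normalised domain, in list order."""
    name = normalise(domain)
    return [term for term in LURE_TERMS if term in name]


def is_lure_domain(domain: str) -> bool:
    """True if the domain carries at least one pandemic lure term."""
    return bool(lure_terms_in(domain))


def registrations_per_day(records) -> dict:
    """Count flagged (lure) registrations per day, mirroring a per-day trend chart."""
    counts = {}
    for domain, day in records:
        if is_lure_domain(domain):
            counts[day] = counts.get(day, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, day in SAMPLE_REGISTRATIONS:
        print(f"{day} {domain:30} {lure_terms_in(domain)}")
    print(registrations_per_day(SAMPLE_REGISTRATIONS))
```

Keyword matching of this kind is what makes cheap blocklists effective against mass-registered lure domains, but it is also why the short-lived spike is easy to see: once attackers move to exploiting footholds already gained, the domain name itself stops being the signal.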
Writing on the group’s weekly threat advisory blog, coalition member Emily Austin, a data scientist at MailChimp, put forward a theory as to why this might be.
“The decline in domain registrations … coupled with consistency of attack types could indicate a shift in activity,” she wrote. “Now that attackers have established infrastructure and techniques, they may soon shift to heavier exploitation of footholds established through phishing and other scams.”
Currently, Austin reported, statistics gathered through a coalition-run community survey suggest that the most common type of cyber attack they have seen are simple coronavirus scams, reported by over 60%, followed by credential phishing attempts, seen by just under 50%, and malicious documents, just under 40%.
Ransomware incidents and other types of extortion were observed less frequently, reported by just over 10% and about 5%, respectively.
If the decline in domain name registrations does indicate a shift in trends, targeted cyber attacks, including ransomware, may soon ramp up: the various coronavirus lures have done their job, and cyber criminals now have a large pool of potential victims.
Coalition member and researcher Martijn Grooten reported that a survey of 70 coalition volunteers had found that over 40% had seen an increase in threats against their organisations since the pandemic began, but he found widespread confidence among security professionals that existing security products and blocklists were actually proving quite effective against coronavirus-related threats.
The main concern among coalition members was still the transition to near-universal remote working, said Grooten. More than half said this had made them more vulnerable, although less than one-fifth said they had relaxed security policies at their company.
“The security community’s concern is understandable,” wrote Grooten. “Even before the pandemic, remote access tools, such as VPN solutions and Microsoft’s Remote Desktop Protocol, were a popular way for rogue actors to gain a foothold into an organisation network.
“Such methods were then often used for very damaging attacks. Remote access tools have to be configured and maintained to counteract critical vulnerabilities as they represent a potential weak spot in an organisation’s defences.”
As previously reported by Computer Weekly, the implementation of safe and secure remote working should be a priority for all organisations during the current crisis, and is relatively easy to accomplish.
Much of the established advice hinges on basic cyber security hygiene: applying security patches to VPNs, enabling and enforcing two-factor authentication, securing endpoints within reasonable boundaries and, critically, education and training, backed by a “no-blame” culture of internal cyber security that acknowledges end-users will make mistakes and empowers them to report errors candidly.