
Coronavirus-linked cyberattacks on the rise

In the last 2 weeks, there were some 192,000 documented coronavirus-related cyberattacks per week, a study by global cybersecurity firm Check Point has indicated. Most of these attacks involved impersonation of organizations like WHO, UN and Zoom. The study showed that more than a third (37%) of Zoom-like domains were registered in the last 3 weeks alone, since the advent of the pandemic, and that hackers impersonated WHO to spread password-stealing malware. The theme ‘Corona Cure’ had the largest number of domain registrations, and there were domain names like ‘post corona’, ‘corona crisis’ and ‘corona relief payments,’ the study revealed.

The study found that cybercriminals had recently sent malicious emails posing as WHO from the domain ‘who.int’ with the email subject ‘Urgent letter from WHO: First human COVID-19 vaccine test/result update’ to lure victims into a trap. The emails contained a file named ‘xerox_scan_covid-19_urgent information letter.xlxs.exe’ that carried the infamous Agent Tesla malware, a password-stealing program that comes with a keylogger that lets hackers gather usernames and passwords from a victim’s device. Victims who clicked on the file ended up downloading the malware.

There were also extortion emails, allegedly sent by the United Nations and WHO, that requested that funds be sent to bitcoin wallets.

The study points to some 2500 new Zoom-related domains being registered, of which 1.5% are malicious (32) and 13% are suspicious (320). “Since January 2020 to date, a total of 6,576 Zoom-like domains have been registered globally. If you do the math, this means that nearly 37% of Zoom-related domains were registered in the last 3 weeks alone, since the advent of the coronavirus pandemic,” says the study.

The study reveals that people recently fell prey to phishing emails with the subject ‘You have been added to a team in Microsoft Teams’. The emails contained a malicious URL, http://login\.microsoftonline.com-common-oauth2-eezylnrb\.medyacam\.com/common/oauth2/, and victims ended up downloading malware when they clicked the ‘Open Microsoft Teams’ icon that led to this URL. The actual link for Microsoft Teams is ‘https://teams.microsoft.com/l/team’.

There were also fake Google Meets domains like ‘Googelmeets\.com’, which was first registered on 27 April 2020. Obviously, the link did not lead victims to an actual Google website.
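Both lookalike patterns described above (a trusted name buried in the subdomain of an unrelated domain, and a misspelled brand) can be triaged mechanically. The sketch below is an added example, not code from the Check Point study; the allowlist, brand list and function names are assumptions, and the registrable domain is approximated as the last two host labels instead of being looked up in a public suffix list.

```python
from urllib.parse import urlsplit

# Assumed allowlist and brand keywords, chosen for illustration only.
TRUSTED = {"microsoft.com", "microsoftonline.com", "google.com", "zoom.us", "who.int"}
BRANDS = ("microsoft", "google", "zoom")

def osa(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(url):
    """Return 'trusted', 'brand-in-subdomain', 'lookalike' or 'unknown'."""
    # Drop the backslash escapes the article prints inside its indicators.
    host = (urlsplit(url.replace("\\", "")).hostname or "").lower()
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # simplification: last two labels
    if registrable in TRUSTED:
        return "trusted"
    # A trusted domain appearing left of the real registrable domain.
    if any(t in ".".join(labels[:-2]) for t in TRUSTED):
        return "brand-in-subdomain"
    # A brand, exact or one edit away, inside the second-level label.
    sld = labels[-2] if len(labels) >= 2 else host
    for brand in BRANDS:
        n = len(brand)
        windows = (sld[i:i + n] for i in range(max(1, len(sld) - n + 1)))
        if any(osa(w, brand) <= 1 for w in windows):
            return "lookalike"
    return "unknown"

# Indicators as printed in the article; the scheme on the second one is added here.
TEAMS_PHISH = r"http://login\.microsoftonline.com-common-oauth2-eezylnrb\.medyacam\.com/common/oauth2/"
MEET_TYPO = r"http://Googelmeets\.com"

if __name__ == "__main__":
    for u in (TEAMS_PHISH, MEET_TYPO, "https://teams.microsoft.com/l/team"):
        print(classify(u), u)
```

A one-edit threshold on short brands such as ‘zoom’ will also match ordinary words, so the result is a triage signal for review, not a verdict.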

The study finds that in the past 3 weeks almost 20,000 new coronavirus-related domains were registered, of which 2% are malicious (354) and another 15% are deemed suspicious (2,961). Since the beginning of the outbreak, some 90,284 new coronavirus-related domains were registered globally.

An interesting pattern the study brought out was that at the beginning of the outbreak, domains related to live maps (tracking geographic areas that saw a rise in coronavirus cases) were common, as were domains related to coronavirus symptoms. Then, towards the end of March, the focus shifted to relief packages and stimulus payments due to the economic plans executed by several countries. After that, domains related to life after the coronavirus became more common, as well as domains about a possible second wave of the virus.

Throughout the entire pandemic timeframe, domains related to test kits and vaccines have remained very common, with slight increases as time goes on.

Check Point advises web users to adopt some of the following measures to stay safe on the net:

  • Beware of lookalike domains. Watch for spelling errors in emails or websites, and unfamiliar email senders.
  • Beware of unknown senders. Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
  • Use authentic sources. Ensure you are ordering goods from an authentic source. One way to do this is to NOT click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
  • Beware of “special” offers. “An exclusive cure for coronavirus for $150” is usually not a reliable or trustworthy purchase opportunity. At this point in time there is no cure for the coronavirus, and even if there were, it definitely would not be offered to you via an email.
  • Do not reuse passwords. Make sure you do not reuse passwords between different applications and accounts.


Copyright © Glocal Infomart Pvt Ltd. All rights reserved. Usage of content from website is subject to Terms and Conditions.