COVID-19: The Cybercrime Gold Rush of 2020


If you told me at the start of 2020 that for the first time in the history of cybersecurity, we’d see every industry and every type of device across the globe targeted by attacks based around a single theme, I wouldn’t have believed you. If you told me this theme would hinge on exploiting a global pandemic and attackers would target even medical researchers on the front lines trying to stop this disease, I wouldn’t have believed that either. Yet, here we are, and our reality indeed includes a cybercrime gold rush aimed at taking advantage of COVID-19.

Just last week, the United Kingdom’s National Cyber Security Centre, Canada’s Communications Security Establishment and the United States National Security Agency issued a joint advisory detailing how Cozy Bear (APT29) was employed by the Russian government to target organizations involved in COVID-19 vaccine development in those three countries.

The researchers on the Unit 42 threat intelligence team at Palo Alto Networks are closely tracking a plethora of COVID-19-themed cyber attacks that have emerged around the world over the past few months. Since the beginning of this year, we’ve identified more than 40,000 newly registered websites using a coronavirus-related name that we’d classify as “high-risk” sites because of the scams and malware they push onto unsuspecting consumers.

The global impact of the COVID-19 pandemic, coupled with a lack of trust in the government and media as reliable sources of information, has ultimately created a perfect storm for cybercriminals to have greater success. People are constantly looking for new sources of supplies and information, and cybercriminals have taken the opportunity to exploit this. 


Why It Matters

Attackers have homed in on the opportunity presented by people searching for COVID-19 updates and shopping for essential goods online, and have built profit-motivated attacks around it.

We’ve found:

  • Scam sites offering items like face masks and hand sanitizer for low prices.
  • Fake COVID-19 ebooks, promising new “tips” on how to stay safe. In actuality, these sites deliver no product after the purchase is completed; instead, they simply steal both the money and all the personal and financial information uploaded to the site.
  • Evidence that suggests cybercriminals are also creating fail-safe websites that are currently dormant, waiting to be quickly spun up when another scam site of theirs is taken down.
  • Cybercriminals using cloud service providers (such as Amazon, Google, Microsoft and Alibaba) to host some of these malicious sites, because when threats originate from the cloud, misusing a cloud provider’s resources can make them easier to hide from detection. (Thanks to the rigorous screening and monitoring processes employed by these cloud providers, and likely due to the higher costs of using them, it has so far been relatively rare for malicious actors to host malicious domains in public clouds.)

We’ve also uncovered – and blocked – a wide variety of cyber threats globally that are recklessly targeting government healthcare agencies, local and regional governments, and large universities that are dealing with the critical response efforts of the COVID-19 pandemic. Regions impacted include the US, Canada, Germany, Turkey, Korea and Japan. 

While it’s not surprising that cybercriminals are seizing this opportunity to exploit the pandemic for their personal gain, it’s clear the criminals who profit from cybercrime are going to any length to succeed and are in it for the long haul.

We’re continuing to monitor and protect against these threats, but it’s important to note that these shifts in behavior highlight that cybercriminals are investing time and resources to bolster their attacks.


Looking Ahead

With COVID-19 cases continuing to rise in certain countries, and a second wave of the virus anticipated to hit later this year, we’ll continue to see evolving themes from attackers related to news of the pandemic. For example, toward the end of June, we picked up malicious emails with the subjects “Supplier-Face Mask/Forehead Thermometer” and “Supply medical mask, protective glasses and temperature gun.” Both topics relate to preparing to go back out into the world rather than to staying home. I expect this evolving trend will continue, driven by the news and by business priorities.

Additionally, we anticipate that the U.S. will likely be targeted more by attackers than countries where COVID-19 no longer affects daily life (such as New Zealand).

We also expect to see a spike in cybercrime as economies go into recessions. With unemployment numbers around the world dramatically growing, some people will inevitably turn to cybercrime, as typically happens in economic downturns.

Lastly, given that more of the workforce is now working remotely from home, we anticipate an increase in attackers targeting home routers and other Internet of Things (IoT) devices to compromise home networks.

These devices are already frequently targeted, especially since 98% of all IoT device traffic is unencrypted, exposing personal and confidential data on the network and allowing attackers to listen to unencrypted network traffic and collect personal or confidential information. While we don’t have the data to show this is currently happening, a very likely next step for attackers would be to shift their focus to home routers and use them for more than just mining cryptocurrency or launching DDoS attacks, as they have in the past. With more employees working from home and no longer protected by an enterprise security tool and corporate firewall, attackers may begin trying to steal sensitive corporate data that they couldn’t typically access as easily before. Consumers should make sure that their physical router isn’t using the default password that comes with the router (often just “Admin”). They also should update it to the latest firmware version. Too often, consumers create a password for only their wireless network and do not realize that the physical device also needs its own unique password.

Here are our recommended tips for consumers and businesses to stay safe during this time:

Consumers:

  • Be wary of websites offering “too-good-to-be-true” deals on COVID-19 essentials, like face masks and hand sanitizer.
  • Treat all emails and websites purporting to offer information about COVID-19 as suspicious.
  • To ensure you’re not the victim of a phishing attack, always check for the three main indicators, shown in Figure 1 below: correct domain name, the presence of the padlock and valid certificate ownership.

Figure 1: Three checks to validate a website before trusting it: 1) verify that the domain name is correct, 2) look for the padlock, 3) validate certificate ownership.

  • If you believe your credit card information was stolen as a result of a recent online purchase, you should contact your bank to freeze or change your card immediately. 
  • Consider putting a freeze on your credit, so that new accounts can’t be opened up using your personal information.
  • Make sure your home router’s administration interface has its own password in addition to your Wi-Fi password. If you don’t know how to do this, visit your device manufacturer’s site to find their step-by-step instructions.
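The three indicators from Figure 1, as an added example that is not part of the original post: given the URL the user typed, the brand domain they expect, and the certificate details a browser’s certificate viewer shows (subject alternative names and subject organization), it reports which of the three checks fail. The storefront and look-alike domains, and the certificate data, are constructed for the example; the domain reduction is deliberately simplified and ignores the public-suffix list.

```python
from urllib.parse import urlsplit

def registrable_domain(host):
    """Reduce 'www.shop.example.com' to 'example.com'. Simplified: keeps the last
    two labels and ignores the public-suffix list ('shop.example.co.uk' -> 'co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def san_matches(host, sans):
    """Match the host against the certificate's SAN entries the way a browser
    does: exact match, or a wildcard covering exactly one leading label."""
    host = host.lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and host.count(".") == san.count(".") \
                and host.endswith(san[1:]):
            return True
    return False

def check_site(url, expected_domain, expected_org, cert):
    """Return the failed indicators as a list; an empty list means all three pass.
    `cert` holds the certificate's 'sans' list and subject 'org' string
    (empty for a domain-validated certificate, which names no organization)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # 1) Domain name: the brand placed inside someone else's domain fails here.
    if registrable_domain(host) != expected_domain.lower():
        findings.append(f"domain: {host} is not under {expected_domain}")
    # 2) Padlock: only HTTPS shows one; without it there is no certificate to check.
    if parts.scheme != "https":
        findings.append("padlock: connection is not HTTPS")
        return findings
    # 3) Certificate ownership: issued for this host and to the organization we expect.
    if not san_matches(host, cert["sans"]):
        findings.append(f"certificate: not issued for {host}")
    if cert["org"].lower() != expected_org.lower():
        shown = cert["org"] or "no organization (domain-validated only)"
        findings.append(f"certificate: issued to {shown}, expected {expected_org}")
    return findings

# Constructed sample data: a genuine storefront and a look-alike scam site.
GENUINE_CERT = {"sans": ["example-shop.com", "*.example-shop.com"], "org": "Example Shop Inc."}
LOOKALIKE_CERT = {"sans": ["example-shop.com.covid-mask-deals.net"], "org": ""}

if __name__ == "__main__":
    print(check_site("https://www.example-shop.com/masks", "example-shop.com", "Example Shop Inc.", GENUINE_CERT))
    print(check_site("https://example-shop.com.covid-mask-deals.net/masks", "example-shop.com", "Example Shop Inc.", LOOKALIKE_CERT))
```

The look-alike site passes the padlock check and even has a certificate issued for its hostname, which is why the domain and ownership checks matter as much as the padlock.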

Businesses:

  • Run a Best Practice Assessment to identify where your configuration could be altered to improve your security posture.
  • Use PAN-DB URL Filtering to block the “Newly-Registered Domains” category, which contains domains registered in the last 32 days.
  • If you cannot block access to the Newly Registered Domains category, our recommendation is to enforce SSL decryption for these URLs for increased visibility and to block users from downloading risky file types such as PowerShell scripts and executables.
  • You can also apply a much stricter Threat Prevention policy and increase logging when accessing Newly Registered Domains. We also recommend DNS-layer protection, as we know over 80% of malware uses DNS to establish C2.
  • eCommerce and online retailers can mitigate risks by patching all their systems, components and web plugins to avoid being compromised. 
  • Regularly conduct web content integrity checks offline to see if your pages were edited and had malicious JavaScript code inserted by attackers.
  • Make sure you’re using strong passwords for your content management system (CMS) administrator accounts to make them less susceptible to brute-force attacks.
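The Newly Registered Domains policy described in the list above, worked through as an added example (not Palo Alto Networks’ code or any product’s log format): each proxy log line is checked against a registration-date table using the 32-day window, the coronavirus-themed naming seen in the 40,000 sites mentioned earlier, and the risky download types named above, and the policy action follows from those findings. The log lines, domains and WHOIS creation dates are all constructed for the example.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

NRD_WINDOW = timedelta(days=32)      # the Newly-Registered Domains window used above
COVID_TERMS = ("covid", "corona", "ncov", "pandemic")
RISKY_EXTENSIONS = (".ps1", ".exe")  # PowerShell scripts and executables
REFERENCE_DAY = date(2020, 6, 29)    # "today" for the sample log below

# Constructed WHOIS creation dates for the domains in the sample log.
REGISTERED = {
    "covid19-mask-supplier.com": date(2020, 6, 20),
    "example-news.org": date(2011, 3, 4),
    "thermometer-deals.net": date(2020, 6, 2),
    "corona-updates-live.com": date(2020, 5, 26),
}

# Constructed proxy log: timestamp, user, URL per line (not any vendor's real format).
SAMPLE_LOG = """\
2020-06-29T09:12:44Z alice http://covid19-mask-supplier.com/order/invoice.exe
2020-06-29T09:15:03Z bob https://example-news.org/coronavirus-live
2020-06-29T09:20:51Z carol https://thermometer-deals.net/catalog
2020-06-29T09:22:10Z dave https://corona-updates-live.com/setup.ps1
"""

def triage(line, today, registered=REGISTERED):
    """Classify one log line; returns the policy action and the reasons behind it."""
    ts, user, url = line.split()
    host = (urlsplit(url).hostname or "").lower()
    domain = ".".join(host.split(".")[-2:])      # simplified: last two labels
    reasons = []
    created = registered.get(domain)
    is_nrd = created is not None and today - created <= NRD_WINDOW
    if is_nrd:
        reasons.append(f"registered {(today - created).days} days ago")
    if any(term in domain for term in COVID_TERMS):   # the name itself, not the path
        reasons.append("coronavirus-themed domain name")
    ext = next((e for e in RISKY_EXTENSIONS if url.lower().endswith(e)), None)
    if ext:
        reasons.append(f"risky download type {ext}")
    # Block risky files from new domains; otherwise decrypt and log the new domain,
    # flag anything else suspicious for review, and allow the rest.
    action = ("block" if is_nrd and ext else "decrypt-and-log" if is_nrd
              else "review" if reasons else "allow")
    return {"time": ts, "user": user, "domain": domain, "action": action, "reasons": reasons}

def triage_log(text, today):
    return [triage(l, today) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG, REFERENCE_DAY):
        print(r["action"], r["user"], r["domain"], "; ".join(r["reasons"]))
```

Note that bob’s visit to a coronavirus news page on a long-established domain is allowed: the trigger is the domain’s age and name, not the topic of the page.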