Over the last four months, since the pandemic took hold of the global consciousness to the exclusion of nearly everything else, COVID-19-themed malware and phishing attacks have essentially followed the peaks and valleys of the crisis itself and have largely relied on existing infrastructure and previously seen malware tools, new data shows.
There have been countless individual spam, malware, and phishing campaigns since February that are tied in to the pandemic in one way or another, many of them using topics such as financial stimulus payments, vaccines, or testing programs as lures. The global nature of the pandemic has made it a concern for nearly everyone, something that is nearly unprecedented in the Internet era. That makes it a golden opportunity for cybercrime groups and they have not been shy about taking advantage of it, beginning in early January as the virus gained momentum in Asia and continuing ever since.
Data compiled by Microsoft from its defensive tools deployed around the world shows that attacks using COVID-19 as a hook began to accelerate quickly in early February when the World Health Organization named the virus and then peaked in early March, just after the first victim died in the United States. Among the early adopters of the pandemic as a theme in malware and phishing campaigns were the groups pushing the Lokibot and Emotet trojans, soon to be followed by the Trickbot actors. The attacks were first seen in China and the U.S., but quickly made their way around the globe.
“The rise in COVID-19 themed attacks closely mirrored the unfolding of the worldwide event. The point of contention was whether these attacks were new or repurposed threats. Looking through Microsoft’s broad threat intelligence on endpoints, email and data, identities, and apps, we concluded that this surge of COVID-19 themed attacks was really a repurposing from known attackers using existing infrastructure and malware with new lures,” Microsoft’s Threat Protection Intelligence Team said in a new analysis of the campaigns.
Although cybercrime groups were quick to exploit the pandemic for their own gain, the overall volume of COVID-themed malware and phishing attacks was relatively insignificant when compared to the total number of malware attacks. Cybercrime groups have the ability to change up their lures, targets, and payloads very quickly as circumstances dictate, but those changes typically are temporary.
“Malware campaigns, attack infrastructure, and phishing attacks all showed signs of this opportunistic behavior. As we documented previously, these cybercriminals even targeted key industries and individuals working to address the outbreak. These shifts were typical of the global threat landscape, but what was peculiar in this case was how the global nature and universal impact of the crisis made the cybercriminal’s work easier. They preyed on our concern, confusion, and desire for resolution,” Microsoft’s report says.
“After peaking in early March, COVID-19 themed attacks settled into a “new normal”. While these themed attacks are still higher than they were in early February and are likely to continue as long as COVID-19 persists, this pattern of changing lures prove to be outliers, and the vast majority of the threat landscape falls into typical phishing and identity compromise patterns.”
While the attacks using the pandemic as a lure have been worldwide, the specific methods of employing it have differed by country, as have the individual ups and downs of malware activity. In the U.S. there have been three separate peaks in activity, with the latest one coming in late May when the country passed 100,000 COVID-19 deaths just as some states began to loosen restrictions. Activity has fallen off significantly since then, though.