Microsoft’s Threat Protection Intelligence Team has published a report providing a detailed look into the proliferation of COVID-19-themed phishing over the past several months. The researchers found that the timing of these attacks was often correlated with local news stories, the better to capitalize on people’s fears when tensions were highest.
In the UK, for example, COVID-19-themed phishing attacks peaked when the US announced a travel ban to Europe. The country saw another spike in these attacks when Prime Minister Boris Johnson was moved to intensive care, but the attacks leveled off after Johnson was discharged from the hospital. South Korea saw a similar trend, with COVID-19 phishing peaking in May amid fears of a second wave of cases.
“Malware campaigns, attack infrastructure, and phishing attacks all showed signs of this opportunistic behavior,” the researchers write. “These shifts were typical of the global threat landscape, but what was peculiar in this case was how the global nature and universal impact of the crisis made the cybercriminal’s work easier. They preyed on our concern, confusion, and desire for resolution.”
Interestingly, the researchers present a graph showing that the global spike in COVID-19-themed phishing lures is “barely a blip” when viewed against the total number of phishing attempts during the same period. This indicates that cybercriminals continued operating as normal throughout the crisis, but modified some of their lures to exploit current events. The researchers explain that this strategy is consistent with how cybercriminals have always functioned.
“Cybercriminals are adaptable and always looking for the best and easiest ways to gain new victims,” the researchers write. “Commodity malware attacks, in particular, are looking for the biggest risk-versus-reward payouts. The industry sometimes focuses heavily on advanced attacks that exploit zero-day vulnerabilities, but every day the bigger risk for more people is being tricked into running unknown programs or Trojanized documents. Likewise, defenders adapt and drive up the cost of successful attacks. Starting in April, we observed defenders greatly increasing phishing awareness and training for their enterprises, raising the cost and complexity barrier for cybercriminals targeting their employees. These dynamics behave very much like economic models if you turn ‘sellers’ to ‘cybercriminals’ and ‘customers’ to ‘victims.’”
Microsoft concludes that organizations should invest in cross-domain signal analysis, patch management, and user education to ensure all their bases are covered. Attackers will always be shifting their tactics to overcome new security measures. New-school security awareness training can help your employees stay informed about the evolving threat landscape.