Check Point, a cybersecurity solutions provider, has recorded 192,000 coronavirus-related attacks per week over the past two weeks, 30% more than in previous weeks. All of the attacks used the coronavirus theme and were carried out from fake domains that mimic the sites of international organizations, as well as the site of the Zoom platform.
Hackers often use the name of the World Health Organization (WHO) to carry out their attacks. Recently, for example, cybercriminals sent a phishing mailing on behalf of WHO using the domain “who.int”. To attract the victim’s attention, the scammers used the subject line “Urgent letter from WHO: test results for the first vaccine from COVID-19”. A file named “Xerox_scan_covid-19_urgent information letter.xlxs.exe” was attached to the letter. When it was downloaded, Agent Tesla malware was automatically installed, which used a keylogger to steal passwords from user devices.
Check Point researchers also found phishing emails in which attackers, writing on behalf of the UN and WHO, asked recipients to send money to Bitcoin wallets.
Over the past three weeks, about 2,449 new Zoom domains have been registered, 1.5% of which are malicious (32) and 13% suspicious (320). Since January 2020, a total of 6,576 domains imitating the Zoom platform have been registered worldwide, of which 37% were registered in the last three weeks, after the announcement of the coronavirus pandemic.
Attackers also often use the names of the popular Microsoft Teams and Google Meet services to deceive people. Recently, users have received phishing emails with the subject line “You have been added to a team in Microsoft Teams”. Clicking the “Open Microsoft Teams” icon took victims to a malicious link that downloaded malware onto their device. The official Microsoft Teams link looks very different: https://teams.microsoft.com/l/team.
In addition, Check Point researchers discovered fake Google Meet domains, for example Googelmeets.com, which was registered on April 27, 2020.
Over the past three weeks, 19,749 new domains related to the theme of coronavirus have been registered, of which 2% are malicious (354) and another 15% are suspicious (2,961). Since the outbreak began, a total of 90,284 new domains associated with COVID-19 have been registered worldwide.
Check Point researchers have identified a correlation between the appearance of fake domains and the stages of the outbreak.
At the beginning of the pandemic, domains often contained live maps that tracked the spread of the virus across different regions. Sites describing the symptoms of coronavirus were also popular. Towards the end of March, attention shifted to the various types of assistance and payments being provided in several countries.
Then domains associated with life after the coronavirus, as well as domains offering information about a second wave of the epidemic, became widespread. Throughout the pandemic, domains associated with tests and vaccines have remained a persistent theme for attackers, and their total number continues to grow.
Experts advise users to beware of domains that resemble popular sites and to pay attention to spelling errors in emails or on websites.
Be careful with files received by e-mail from unknown senders, especially if opening them requires you to perform an action (following a link or opening an attachment to the letter).
When placing an order, make sure that you are using the official website. Do not click on links in emails. Instead, find the site you want yourself using your usual search engine.
Beware of “special offers.” Make sure that you use a different password for each application and each account, experts advise.
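
The advice above about lookalike domains and suspicious attachments can be partly automated on a mail gateway. The following is an added example, not code from Check Point: it flags domains that imitate a brand name and attachments whose real extension is executable, using the Googelmeets.com domain and the attachment name from this article as input. The brand list, the extension set and the function names are assumptions.

```python
# Assumed allowlist: brand keyword -> official domains for that brand.
BRANDS = {
    "zoom": {"zoom.us"},
    "google": {"google.com"},
    "microsoft": {"microsoft.com"},
}
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "js", "vbs"}  # assumed set


def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_brand(domain):
    """Return the brand a domain imitates, or None if official or unrelated."""
    domain = domain.lower().rstrip(".")
    for official in BRANDS.values():
        if any(domain == o or domain.endswith("." + o) for o in official):
            return None
    # Simplification: treat the label left of the TLD as the registered name.
    label = domain.split(".")[-2] if "." in domain else domain
    for brand in BRANDS:
        n = len(brand)
        fuzz = 1 if n >= 6 else 0  # short brands: exact substring only
        windows = {label[i:i + w] for w in (n - 1, n, n + 1)
                   for i in range(len(label) - w + 1)}
        if any(osa_distance(w, brand) <= fuzz for w in windows):
            return brand
    return None


def disguised_executable(filename):
    """True when an executable extension follows a document-like one."""
    parts = filename.lower().rsplit(".", 2)
    return (len(parts) == 3 and parts[2] in EXECUTABLE_EXT
            and parts[1].isalpha() and 3 <= len(parts[1]) <= 4)
```

Both checks are heuristics meant to route a message to review, not to block it outright; a production version would use the Public Suffix List to extract the registered name.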