Check Point Researchers document 192,000 coronavirus-related cyber attacks a week, citing impersonations of WHO, UN and Zoom
· More than a third (37%) of Zoom-like Domains were registered in the last three weeks alone, since advent of Coronavirus pandemic
· Hackers impersonate WHO to spread password stealing malware
· Theme of “Corona Cure” has largest number of domain registrations, compared to other themes: post corona, corona crisis and corona relief payments
In the past two weeks, Check Point researchers documented 192,000 coronavirus-related cyber attacks a week, marking a 30% increase when compared to previous weeks. As researchers unpack that number, they cite a key observation: impersonations.
Hackers Impersonate WHO and UN
The World Health Organization (WHO) is a popular name for hackers to impersonate. Recently, cyber criminals sent malicious emails posing as the WHO from the domain “http://who.int” with the email subject “Urgent letter from WHO: First human COVID-19 vaccine test/result update” to lure victims into a trap. The emails contained a file named “xerox_scan_covid-19_urgent information letter.xlxs.exe” that carried the infamous Agent Tesla malware, a password-stealing program that comes with a keylogger for hackers to gather usernames and passwords from a victim’s device. Victims who clicked on the file ended up downloading the malware.
In addition, Check Point researchers found two examples of extortion emails allegedly sent by the United Nations (UN) and WHO that requested that funds be sent to bitcoin wallets, as seen below:
Zoom-like Domain Registrations Heighten
In the last 3 weeks, around 2,449 new Zoom-related domains were registered, of which 1.5% are malicious (32) and 13% are suspicious (320). Since January 2020 to date, a total of 6,576 Zoom-like domains have been registered globally. If you do the math, this means that nearly 37% of Zoom-related domains were registered in the last 3 weeks alone, since the advent of the coronavirus pandemic.
Hackers Impersonate Microsoft Teams and Google Meet
Both Microsoft Teams and Google Meet are also being used to lure people into traps. Recently, victims fell prey to phishing emails that came with the subject “You have been added to a team in Microsoft Teams”. The emails contained a malicious URL, http://login\.microsoftonline.com-common-oauth2-eezylnrb\.medyacam\.com/common/oauth2/, and victims ended up downloading malware when clicking on the “Open Microsoft Teams” icon that led to this URL. The actual link for Microsoft Teams is “https://teams.microsoft.com/l/team”. Researchers also found fake Google Meet domains like “Googelmeets\.com”, which was first registered on April 27, 2020. The link did not lead victims to an actual Google website.
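The two lookalike patterns described above (a trusted name embedded in the hostname, and a misspelled brand) can be checked mechanically. The following Python sketch is an added example, not Check Point's tooling; the allow-list, the brand keywords and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list of genuine registrable domains (constructed for this example).
TRUSTED = ("microsoftonline.com", "microsoft.com", "google.com", "zoom.us")
# Assumed brand keywords that second-level labels are compared against.
BRANDS = ("microsoft", "google", "zoom")

def registrable(host):
    # Naive eTLD+1 (last two labels); production code should use the Public Suffix List.
    return ".".join(host.rstrip(".").split(".")[-2:])

def osa_distance(a, b):
    # Edit distance in which swapping two adjacent characters counts as one edit.
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1,
                          d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def classify(url):
    # Accept bare hostnames as well as full URLs; hostname is lower-cased by urlsplit.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    reg = registrable(host)
    if reg in TRUSTED:
        return ("trusted", reg)
    # A trusted name appears in the hostname, but the domain is registered elsewhere.
    for name in TRUSTED:
        if name in host:
            return ("embedded-brand", reg)
    # Slide each brand over the second-level label; long brands tolerate one edit.
    sld = reg.split(".")[0]
    for brand in BRANDS:
        limit = 1 if len(brand) >= 6 else 0
        for i in range(len(sld) - len(brand) + 1):
            if osa_distance(sld[i:i + len(brand)], brand) <= limit:
                return ("typosquat", brand)
    return ("unknown", reg)

# The two URLs and the domain quoted in the article, written without escapes.
SAMPLES = ["http://login.microsoftonline.com-common-oauth2-eezylnrb.medyacam.com/common/oauth2/",
           "https://teams.microsoft.com/l/team", "Googelmeets.com"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(sample))
```

The Teams lure is caught because the browser resolves the hostname from the right: everything before “medyacam.com” is a subdomain label chosen by the registrant.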
Coronavirus-related Domain Registrations Heighten
In the past three weeks, almost 20,000 (19,749) new coronavirus-related domains were registered, of which 2% are malicious (354) and another 15% are deemed suspicious (2,961).
Since the beginning of the outbreak, a total of 90,284 new coronavirus-related domains have been registered globally.
The Themes and Trends of Coronavirus-related Domain Registrations
As researchers analyzed the new coronavirus-related domains registered, they observed that the domains reflected the chronology of different stages of the pandemic outbreak.
1. At the beginning of the outbreak, domains related to live maps (tracking geographic areas that saw a rise in coronavirus cases) were very common, as well as domains related to coronavirus symptoms.
2. Towards the end of March, the focus shifted to relief packages and stimulus payments due to the economic plans executed by several countries.
3. Then, domains related to life after the coronavirus became more common, as well as domains about a possible second wave of the virus.
4. Along the entire pandemic timeframe, domains related to test kits and vaccines remain very common, with slight increases as time goes on.
Check Point’s Manager of Data Intelligence, Omer Dembinsky:
“We’ve noticed a change in the last three weeks. Hackers have gone into over-drive to take advantage of the coronavirus pandemic. If you unpack these latest cyber attacks, the theme of impersonation is a clear and strong one, especially around the WHO, the UN and Zoom. For example, the number of Zoom-like domain registrations in the past three weeks alone is staggering. More than ever, it is important to beware of lookalike domains and to be extra cautious of unknown senders.”
How to Stay Protected
To stay safe, Check Point outlines the following guidelines:
1. Beware of lookalike domains. Watch for spelling errors in emails or websites, and unfamiliar email senders.
2. Beware of unknown senders. Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
3. Use authentic sources. Ensure you are ordering goods from an authentic source. One way to do this is to NOT click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
4. Beware of “special” offers. “An exclusive cure for coronavirus for $150” is usually not a reliable or trustworthy purchase opportunity. At this point of time there is no cure for the coronavirus and even if there was, it definitely would not be offered to you via an email.
5. Do not reuse passwords. Make sure you do not reuse passwords between different applications and accounts.