The COVID-19 pandemic has given cybercriminals a golden opportunity to make money. With the world focused on little other than the response to the pandemic, and with people craving information about the virus, it is not surprising that standard phishing lures have been abandoned in favor of COVID-19 themed lures.
COVID-19 and coronavirus themed domains have been purchased in the tens of thousands and are being used for phishing, malware distribution, and a variety of scams such as obtaining donations to fake charities. Figures released by the Palo Alto Networks Unit 42 team for the period of February to March show there has been an average daily increase of new COVID-19 related domains of 656%, a 569% increase in the number of malicious COVID-19 domains, and a 788% increase in new high-risk domains.
Several domain registrars have started taking steps to combat coronavirus and COVID-19 related fraud and some, such as Namecheap, are now preventing the registration of new domains related to COVID-19. Domain registrars are flagging these new domains for investigation, but that is a manual review process that takes time. In the meantime, the domains are being set up and used for convincing scams.
One malicious campaign uncovered in the past few days uses COVID-19 themed domains to distribute the Grandoreiro banking Trojan. The websites host videos that promise important information about SARS-CoV-2 and COVID-19. When a visitor clicks on the video, a file download is triggered and the user is told to run the installer to view the video content; the installer instead delivers the banking Trojan. Grandoreiro has previously been delivered via spam email, but the threat group behind the malware has switched tactics in response to the pandemic and moved to web-based delivery.
There have been many similar campaigns created using malicious COVID-19 domains to deliver a slew of malware variants such as keyloggers, information stealers, cryptocurrency miners, and other Trojans.
Lockdown has left people with a lot of time on their hands and outdoor activities have been swapped for more TV time. It is no surprise that movie piracy sites have seen a huge surge in traffic and malware distributors are taking advantage and are bundling malware with pirated video files and using fake movie torrents to deliver malware.
An investigation by Microsoft identified a campaign that uses a VBScript packaged into ZIP files that claim to be pirated movie files. The campaign was being conducted to deliver a coin miner that runs in memory, with living-off-the-land binaries also used to download other malicious payloads.
These campaigns often have a phishing component, with emails sent to drive traffic to these malicious websites. An advanced spam filtering solution can help to block the email component of these campaigns, but businesses should also consider an additional layer to their security defenses to block the web-based component of these attacks and prevent their remote employees from visiting malicious COVID-19 domains. That protection can be provided by a DNS filtering solution such as WebTitan Cloud.
WebTitan Cloud filters out malicious websites at the DNS lookup stage of a web access request. When a user attempts to visit a website, instead of the standard DNS lookup to find the IP address of a website, the request is sent through WebTitan. If an attempt is made to visit a malicious domain, the request will be blocked and the user will be directed to a local block page. WebTitan can also be configured to block certain file downloads and filter the internet by category, such as blocking P2P file-sharing and torrents sites to provide additional protection against malware and the installation of shadow IT.
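To make the DNS-filtering mechanism concrete, the following is an added illustration written for this article, not WebTitan's code. It shows the core of any DNS-layer filter: the resolver parses the question from an incoming query, checks the name (and every parent domain) against a blocklist, and for a blocked name answers with the address of a local block page instead of the real one; for an allowed name it returns None, meaning the query should be forwarded to the normal upstream resolver. The blocklist entries and the block-page address 10.0.0.53 are constructed for the example.

```python
"""Minimal DNS-filtering resolver logic (added example, not WebTitan's implementation)."""
import struct

# Constructed blocklist for the example; a real service would use a curated threat feed.
BLOCKLIST = {"covid19-relief-funds.example", "torrents.example"}
BLOCK_PAGE_IP = "10.0.0.53"   # assumed address of the local block page
QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode labels at offset; returns (name, offset after the name).
    Queries do not use name compression, so pointers are not handled here."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a standard A query, as a client's stub resolver would send it."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, 1)


def parse_question(packet: bytes):
    """Return (id, lower-cased name, qtype, offset where the question section ends)."""
    qid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return qid, name.lower(), qtype, off + 4


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """Match the name and each parent domain, so cdn.bad.example is caught by bad.example."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def filter_query(packet: bytes):
    """Return a block-page response for blocked names, or None meaning 'forward upstream'."""
    qid, name, qtype, qend = parse_question(packet)
    if not is_blocked(name):
        return None
    question = packet[12:qend]
    if qtype == QTYPE_A:
        # Answer: pointer to the name at offset 12 (0xC00C), type A, class IN,
        # TTL 0 so the substitution is never cached, RDLENGTH 4, then the block-page IP.
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 0, 4) + bytes(
            int(o) for o in BLOCK_PAGE_IP.split("."))
        header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    else:
        # Other record types for a blocked name get an empty NOERROR answer.
        answer = b""
        header = struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0)
    return header + question + answer


def answer_ip(response: bytes) -> str:
    """Extract the A record address from a filter_query response."""
    _, _, _, qend = parse_question(response)
    rdata = response[qend + 12:qend + 16]  # skip 12-byte RR header
    return ".".join(str(b) for b in rdata)


if __name__ == "__main__":
    for host in ("videos.covid19-relief-funds.example", "www.python.org"):
        resp = filter_query(build_query(host))
        print(host, "->", "forward upstream" if resp is None else answer_ip(resp))
```

Two points the example makes visible: the TTL of the substituted record is zero, so the client does not cache the block-page address after the domain is later removed from the blocklist, and the match walks every parent domain, which is why a freshly registered subdomain of a known-bad domain is caught without a new entry. The mechanism only sees names, so a client that is pointed at a different resolver, uses DNS over HTTPS to bypass the corporate resolver, or connects to a raw IP address is not filtered; that is why the article pairs DNS filtering with spam filtering rather than presenting it as the only layer.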
WebTitan Cloud can be quickly set up remotely by sysadmins to protect all workers on and off the network with no clients required, which makes it an ideal solution during the COVID-19 pandemic for protecting remote workers.
For further information on protecting your organization and remote employees from web-based attacks, to register for a free trial of WebTitan, and for details of pricing, give the TitanHQ team a call today.