COVID-19-Themed Phishing Campaigns DiminishMicrosoft: Even at Peak, Pandemic Themes Used in Small Percentage of Fraud Campaigns
The surge in phishing campaigns and other types of fraud using COVID-19 themes has diminished in recent weeks, according to the Microsoft Threat Protection Intelligence Team, which asserts in a new report that such campaigns were never a dominant threat.
See Also: Splunk Security Predictions 2021
The Microsoft researchers found that despite the sudden and substantial increase in fraud campaigns that used the COVID-19 pandemic as a lure, these types of malicious campaigns accounted for only a small percentage of the overall threats observed over the last four months.
Analyzing online fraud trends since February, Microsoft researchers found that cybercriminals and fraudsters first started using COVID-19 as a theme in their malicious campaigns after the World Health Organization declared the outbreak as a global health emergency on Feb. 11.
These COVID-19 themed campaigns then saw an eleven-fold rise in the week following the WHO declaration. But such attacks still accounted for less than 2% of all cyberattacks Microsoft observed each month.
"Cybercriminals adapt their tactics to take advantage of local events that are more likely to lure victims to their schemes. Those lures change quickly and fluidly while the underlying malware threats remain," the Microsoft researchers note.
Correlation to Local News
As people around the world tried to learn more about the pandemic in February and March, fraudsters actively exploited the situation. The Microsoft report notes that COVID-19-themed attacks reached a peak globally in the first two weeks of March, coinciding with governments introducing travel restrictions and other measures to stop the spread of the virus.
Cybercriminals and fraudsters are always looking for new and easy ways to gain victims, and targeting key industries is typical of the global threat landscape, according to the report. Microsoft adds that "what was peculiar in this case was how the global nature and universal impact of the crisis made the cybercriminal’s work easier."
Fraudsters also took advantage of the situation by tailoring lures to the location of their targets, mimicking the developments in their area, according to the report (see: Phishing Campaigns Tied to Coronavirus Persist).
For example, the U.K. saw a rise in attacks around the time the nation reported its first death from the virus, then again when the Financial Times Stock Exchange 100 Index, or "Footsie," crashed on March 9. A third spike happened when the U.S. announced a travel ban to Europe, according to the report (see: US, UK Authorities Crack Down on Suspicious COVID-19 Domains).
U.K. attacks also rose considerably in the second week of April, when there was extensive media coverage on the pandemic, with Queen Elizabeth II making a rare televised address and Prime Minister Boris Johnson being treated in an intensive care unit after testing positive for COVID-19, Microsoft notes.
In the U.S., COVID-19 themed attacks rose at the end of February, coinciding with the first reported death due to the virus, and reached a peak in mid-March, at the time of the international travel ban, according to the report. Other campaigns saw a drop in volume as countries began to recover from the pandemic.
Malicious campaigns targeting citizens of the South Korea did not follow the global patterns, according to the report. Themed-attacks rose in early March, but instead of reducing as the country lifted restrictions, they seemed to increase, reaching a peak on May 23, the report notes.
Not Gone, Yet
The Microsoft report, however, says that these themed attacks are likely to continue as long as COVID-19 persists.
Sherrod DeGrippo, senior director of threat research and detection at security firm Proofpoint, tells Information Security Media Group that the company also has observed that fraudsters have decreased their use of COVID-19 themes over the last several weeks, shifting to other lures.
In campaigns that still leverage COVID-19, she says: "Threat actors are using more specific COVID-19 language around layoffs, furloughs and payouts to make their attacks tailored to current events."
Proofpoint found that fake landing pages attached to pandemic-themed phishing campaigns were heavily deployed in March, but the use of these landing pages began to drop off in April (see: Spoofed Website Templates Help Spread COVID-19 Scams: Report).
Managing Editor Scott Ferguson contributed to this report.