Phishing in The Time of Pandemic

Introduction

The pandemic has put people on alert. Google Trends indicates that searches for COVID-19-related keywords have been increasing dramatically during the past few months. Numerous news stories and discussions have emerged on social media about how threat actors capitalize on people’s fear of the pandemic [1].

Cybersecurity researchers have been using newly registered domains (NRDs) as an indicator to study the emerging threat of cyber attacks. Organizations such as Cyberthreat Coalition have been releasing blocklists of NRDs containing COVID-19-related keywords [2].

Since February 2020, we have seen reports that COVID-19 has been adopted as a novel theme in phishing attacks [3] [4]. Reports have shown that, much like the Google search trend for pandemic keywords, the number of COVID-19-related NRDs also surged in the past two months (see Figure 1). While the increase in NRDs is easy to notice, it is challenging to understand how many of these NRDs were converted into novel phishing campaigns.

Figure 1. Google Search Trend for COVID-19-related keywords in the past 12 months.

Our research had three goals:

Task 1: Analyze COVID-19-related NRDs.

  • Research question: How “useful” are those feeds? How good are they as an indicator of emerging threats?

Task 2: Find novel phishing campaigns targeting the COVID-19 theme.

  • Research question: Have attackers adjusted web phishing to exploit the pandemic? Are there COVID-19-specific targets?

Task 3: Analyze all “in-the-wild” phishing campaigns.

  • Research question: COVID-19 aside, what does the phishing threat landscape look like during the pandemic in hard numbers?

Throughout this blog post, we will try to answer the indicated questions.

COVID-19 NRD Feeds

Organizations such as Cyberthreat Coalition and PhishLabs are providing data feeds of COVID-19-related NRDs. These feeds are important because they form a first line of defense when researchers do not have the time and resources to look at potentially new phishing threats.

We collected in total 6,200 NRDs from the feeds of three different organizations – Cyberthreat Coalition, PhishLabs, and the Cybersecurity and Infrastructure Security Agency (CISA). The providers verified that all of these NRDs are related to COVID-19. We analyzed these feeds to evaluate their efficiency as blacklists. Specifically, we wanted to understand how many of these NRDs could form an actual threat on the Internet and how many are simply reserved domains waiting for content to be filled in.

We went through these URLs and put each into one of three categories – non-active domain, phishing domain, and others (see Figure 2). The biggest category is the non-active domains. These are domains that show a blank page, an error message, or a default placeholder from the hosting provider or domain registrar (for example, see Figure 3). Such domains may have been registered for malicious purposes but were either taken down or never put into action.

Figure 2. Distribution of NRDs collected from third party feeds.
Figure 3. Non-active domain “coronavirusvictims.info”.

The second biggest category, which accounts for 13.5% of all the NRDs we analyzed, is domains that sit in the “gray” zone. These are domains that lead to a website selling essential goods for the pandemic (see Figure 4), or dubious cures for the coronavirus. They are not 100% benign, as many of them sit on the boundary between retail and scam, but they are certainly not part of a phishing campaign.

Figure 4. Web page of a small retailer site selling face masks.

Actual phishing domains account for only 2.4% of these NRDs. And to our surprise, many of these phishing domains carry the same content that we had been aware of long before the pandemic. Very few of them lead to novel phishing campaigns that exploit coronavirus fears.

Phishing in Pandemic Times

Due to the large amount of noise in NRD feeds, we could not extract useful information about actual phishing activities. We tracked all URLs reported by our telemetry that contain a COVID-19 keyword and clustered them based on image similarity. From these clusters of URLs, we can easily identify which ones are useful to our research – such as pages containing a login form – and which ones are not.
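As an added example (not Lastline’s code) of the two steps in this paragraph, the block below filters telemetry URLs for COVID-19 keywords and clusters page screenshots by image similarity. The post does not name its similarity measure or its keyword list, so the difference hash (dHash), the keyword tuple and the tiny sample screenshots are all assumptions.

```python
from typing import Dict, List, Sequence

# Assumed keyword list; the post does not enumerate the keywords it matched.
COVID_KEYWORDS = ("covid", "corona", "pandemic")
Grid = Sequence[Sequence[int]]  # grayscale screenshot, 8 rows x 9 columns

def has_covid_keyword(url: str) -> bool:
    """True if a COVID keyword appears anywhere in the URL (host or path)."""
    return any(k in url.lower() for k in COVID_KEYWORDS)

def dhash(gray: Grid) -> int:
    """Difference hash: one bit per horizontally adjacent pixel pair (64 bits for 8x9)."""
    bits = 0
    for row in gray:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (1 if left > right else 0)
    return bits

def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def cluster_by_image(shots: Dict[str, Grid], max_dist: int = 6) -> List[List[str]]:
    """Greedy clustering: a URL joins the first cluster whose representative
    hash is within max_dist bits of its own, otherwise it starts a new one."""
    clusters: List[List[str]] = []
    reps: List[int] = []
    for url, img in shots.items():
        h = dhash(img)
        for i, rep in enumerate(reps):
            if hamming(h, rep) <= max_dist:
                clusters[i].append(url)
                break
        else:
            clusters.append([url])
            reps.append(h)
    return clusters

def _grid(pixel) -> Grid:
    """Build an 8x9 grayscale grid from a pixel(row, col) function."""
    return [[pixel(r, c) for c in range(9)] for r in range(8)]

# Constructed sample screenshots (not real captures): the first two share a layout
# (brightness falling left to right) and differ in two pixels; the third is a
# blank placeholder page like the non-active NRDs described in the post.
SAMPLE_SHOTS: Dict[str, Grid] = {
    "http://bank-login.example/covid-notice": _grid(lambda r, c: 200 - 20 * c),
    "http://secure-bank.example/corona/login": _grid(lambda r, c: 200 - 20 * c + (40 if (r, c) in ((3, 4), (5, 2)) else 0)),
    "http://coronavirusvictims.example/": _grid(lambda r, c: 255),
}
```

With the sample data, the two bank pages land in one cluster (their hashes differ by 2 bits) and the blank placeholder forms its own, which is the separation the text relies on to pick out clusters worth looking at.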

After analysis we identified three main groups of malicious web pages containing COVID-19-related keywords:

  1. Regular phishing websites that existed before the pandemic started, but whose “look” was updated to reflect changes in the websites they imitate. For example, a lot of banks added disclaimers and notifications related to COVID-19 on their websites. So by copying the latest “look” of legitimate websites, phishing websites also start to contain COVID-19-related keywords. It is important to note that in this case the keywords do not serve any special purpose, but merely appear on phishing websites because they exist on the legitimate ones being mimicked.
  2. Regular phishing websites that use COVID-19-related keywords in the URL as clickbait. The content of the website is not related to COVID-19 and it still imitates the same legitimate website as before the pandemic, but the keywords in the URL are there to catch attention.
  3. Novel phishing websites which were specifically designed to imitate COVID-19-related content. Examples of such websites are phishing pages targeting the World Health Organization (WHO) or the Canada Revenue Agency landing page for COVID-19-related loan programs.

Novel Covid-19 themed campaigns

Number of URLs found from 2020-02-03 to 2020-05-04: 795

To focus on the unseen phishing campaigns, we removed all clusters of URLs associated with regular phishing campaigns that we have been monitoring since before the pandemic started. We also took out common phishing pages that have a COVID-19 disclaimer but do not use the COVID-19 theme as a phishing lure – while they do indicate attackers are adapting, they do not provide any value in terms of understanding what potentially new phishing campaigns are being developed.

Figure 5. Covid-19-themed phishing campaigns: February to May 2020.

Out of nearly 300,000 phishing URLs, we were able to identify four (4) phishing campaigns with content specifically crafted to use the COVID-19 theme (see Figure 5). The numbers are unexpectedly low as compared to the most popular regular phishing campaigns observed during the same time frame (see section below).

From February 3rd to May 4th, we observed only 795 URLs from the novel COVID-19 phishing campaigns. The number of URLs detected as novel COVID-19 phishing reached a peak during the second week of April. But this did not last long – overall, COVID-19-themed phishing web pages are disappearing quickly, from 291 URLs in the week of April 6th to only 17 URLs in the week of May 4th.

Figures 6 and 7 show examples of such campaigns: WHO and Canada Revenue Agency are the targets.

Figure 6. Phishing page targeting WHO.
Figure 7. Phishing page targeting Canada Revenue Agency.

Covid-19 keywords as clickbait in phishing campaigns

Number of URLs found from Feb 3, 2020 to May 4, 2020: 1,272

To bait users into clicking a certain URL, attackers can include COVID-19-related keywords in any part of the URL. Therefore, looking at NRDs alone is not enough to understand the threat landscape. We extracted all URLs that contained COVID-19 keywords from our telemetry, and kept those that were found malicious at the time of analysis. The result surprisingly coincided with what we found in the analysis of NRD feeds. As plotted in Figure 8, very few URLs that contained COVID-19 keywords were actually used in a phishing campaign.

Figure 8. Overall Phishing URLs vs. Malicious “COVID” URLs: February to May 2020.

Similar to the trend observed in novel COVID-19 phishing campaigns, the number of COVID-19 clickbait URLs reached its peak during the second week of April and quickly declined (see Figure 9).

Figure 9. Malicious URLs with COVID-19-related keywords: February to May 2020.

Overall phishing campaigns

Number of URLs found from Feb 3, 2020 to May 4, 2020: 245,059

Overall, we found 245,059 phishing URLs from February to May. In terms of size, regular phishing campaigns are larger than the novel COVID-19 phishing campaigns by two orders of magnitude. The growth rate of overall phishing campaigns also differs a lot from that of the novel COVID-19 phishing campaigns. We plotted the 10 most popular phishing campaigns as well as the overall number in Figure 10. The numbers have been steadily increasing since early March and peaked in early April. Although some major phishing campaigns saw a slight decline after April 6th, the overall number did not drop significantly.

Figure 10. Overall phishing campaigns, including cumulative total for the top 10 and the volume of each individual campaign: February to May 2020.

We also extracted the distribution of URLs among the 40 most popular phishing targets from February to May 2020 (see Figure 11). As expected, the majority of these targets showed no direct connection with COVID-19, and have been monitored by us as popular phishing targets from before the pandemic. It is clear that COVID-19 did not dramatically change how attackers choose their targets.

Figure 11. Number of unique URLs detected from February to May 2020 for the 40 most popular phishing targets.

While the novel COVID-19 phishing campaigns are much smaller in size than the regular ones, both indicated a sudden increase in volume from late March to early April. This could indicate that while attackers show little interest in developing new campaigns using the COVID-19 theme, they increased their push behind existing campaigns (for example, see Figures 12 and 13), which are spreading much faster than before thanks to the pandemic.

Figure 12. Phishing page targeting Chase bank.
Figure 13. Phishing page targeting Bank of America.

Conclusion

Using the NRD feeds might be a good way to understand the trend of emerging threats and quickly deploy a first line of defense. However, these NRD feeds are not efficient indicators of phishing campaigns. Specifically, they do not explain the conversion rate from NRD to actual phishing websites.

While attackers exploit the fears surrounding COVID-19, there is not enough evidence suggesting that new phishing campaigns were developed as fast as COVID-19-related domains were registered. As indicated by our analysis of COVID-19 themed phishing, very few novel campaigns surrounding COVID-19 have been developed and put in the wild. The novel campaigns are proportionally smaller than their regular counterparts and are much more short-lived.

In the meantime, existing phishing campaigns are taking the opportunity to expand. The total number of phishing URLs has been steadily increasing during the time of pandemic. As of early May the overall number had doubled since February. This could indicate that while attackers showed less interest in developing new phishing campaigns, they did grasp the pandemic as an opportunity to push existing campaigns harder than before.


[1] https://twitter.com/search?q=COVID%20phishing&src=typed_query
[2] https://www.cyberthreatcoalition.org/blocklist
[3] https://info.phishlabs.com/blog/covid-phishing-update-campaigns-addressing-a-cure
[4] https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/

Rongxuan Liu

Rongxuan is a software engineer from the Anti-Malware Group at Lastline. At Lastline, Rongxuan designs and develops systems that detect malicious webpages, phishing URLs, and malicious JavaScripts. Prior to Lastline, Rongxuan studied at Northeastern University Khoury College of Computer Sciences where he graduated with a master's degree.

Tobias Jarmuzek

Tobias Jarmuzek is a software engineer for Lastline’s anti-malware group, focusing on the detection of web threats. Before his more than four years at Lastline, Tobias worked as a research assistant at the SecLab at the University of California, Santa Barbara, and at the Chair of IT-Security at RWTH Aachen University, where he graduated with a master’s degree.

Roman Vasilenko

Roman Vasilenko leads engineering for Lastline’s anti-malware group, which is responsible for the development of AI-based threat analysis and detection, including a next-generation Automated Malware Analysis system that incorporates the benefits of a full-system emulator and a hypervisor. Prior to Lastline, Roman was a Senior Research Developer at Kaspersky Lab, where he designed and developed advanced algorithms for malware detection. Roman has also been a Senior Lecturer at Saint Petersburg State University, Department of Mathematics & Mechanics, where he taught malware research. Roman holds a Master’s in Information Security from the National Research University of Information Technologies, Mechanics and Optics.