As the world comes to grips with the coronavirus pandemic, the situation has proven to be a blessing in disguise for threat actors, who’ve taken advantage of the opportunity to target victims with scams or malware campaigns.
Now, according to a new report published by Check Point Research, hackers are exploiting the COVID-19 outbreak to spread their own infections, including by registering malicious coronavirus-related domains and selling discounted off-the-shelf malware on the dark web.
“Special offers by different hackers promoting their ‘goods’ — usually malicious malware or exploit tools — are being sold over the darknet under special offers with ‘COVID19’ or ‘coronavirus’ as discount codes, targeting wannabe cyber-attackers,” the cybersecurity firm said.
COVID-19 Discounts: Exploit Tools for Sale
The report comes following an uptick in the number of malicious coronavirus-related domains that have been registered since the start of January.
“In the past three weeks alone (since the end of February 2020), we have noticed a huge increase in the number of domains registered — the average number of new domains is almost 10 times more than the average number found in previous weeks,” the researchers said. “0.8 percent of these domains were found to be malicious (93 websites), and another 19 percent were found to be suspicious (more than 2,200 websites).”
Some of the tools available for purchase at a discounted price include “WinDefender bypass” and “Build to bypass email and chrome security.”
Another hacking group, which goes by the moniker “SSHacker,” is offering to hack into Facebook accounts at a 15 percent discount with the “COVID-19” promo code.
What’s more, a seller that goes by the name of “True Mac” is selling a 2019 MacBook Air model for a mere $390 as a “corona special offer.” It goes without saying the offer is a scam.
A Long List of Coronavirus-Themed Attacks
The latest development adds to a long list of cyberattacks against hospitals and testing centers, phishing campaigns that distribute malware such as AZORult, Emotet, Nanocore RAT and TrickBot via malicious links and attachments, and malware and ransomware attacks that aim to profit off the global health concern.
- APT36, a Pakistani state-sponsored threat actor that targets India's defense, embassies, and government, was found running a spear-phishing campaign using coronavirus-themed document baits that masqueraded as health advisories to deploy the Crimson Remote Administration Tool (RAT) onto target systems.
- Researchers from security firm IssueMakersLab uncovered a malware campaign launched by North Korean hackers that used boobytrapped documents detailing South Korea’s response to the COVID-19 epidemic as a lure to drop BabyShark malware. Recorded Future observed, “at least three cases where reference to COVID-19 has been leveraged by possible nation-state actors.”
- A COVID-19-themed malspam campaign targeted the manufacturing, industrial, finance, transportation, pharmaceutical, and cosmetic industries via Microsoft Word documents that exploit a two-and-a-half-year-old Microsoft Office bug in Equation Editor to install AZORult malware. The AZORult info stealer has also been distributed using a fraudulent version of the Johns Hopkins Coronavirus Map in the form of a malicious executable.
- A fake real-time coronavirus tracking Android app, called “COVID19 Tracker,” was found to abuse user permissions to change the phone’s lock screen password and install CovidLock ransomware, which demands a $100 bitcoin ransom.
- Another phishing attack, uncovered by Abnormal Security, targeted students and university staff with bogus emails in a bid to steal their Office 365 credentials by redirecting unsuspecting victims to a fake Office 365 login page.
- Comment-spamming attacks on websites posted links to a seemingly innocuous coronavirus information website that instead redirected users to dubious drug-selling businesses.
- Aside from malware-laden spam emails, F-Secure researchers have observed a new spam campaign that aims to capitalize on the widespread mask shortage to trick recipients into paying for masks, only to send them nothing.
Staying Secure in the Time of COVID-19
It’s amply clear that these attacks exploit coronavirus fears and people’s hunger for information about the outbreak. Given the impact on the security of businesses and individuals alike, it’s essential to avoid falling victim to online scams and practice good digital hygiene:
- Businesses should ensure that secure remote access technologies are in place and configured correctly, including the use of multi-factor authentication, so that employees can conduct business just as securely from home.
- Individuals should keep away from using unauthorized personal devices for work, and ensure “personal devices will need to have the same level of security as a company-owned device, and you will also need to consider the privacy implications of employee-owned devices connecting to a business network.”
- Watch out for emails and files received from unknown senders. Most importantly, check a sender’s email address for authenticity, don’t open unknown attachments or click on suspicious links, and avoid emails that ask you to share sensitive data such as account passwords or bank information.
- Use trusted sources, such as legitimate government websites, for up-to-date, fact-based information about COVID-19.
Lakshmanan, Ravie. (18 March 2020). Hackers Created Thousands of Coronavirus (COVID-19) Related Sites As Bait. The Hacker News.