Investigate | COVID-19 Cybercrime Weekly Update

At the request of our customers, on March 9th RiskIQ's team of trained intelligence analysts began compiling disparate data and intelligence related to COVID-19 into comprehensive reports. Each report combines major updates around COVID-19 and its impacts on cities, neighborhoods, schools, and businesses with essential cybercrime data that helps raise the situational awareness of both physical and cybersecurity teams.

Purpose

This intelligence will help inform the decisions of security teams, who face new requirements during these unprecedented times. Here, RiskIQ strives to provide the security community with a single source of factual reporting and informed analysis to help it discover unknowns about its environment and investigate threats.

6/18/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Weekly Report - 6/18

  • According to a new report from Microsoft, COVID-19-themed cyber attacks spiked to nearly a million a day during the first week of March. However, just a week later, they’d fallen off by around 30% and by April, attacks leveraging the COVID-19 crisis dropped below 100,000 per day. The report notes that pandemic-themed attacks have settled significantly, but are likely to continue as long as the virus persists.
  • A hacking group known as Vendetta has been posing as Taiwan’s top infectious-disease official in an attempt to steal sensitive data from Taiwanese users. The hackers sent meticulously written spear phishing emails to a select group of targets, which may have included Taiwan’s Centers for Disease Control employees, urging recipients to get coronavirus tests. These emails contained a remote access hacking tool. Though new to the scene—Vendetta only surfaced in the last two months—the group is adept at impersonating authorities in multiple languages and has posed as agency officials in Australia, Austria, and Romania in attempts to install remote access tools on victim machines. Researchers believe the group primarily targets government intelligence, with only limited targeting of business intelligence.
  • Mass layoffs due to the COVID-19 pandemic have encouraged an exodus of corporate data. Insider threat firm Code42 claims it's seen a massive spike in exfiltrated data during this time. The sheer volume of pandemic-related layoffs poses a challenge to security professionals, often compacting a year or more of typical attrition into the space of a single day. Code42’s Joe Payne said his company has seen so much data moving following layoffs that it has had to adapt its technology to highlight particularly egregious behavior from more numerous and innocuous data transfers.
  • Public concern and confusion surrounding the COVID-19 pandemic offered an array of opportunities for scammers. A recent survey conducted by senior services company Provision Living showed that nearly a quarter of Americans have experienced an increase in robocalls since COVID-19 and 1 in 5 people have received a robocall about COVID-19. A separate survey from the legal charity Citizens Advice showed that nearly one-third of Britons have been contacted by scammers since the start of the coronavirus pandemic. The results also demonstrated that certain groups are at a higher risk of being targeted by COVID-19-related scams; 54% of people facing loss of income due to the pandemic and 45% of people with long-term illnesses or disabilities said they were recently targeted by scams.
  • One of the first national coronavirus contact-tracing apps launched in Europe has been suspended in Norway after the country’s data protection authority raised concerns that the software poses a disproportionate threat to user privacy by continuously uploading people’s location.
  • Similarly, Amnesty International is warning that contact-tracing apps worldwide are infringing on privacy, with Bahrain and Kuwait as the worst offenders. Bahrain’s BeAware Bahrain app has been sharing data with a national television show called Are you at Home? and participation was initially mandatory. According to Amnesty, both Bahrain’s app and Kuwait’s Shlonik app have been actively enabling live or near-live tracking of users’ locations by frequently uploading GPS coordinates to a central server.
  • U.S. lawmakers are promoting new bills in response to the huge spike in cyberattacks against the financial sector during the COVID-19 pandemic. During a hearing on 16 June, U.S. House Financial Services subcommittee members proposed bills to help cut down on business email compromise (BEC) scams, require depository institutions (such as banks and credit unions) to develop guidance to educate customers on how to avoid financial scams, give funds to states to protect senior citizens from malicious hackers, and establish a restitution fund to help victims of coronavirus-related fraud. These proposals come on the heels of a measure introduced last week to move the Secret Service back to the Treasury Department to help address cyber financial fraud.

-----------

6/12/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Weekly Report - 6/12

  • IBM X-Force Incident Response and Intelligence Services uncovered a COVID-19-related phishing campaign targeting a German task force established to procure personal protective equipment. According to Security Intelligence reporting on 6/8/2020, the threat actors targeted more than 100 high-ranking executives within this organization. Given the extensive targeting observed, it’s likely that additional members of the task force could be targeted.
  • A senior US Secret Service official estimates $30 billion in stimulus funds will be stolen through COVID-19 scams. The official informed The Hill on 6/9/2020 that much of this theft is occurring online, such as through cybercriminals targeting Americans with malicious coronavirus-related phishing emails, or through cyberattacks directed at the insecure networks of those working from home. The Secret Service has taken steps to counter these scams and has prevented around $1 billion from being lost to malicious actors.
  • The FBI on 6/10/2020 warned that malicious cyber actors were targeting mobile banking apps in an attempt to steal money as more Americans have moved to online banking during the coronavirus pandemic, according to The Hill reporting. In a public service announcement, the FBI noted it expects to see hackers “exploit” mobile banking platforms, which have seen a 50 percent surge in use since the beginning of the pandemic.
  • Similarly, in the UK, business owners with Microsoft Office 365 accounts are being targeted in a phishing campaign that uses bait emails designed to look like legitimate Small Business Grants Fund (SGF) relief payment messages from the government. According to BleepingComputer reporting, these highly targeted phishing attacks have so far delivered emails that have landed in the mailboxes of up to 5,000 potential victims.
  • Threat actors are distributing fake Android applications themed around official government COVID-19 contact tracing apps. Anomali Threat Research reported on 6/10/2020 that they identified multiple applications that contain malware, primarily Anubis and SpyNote, and other generic malware families. These apps, once installed on a device, are designed to download and install malware to monitor infected devices, and to steal banking information.
  • FortiGuard Labs has seen a substantial increase in viruses over the last quarter, with March seeing a 131 percent increase. According to ThreatPost reporting, many of these viruses are included in a related spike in malicious phishing attachments. While the attacks begin with phishing, the goal is to steal the end user’s personal information, or target businesses through their new teleworkers. Remote Desktop Protocol attacks are also on the rise which means that hackers are likely looking for hastily erected IT infrastructures intended to enable remote work.

-----------

6/5/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Weekly Report - 6/5

  • In an interview this week, Christopher Krebs, the director of the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), said that he expects to see “every intelligence service” attempt to target and steal COVID-19 research and data. This statement broadened the CISA and FBI joint warning last month about Chinese-backed hackers targeting U.S. organizations working to develop vaccines for the virus. Krebs added that “the Chinese have obviously been one of the more brazen in terms of their approach, but others are in the game, too...This is a very active space, very active space.”
  • Cybercriminals are taking advantage of the massive uptick in unemployment across the U.S. in a recent spear-phishing campaign that purports to deliver resumes sent from job-seekers but actually spreads banking credential-stealing malware. The emails’ attachments contain Zloader, a banking malware designed to steal credentials and other private information from users of targeted financial institutions. However, the malware can also steal passwords and cookies stored in the victim’s web browsers.
  • This week, the U.S. Cyberspace Solarium Commission issued a white paper on lessons learned about cybersecurity from the COVID-19 pandemic. The document points out similarities between a pandemic and a major cyberattack—most notably that prevention and pre-established relationships are cheaper and more effective than detection and response. Further, the paper adds new recommendations urging Congress to pass an Internet of Things law, calling for increased support to combat cybercrime and support victims, as well as increasing nongovernmental capacity to identify and counter foreign disinformation and influence campaigns.
  • Research conducted by Cybernews suggests an unprecedented amount of interest in hacking and cybercrime during the global pandemic. Their review of Google search trends indicates that during the months of March, April, and May, online searches related to hacking, scamming, and other forms of cybercrime skyrocketed. In addition, visits to popular hacker websites and forums increased by up to 66% in March.
  • Malicious actors are already spoofing legitimate contact tracing efforts in the UK. Although the UK’s National Health Service (NHS) created a web page detailing the legitimate contact tracing process, threat actors are finding the process quite easy to mimic. Following a positive COVID-19 result, actual contact tracers using the phone number 03000135000 will call or text individuals to request personal information and ask that they sign into an NHS contact-tracing website. Unfortunately, phone numbers are relatively easy to spoof and victims will have no way to tell the difference between a legitimate outreach and a malicious one.
  • Malwarebytes recently released a special edition of their quarterly Cybercrime Tactics and Techniques (CTNT) report focusing on coronavirus-themed attacks/lures. The report lists malware that has been associated with malicious COVID-19 cyber activity, to include AveMaria and DanaBot, and highlights the uptick in skimming, phishing, and other creative attack methods.

-----------

5/29/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Weekly Report - 5/29

  • Cybersecurity company INKY found that most of the malicious coronavirus emails were coming from US IP addresses, according to TechRepublic reporting on 5/27/2020. Dave Baggett, CEO of INKY, acknowledged that these IP addresses might be easily spoofed by more skilled attackers, but explained that there were a number of reasons most attackers would be in the US: "...[p]hishers prefer to target victims within their own geography because it's easier to research and impersonate since it's the same culture and language.”
  • Microsoft this week detailed a phishing effort that deploys emails purporting to be from the "John Hopkins Center" and including an Excel attachment that presents itself as a count of US cases of the disease. If opened with macros enabled, the file runs a macro that downloads and launches NetSupport Manager RAT, a legitimate remote support tool that can be used for nefarious purposes.
  • Google said on Wednesday 5/27/2020 that its Threat Analysis Group saw new activity from “hack-for-hire” firms, many based in India, that have been creating Gmail accounts spoofing the World Health Organization (WHO). According to Reuters reporting, security experts at Google sent 1,755 warnings in April to users whose accounts were targets of government-backed attackers.
  • A new ransomware family called “[F]Unicorn”, which masquerades as a COVID-19 contact tracing app targeting Italian users, has been identified. According to Tripwire reporting on 05/27/2020, the attack emails leveraged typosquatting techniques to trick users into clicking on a download link for the advertised app.
  • Likewise, serious security vulnerabilities have been identified in Qatar’s mandatory contact tracing app, according to Amnesty International. An investigation by Amnesty’s Security Lab discovered the critical weakness in the configuration of Qatar’s EHTERAZ contact tracing app. Now fixed, the vulnerability would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status, and location data of more than one million users.
  • Cyber attackers are deploying highly-targeted operations that deliver malicious PowerShell scripts in images to steal employee credentials. According to BleepingComputer reporting on 5/29/2020, the technique is called steganography and in these incidents, the actors targeted industrial sector employees in multiple countries.
  • Cash-short state and local governments are pleading with Congress to send them funds to shore up their cybersecurity as hackers look to exploit the crisis by targeting overwhelmed government offices.

-----------

5/22/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Weekly Report - 5/22

  • A well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs, with potential losses in the hundreds of millions of dollars, according to a new alert issued by the U.S. Secret Service. The official memo from the Secret Service warned that the ring has been filing unemployment claims in different states using Social Security Numbers and other personally identifiable information (PII), a substantial amount of which belongs to first responders, government personnel, and school employees. This network is believed to possess a substantial PII database with which to submit the applications and hundreds of “mules” to launder the proceeds.
  • NBC reports that four states, and possibly more, are warning unemployment applicants that their personal information may have been leaked. The first leak occurred in Arkansas after the state launched its online Pandemic Unemployment Assistance program on 5 May with a system developed by Arkansas company Protech. The second incident involved Deloitte, which was hired by CO, IL, and OH to develop their respective online pandemic-related unemployment systems. The exposed information included names, full social security numbers, banking details, addresses, number of dependents, and even (at least in Illinois) correspondence between the unemployment office and applicants.
  • Microsoft is warning of an ongoing COVID-19-themed phishing campaign that installs the NetSupport Manager remote administration tool. The massive campaign is spreading via malicious Excel attachments in emails pretending to be from the Johns Hopkins Center. The attachment contains macros that prompt the user to “Enable Content” and once clicked, will download and install the NetSupport Manager client. Though NetSupport Manager is a legitimate remote administration tool, it is commonly distributed among hacker communities to use as a remote access trojan. When installed, it allows a threat actor to gain complete control over the infected machine and execute commands on it remotely.
  • Despite achieving the world’s highest download rates for a contact-tracing application, Iceland’s Rakning C-19 does not appear to have helped the country in addressing COVID-19. Rakning was downloaded by 38% of the country’s population, but according to the Icelandic Police Service, the impact of the application has been small. Instead, Iceland attributes its success in managing COVID-19 to early and wide-scale testing as well as manual tracing such as phone calls.
  • Estonia has begun testing one of the world’s first digital immunity passports in a bid to restart its economy. The passports will allow citizens to show their coronavirus test results to third parties, like employers and restaurants, using a temporary QR code on their phone. The World Health Organization (WHO) has warned governments against issuing immunity passports given the lack of evidence that people who have recovered from COVID-19 have antibodies, and are protected from a second infection.
  • Campaign groups wrote to the UK Prime Minister, warning that the UK’s Government Communications Headquarters (GCHQ) and its digital arm, the National Cyber Security Centre (NCSC), will have the capacity to re-identify the phones of people who have installed the UK coronavirus contact-tracing app. In their open letter to Prime Minister Boris Johnson, the groups, including tech justice nonprofit Foxglove and digital rights campaigners Access Now, argued that the legal framework for the software is inadequate to prevent misuse of personal data. The UK’s contact-tracing app is currently in trials on the Isle of Wight.

-----------

5/15/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/15

  • The Department of Homeland Security (DHS) is preparing to advise the U.S. telecom industry on steps it can take to prevent attacks on 5G cell towers following a rash of serious attacks in Western Europe fueled by conspiracy theories that the technology spreads coronavirus. The theory likely began with an interview a doctor gave to a Belgian newspaper in January, in which he mused that 5G cell towers might be linked to the spread of the virus. These comments went viral, spreading through social media, and have even been promoted by American celebrities. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) will issue the alert with advice on ways to reduce the risk of attack, including installing appropriate sensing and barriers, cyber intrusion detection systems, closed-circuit television, and monitoring drone activity near towers.
  • Nigeria’s SilverTerrier cybercrime group is targeting organizations on the front line in the fight against coronavirus, according to research by Palo Alto Networks’ Unit 42. SilverTerrier is a loosely affiliated cybercriminal group specializing in business email compromise (BEC), a security exploit in which the attacker targets an employee who has access to company funds, and convinces the victim to transfer money into a bank account controlled by the attacker. In the past three months, three SilverTerrier actors have launched a series of COVID-19-themed malware campaigns, producing more than 170 distinct phishing emails aimed at organizations leading national responses to the pandemic such as government, healthcare, insurance, medical research and publishing, and utilities in Australia, Canada, Italy, the U.K., and the U.S.
  • Romanian law enforcement arrested four hackers from the group PentaGuard who were preparing to launch ransomware attacks against Romanian hospitals. Romania’s Director for Investigating Organized Crime and Terrorism (DIICOT) and Romania’s secret service agency (SRI) said the hackers intended to send emails with COVID-19 lures to hospitals to infect computers, encrypt files, and disrupt hospital activity. PentaGuard has been around since 2001, when it was involved in mass-defacements of several government and military websites, including Microsoft Romania.

New Blacklist Data

Note: No new updates. Please see the COVID-19 Daily Update (dated 05/14/2020) for the most recent data.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/14/2020-05/15/2020. During this period, RiskIQ analyzed 89,658 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 7,691 unique subject lines observed during the reporting period. The spam emails originated from 5,244 unique sending email domains and 8,940 unique SMTP IP Addresses. Analysts identified 147 emails that sent an executable file for Windows machines.

-----------

5/14/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/14

  • Research by VMware Carbon Black shows that the coronavirus pandemic is correlated with a 238% surge in cyberattacks against banks. It also found upticks in financially-motivated attacks around pinnacles in the news cycle, such as when the U.S. confirmed its first case of COVID-19 as well as the first COVID-19 death.
  • On 13 May, the Federal Bureau of Investigation (FBI) and U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a public service announcement warning organizations researching COVID-19 of likely targeting and network compromise by the People’s Republic of China (PRC). The alert cautioned healthcare, pharmaceutical, and research sectors working on COVID-19 response to be aware of their status as targets and take the necessary steps to protect their systems. The FBI also requests that organizations that observe suspicious activity contact their local FBI field office.
  • One of Britain’s most powerful academic supercomputers, ARCHER, was the victim of a cyberattack that rendered the network unavailable to users on Tuesday and may have compromised user logins and SSH keys. Sources told The Register that ARCHER is an obvious resource for research work by computational biologists as well as those modeling the potential further spread of the novel coronavirus, and is, therefore, a target for hostile states. According to ARCHER admins, they now believe this to be a major issue across the academic community as other computers were compromised in the U.K. and elsewhere in Europe. The group has been working with the National Cyber Security Centre (NCSC) in order to better understand the situation.
  • Bam Construct and Interserve, two British construction firms that helped build emergency hospitals to cope with the COVID-19 pandemic, have been hit by cyberattacks. Though details on the attacks are sparse, Bam Construct’s spokesman shared that several systems were offline, including its website, while the company neutralizes the attack. He also said that there has been a wave of attacks on firms that are helping the nation’s fight against coronavirus. Interserve confirmed that it was working closely with the National Cyber Security Centre (NCSC) and Strategic Incident Response teams to investigate the attack.
  • Cybercrime in India continues to soar amidst the country’s coronavirus lockdown, with both independent and state-sponsored cybercriminals targeting private citizens’ wallets and personal data. According to India’s National Cyber Security Coordinator (NCSC), criminals have launched thousands of “fraud portals” related to the virus that lure Indians eager to contribute to the fight against coronavirus into making donations. Many of these sites are virtually indistinguishable from their genuine counterparts. State actors are also using COVID-19 as a pretext to launch attacks on India’s key sectors, including defense and national security, as evidenced by last month’s Pakistan-sponsored ransomware and phishing attacks aimed at stealing India’s highly sensitive defense, security, and diplomatic information under the guise of coronavirus health advisories.
  • Adding fuel to the ongoing privacy and security debate over contact-tracing, a Subway employee used information from the company’s contact-tracing forms to stalk a customer in Auckland, New Zealand. The customer was required to provide personal information such as name, home address, email address, and phone number prior to placing a food order. Subway suspended the employee and planned to roll out a new digital contact-tracing system in all restaurants as of 13 May, which they claimed would hold information more securely.

New Blacklist Data

hxxps://onlinetestcovid-19[.]com/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/13/2020-05/14/2020. During this period, RiskIQ analyzed 78,200 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 7,096 unique subject lines observed during the reporting period. The spam emails originated from 4,971 unique sending email domains and 9,126 unique SMTP IP Addresses. Analysts identified 146 emails that sent an executable file for Windows machines.

-----------

5/13/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/13

  • Experts are sounding alarms about potential security risks as several states consider allowing online voting amid the COVID-19 pandemic. Both federal officials and cybersecurity experts are strongly urging states to stay away from online voting, arguing it could open up new avenues for interference less than four years after Russia meddled in the 2016 elections. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency joined a group of federal agencies condemning the idea of online voting in guidelines sent to states privately. But, despite concerns around the ability of foreign actors to target online voting systems, some states, such as Delaware, West Virginia, and New Jersey, are forging ahead with limited electronic voting.
  • On 12 May, for-profit managed health care and insurance firm Magellan Health Inc. disclosed that it was the victim of a ransomware attack on 11 April, which resulted in a temporary system outage and the exfiltration of confidential company and personal information from a corporate server. The unauthorized actor gained access to Magellan’s systems through a phishing email that impersonated a Magellan client.
  • According to U.S. officials, Chinese and Iranian threat actors are targeting American universities and health-care firms, allegedly aiming to hinder their efforts to uncover a COVID-19 vaccine. Since early January, hackers from the countries have waged cyberattacks against institutions, aggressively attacking U.S. public health. These acts, according to officials, may be tantamount to an act of war due to the fact that they have hampered vaccine research.

New Blacklist Data

hxxp://covid-19updatenow[.]com/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/12/2020-05/13/2020. During this period, RiskIQ analyzed 73,409 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 7,368 unique subject lines observed during the reporting period. The spam emails originated from 5,736 unique sending email domains and 8,831 unique SMTP IP Addresses. Analysts identified 52 emails that sent an executable file for Windows machines.

-----------

5/12/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/12

  • Reuters reported on 8 May that Gilead Sciences, the U.S. drugmaker whose antiviral remdesivir has shown promise for treating coronavirus, has in recent weeks been targeted by hackers tied to Iran. Reuters was unable to determine if any of the attempts were successful and Gilead declined to comment, citing a company policy not to discuss cybersecurity matters.
  • The U.S. trucking industry is anticipating a surge in cyberattacks against commercial carriers. The nation’s reliance on the sector coupled with its large financial footprint make it an attractive target to cybercriminals. However, trucking is even more vulnerable in the work-from-home era when all back-office staff, who typically have weak IT policies to begin with, are now logging in from possibly unprotected home routers and navigating a virtual world with increasing levels of COVID-19-related phishing emails and texts.
  • In an effort to slow the spread of pandemic-related disinformation, Twitter will begin displaying labels and warnings on tweets containing false information about COVID-19. Twitter will assess tweets based on a scale measuring propensity for harm and provide a link encouraging readers to “Get the facts about COVID-19” from public health authorities.
  • Singapore’s SafeEntry contact-tracing surveillance program goes into effect today. Anyone visiting a wide range of locations will need to check in with either a form of ID or by scanning a QR code on their smartphone. Businesses failing to check in visitors or customers risk penalties. Recorded SafeEntry data includes names, IDs, phone numbers, as well as times of entry and exit, sparking concerns over surveillance and privacy.

New Blacklist Data

hxxps://covid-192[.]godaddysites[.]com/

hxxp://ibbigov[.]in/covid-19/signin/home/

hxxp://update[.]covid-19-go-id-covid-19-go-id[.]com/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/11/2020-05/12/2020. During this period, RiskIQ analyzed 73,661 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 8,886 unique subject lines observed during the reporting period. The spam emails originated from 7,324 unique sending email domains and 8,782 unique SMTP IP Addresses. Analysts identified 80 emails that sent an executable file for Windows machines.

-----------

5/11/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/11

  • The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) are planning to issue a warning accusing China of trying to hack U.S. research on the coronavirus, according to multiple reports. Officials told the New York Times that a public warning is likely to be issued in the coming days. However, a source told the Wall Street Journal that plans around its release could change.
  • DocuSign users on Office 365 are the target of a new phishing campaign that features COVID-19 as a lure. According to researchers at Abnormal Security, 50,000-60,000 DocuSign users have received the phishing email which appears as an automated message from DocuSign with a link to a COVID-related document. The malicious link employs a three-level redirect to obfuscate the end destination—a fake DocuSign login page that is designed to steal user credentials.
  • The Zeus Sphinx banking Trojan (aka Zloader or Terdot) is receiving frequent updates and upgrades to its capabilities while re-focusing its coronavirus scams on North America. According to IBM, the constant upgrades improve the Trojan’s potency and persistence. Zeus Sphinx re-emerged in December but saw a big spike in March 2020 via the use of coronavirus themes. However, since April, it has been primarily targeting North American banks in order to harvest user credentials and personal information from online banking sessions.

New Blacklist Data

hxxps://t-uber[.]me/covid-19/

hxxps://tzetta[.]com/covid-19/signin/home

hxxps://buffalonymedical[.]org/DEPOSlT/COVID-19/Canada/en/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/09/2020-05/11/2020. During this period, RiskIQ analyzed 156,186 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 9,353 unique subject lines observed during the reporting period. The spam emails originated from 8,065 unique sending email domains and 9,575 unique SMTP IP Addresses. Analysts identified 0 emails that sent an executable file for Windows machines.
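The blacklist entries above are published defanged (hxxp, [.]), and the spam statistics describe a fixed set of counts over a mail feed: messages whose subject contains "corona" or "covid", unique subjects, unique sending domains, unique SMTP IPs, and messages carrying a Windows executable. The following Python is an added example, not RiskIQ's code or tooling, that reproduces both steps on a small constructed feed: it refangs the blacklist entries so their hosts can be matched, then computes the same counts the report gives. The message records, the field names, and the set of attachment extensions treated as Windows executables are constructed assumptions; the defanged URLs are the ones listed in the blacklist data above.

```python
"""Refang defanged blocklist entries and compute the report's spam counts."""
import os
import re
from urllib.parse import urlparse

# Defanged entries exactly as published in the blacklist data above.
BLOCKLIST_DEFANGED = [
    "hxxps://t-uber[.]me/covid-19/",
    "hxxps://tzetta[.]com/covid-19/signin/home",
    "hxxp://covid-19updatenow[.]com/",
]

# Assumption: attachment extensions counted as "an executable file for Windows machines".
WINDOWS_EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}

# The report's subject filter: "*corona*" or "*covid*", i.e. a case-insensitive substring match.
SUBJECT_PATTERN = re.compile(r"corona|covid", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp scheme, [.] in the host) back into a real one for matching."""
    url = url.strip()
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def blocklisted_hosts(defanged_entries):
    """Return the set of lowercase hostnames named by a list of defanged URLs."""
    hosts = set()
    for entry in defanged_entries:
        host = urlparse(refang(entry)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def spam_statistics(messages, blocklist_defanged):
    """Compute the report's counts over a list of message dicts.

    Each message dict (constructed field names) has: subject, from_domain,
    smtp_ip, attachments (list of filenames) and urls (list of URLs in the body).
    """
    covid = [m for m in messages if SUBJECT_PATTERN.search(m["subject"])]
    hosts = blocklisted_hosts(blocklist_defanged)

    def has_windows_executable(m):
        return any(os.path.splitext(a.lower())[1] in WINDOWS_EXEC_EXTS for a in m["attachments"])

    def links_to_blocklist(m):
        return any((urlparse(u).hostname or "").lower() in hosts for u in m["urls"])

    return {
        "total": len(covid),
        "unique_subjects": len({m["subject"] for m in covid}),
        "unique_sending_domains": len({m["from_domain"].lower() for m in covid}),
        "unique_smtp_ips": len({m["smtp_ip"] for m in covid}),
        "with_windows_executable": sum(1 for m in covid if has_windows_executable(m)),
        "linking_to_blocklist": sum(1 for m in covid if links_to_blocklist(m)),
    }


# Constructed sample feed. Body URLs are built by refanging the page's own entries so
# the source file never contains a live link; the other values are documentation ranges.
SAMPLE_MESSAGES = [
    {"subject": "COVID-19 relief payment", "from_domain": "relief.example", "smtp_ip": "203.0.113.10",
     "attachments": ["form.pdf"], "urls": [refang("hxxps://t-uber[.]me/covid-19/")]},
    {"subject": "Corona update for your area", "from_domain": "news.example", "smtp_ip": "203.0.113.11",
     "attachments": ["update.exe"], "urls": []},
    {"subject": "COVID-19 relief payment", "from_domain": "relief.example", "smtp_ip": "203.0.113.10",
     "attachments": [], "urls": [refang("hxxp://covid-19updatenow[.]com/")]},
    {"subject": "Quarterly invoice", "from_domain": "billing.example", "smtp_ip": "198.51.100.5",
     "attachments": ["invoice.exe"], "urls": []},  # not COVID-themed: excluded from every count
    {"subject": "Your coronavirus test results", "from_domain": "clinic.example", "smtp_ip": "198.51.100.7",
     "attachments": ["results.scr"], "urls": [refang("hxxps://tzetta[.]com/covid-19/signin/home")]},
]

if __name__ == "__main__":
    for key, value in spam_statistics(SAMPLE_MESSAGES, BLOCKLIST_DEFANGED).items():
        print(f"{key}: {value}")
```

On the constructed feed the non-COVID invoice message is dropped before any counting, so the executable attached to it is not counted, which mirrors the report's ordering of filter first, then count. Matching on the hostname rather than the full URL is deliberate: the same blocklisted host typically appears with many paths and query strings in a live feed.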

-----------

5/9/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/9

  • Cybercriminals are exploiting the increasing number of layoffs during the ongoing pandemic to recruit new money mules to help launder money. According to research by PhishLabs, the criminals are sending phishing emails to targets in Canada and the United States with the “opportunity” to work from home for $5,000 per month. Some of the messages are generic and instruct the recipient to request more information via email while others impersonate Wells Fargo Human Resources and claim to be recruiting personal assistant positions.
  • Cybersecurity researchers now believe the malicious spearphishing attacks against the World Health Organization (WHO) beginning in early April were likely the work of Iranian state-sponsored hacking group Charming Kitten. Several of the messages sent to WHO were carefully designed to look like legitimate correspondence from the British Broadcasting Corporation and the American Foreign Policy Council, and they prompted recipients to click on a shortened URL that diverted to a malicious domain. The domains featured in the messages—including mobiles[.]identifier-services-session[.]site, sgnldp[.]live, and the link shortening service bitli[.]pro—were hallmarks of Charming Kitten’s previous attacks, according to Clearsky Cyber Security.
  • Israel is preparing to launch a “cyber defense shield” for the country’s health care sector amid a spike in attacks since the beginning of the global COVID-19 pandemic. As planned, the new system, to be developed by FireEye and the Israeli Health Ministry, will provide real-time protection from cyber attacks.
  • Online child exploitation has risen to unprecedented levels in the last few months. John Shehan, vice president of the National Center for Missing and Exploited Children (NCMEC), shared that his organization has received 4.2 million reports of child exploitation content in April, up 2 million from March and nearly 3 million from April 2019. This spike is, in part, due to the rise in children at home on internet-connected devices, which creates additional opportunities for abusers to virtually groom minors. Further, there are also more adults online reporting child abuse material. Child traffickers have evolved their operating models by moving what previously would’ve been face-to-face interactions online through subscription videos and images.

New Blacklist Data

hxxps://freedatacovid-19[.]000webhostapp[.]com/

hxxp://covid-19recuperartd[.]com

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/08/2020-05/09/2020. During this period, RiskIQ analyzed 93,606 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 7,519 unique subject lines observed during the reporting period. The spam emails originated from 5,598 unique sending email domains and 9,441 unique SMTP IP Addresses. Analysts identified 232 emails that sent an executable file for Windows machines.

-----------

5/8/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/8

  • With grocery delivery in high demand, many consumers have turned to installing browser extensions to scan for available time slots and complete transactions on platforms such as Instacart and Amazon Fresh. However, these third-party extensions and scripts often perform malicious activity—harvesting personal information and logging keystrokes—without a user’s knowledge. According to research by PerimeterX, food and grocery delivery experienced a 41% increase in traffic from mid-January to mid-March, which has translated to a large increase in the volume and sophistication of bot attacks across sites.
  • According to a recent study commissioned by Barracuda, nearly half (46%) of global businesses have encountered at least one cybersecurity “scare” since shifting to a remote working model and 49% of respondents anticipate suffering a data breach or security incident in the next month. The study was conducted by independent research agency Censuswide and received responses from over 1,000 business decision-makers in the UK, U.S., France, and Germany. Additional findings note that 40% of respondents had cut their cybersecurity budgets to save money during COVID-19 and 56% plan to continue widespread remote working even after the crisis is over.
  • The U.S. Federal Trade Commission (FTC) reported on 8 May that their warning letters sent to perpetrators of COVID-19-related scams have stopped the false claims and sales of unproven coronavirus treatments in nearly all cases to date. The FTC prioritized the takedown of illegitimate treatments and cures but has also expanded efforts against VoIP service providers making COVID-19 robocalls, as well as multi-level marketing (MLM) companies making exaggerated earnings claims for COVID-19 related business opportunities.

New Blacklist Data

hxxp://covid-19travelinsurance[.]com

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/07/2020-05/08/2020. During this period, RiskIQ analyzed 55,121 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 8,329 unique subject lines observed during the reporting period. The spam emails originated from 5,892 unique sending email domains and 8,268 unique SMTP IP Addresses. Analysts identified 0 emails that sent an executable file for Windows machines.

-----------

5/7/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/7

  • On 7 May, RiskIQ launched the COVID-19 Internet Intelligence Gateway to serve as a one-stop cybersecurity resource center where security professionals can submit suspicious COVID-19-related URLs to be crawled and analyzed by RiskIQ as well as receive complimentary resources such as curated URL blacklists.
  • According to research by Secureworks, cyber threat actors are buying and selling U.S. taxpayers’ data on underground forums to facilitate theft of coronavirus-relief stimulus checks and income tax refunds. Some of these scams prompt taxpayers to give up their information and create phony tax forms in advertisements shared on social media while others use phishing pages disguised as the IRS tax forms required for stimulus checks.
  • Microsoft is tracking a surge in Remcos attacks using COVID-19 lures to gain access to organizations across multiple sectors. The campaign uses emails containing malicious IMG files that drop Remcos, a Remote Administration Tool (RAT), which allows attackers to take control of affected machines. As of 4 May, Microsoft observed limited attacks against small businesses in the U.S. seeking disaster loans, accountants in the U.S., and South Korean manufacturing companies.

New Blacklist Data

hxxps://telecharger-test-covid-19[.]crestos[.]info/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/06/2020-05/07/2020. During this period, RiskIQ analyzed 108,315 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 10,037 unique subject lines observed during the reporting period. The spam emails originated from 6,868 unique sending email domains and 10,475 unique SMTP IP Addresses. Analysts identified 21 emails that sent an executable file for Windows machines.

-----------

5/6/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/6

  • Research conducted by Coveware indicates that ransomware threat actors continue to take advantage of the economic and workplace disruptions caused by COVID-19. Compared with Q4 in 2019, the average ransomware payment has increased by 33%, totaling $111,605.
  • Fresenius Group, Europe’s largest private hospital operator and major provider of dialysis products globally, was the victim of a likely “Snake” ransomware attack, a new strain of ransomware targeting entire networks rather than individual machines. Fresenius’ spokesperson noted that “while some functions within the company are currently limited, patient care continues.” However, Fresenius provides nearly 40% of dialysis products in the United States and the attack’s impact on dialysis product lines is unclear. COVID-19 causes many patients to experience kidney failure and has created a shortage of dialysis machines and supplies.
  • Hackers have deployed a coronavirus themed mobile app using an existing version of Android screen-locking malware SLocker. The Uzbek-language app called “Koronavirus haqida” or “About Coronavirus” locks the phone and demands a ransom payment to restore functionality. Researchers at Bitdefender say the app has been targeting users in Ukraine, Russia, Kazakhstan, Turkmenistan, India, and North Africa.

New Blacklist Data

hxxps://manboobhelp[.]com/DEPOSlT/COVID-19%20/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/05/2020-05/06/2020. During this period, RiskIQ analyzed 111,542 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 10,472 unique subject lines observed during the reporting period. The spam emails originated from 6,985 unique sending email domains and 10,340 unique SMTP IP Addresses. Analysts identified 452 emails that sent an executable file for Windows machines.

-----------

5/5/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/5

  • Britain’s National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on 5 May that hackers are attacking healthcare and research institutions to steal information about efforts to contain COVID-19. The agencies are investigating a number of incidents targeting pharmaceutical companies, research institutions, and universities to include large-scale password spraying campaigns conducted by advanced persistent threat groups.
  • Cybersecurity professionals are warning individuals to exercise caution before downloading apps aimed at combating the ongoing pandemic that might lack security and privacy protections. Developers are racing to produce contact tracing apps that are launching globally, leaving little time for adequate security testing. In addition, many apps are designed to store vast amounts of data in central repositories which makes them attractive cyber targets.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/04/2020-05/05/2020. During this period, RiskIQ analyzed 71,937 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 6,623 unique subject lines observed during the reporting period. The spam emails originated from 5,230 unique sending email domains and 9,915 unique SMTP IP Addresses. Analysts identified 7 emails that sent an executable file for Windows machines.

-----------

5/4/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/4

  • Similar to the recent attacks in the US that RiskIQ highlighted on 05/01/2020, the UK's National Cyber Security Centre warned that the country’s universities and scientific facilities have been subjected to a wave of hacking attempts by other countries in the quest for coronavirus research. According to new details reported by ZDNet on 05/04/2020, the cyberattackers are focused on the theft of valuable information, including customer data, banking records, and corporate intellectual property, as well as politically or financially valuable datasets.
  • Ransomware operators demanded 33% more from their victims in Q1 2020 than in the previous quarter, according to BleepingComputer. The average ransom payment from larger enterprises in Q1 2020 was $111,605. Smaller businesses were also targeted for significantly lower ransoms, with a median payment of $44,021.
  • The Better Business Bureau (BBB) said last week that it saw a spike in online puppy scams. According to the BBB, nearly 85% of people who post pictures of puppies online are just trying to scam you out of money.
  • A hacker is selling a database containing the information of 91 million Tokopedia accounts on a dark web market for as little as $5,000, according to BleepingComputer. Tokopedia is Indonesia's largest online store, with 4,700 employees and over 90 million active users.

New Blacklist Data

Note: No new updates. Please see the COVID-19 Daily Update (dated 05/02/2020) for the most recent data.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/02/2020-05/04/2020. During this period, RiskIQ analyzed 188,512 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 16,149 unique subject lines observed during the reporting period. The spam emails originated from 9,305 unique sending email domains and 14,361 unique SMTP IP Addresses. Analysts identified 2 emails that sent an executable file for Windows machines.

-----------

5/2/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/2

  • In the last few weeks, there has been an upswing in people receiving threatening extortion emails demanding payment to avoid the release of sensitive information. According to research by Malwarebytes Labs, the messages are fake, there is no malware involved, and the most important response is to change your password.
  • IBM X-Force discovered actors targeting email recipients with fake messages that claim to be from the U.S. Department of Labor and inform people of changes to the Family and Medical Leave Act (FMLA), which gives employees the right to family-leave medical benefits. Instead, the emails include malicious attachments aimed at installing TrickBot malware, which can allow attackers to gain complete control of the device.
  • Threat actors are using the COVID-19 pandemic to impersonate financial institutions on Instagram, according to Security Boulevard reporting. The threat actor creates a private Instagram account referencing COVID-19 using the financial institution's name, its logo, and a link to its legitimate website. The victims receive a direct message from the fake account claiming their profile has been selected to receive a gift, and subsequently, a request for their account and password information.
  • Newly published telemetry data collected by the researchers at Bitdefender suggests that U.S. reports of coronavirus-themed malware threat activity have been heaviest in states where testing has increased and the total number of confirmed infections has grown. According to SC Media reporting, the same trend holds for countries that have been hit hardest by the pandemic.

New Blacklist Data

hxxps://streammarket[.]co[.]uk/covid-19

hxxps://covid19healthstores[.]com/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 05/01/2020-05/02/2020. During this period, RiskIQ analyzed 95,173 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 11,008 unique subject lines observed during the reporting period. The spam emails originated from 7,184 unique sending email domains and 9,571 unique SMTP IP Addresses. Analysts identified 0 emails that sent an executable file for Windows machines.

-----------

5/1/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 5/1

  • The US has seen foreign spy agencies carry out reconnaissance of research into a coronavirus vaccine, according to BBC reporting. Bill Evanina, director of the National Counterintelligence and Security Center, said the U.S. government had warned medical research organizations of the risks, but he did not say whether there had been confirmed cases of stolen data.
  • Fraudsters have found a way to use the coronavirus pandemic for blackmail, with one phishing scam threatening to ‘infect every member’ of victims’ families with the disease. According to the Organized Crime and Corruption Reporting Project, the email was first publicly identified by internet security company Sophos and demands $4,000 from recipients.
  • Multiple threat actors running phishing attacks on corporate targets have been counting on Microsoft Sway service to trick victims into giving their Office 365 login credentials, according to BleepingComputer. Apart from access to corporate email accounts, scammers also get sensitive business data, which opens a wide range of money-making possibilities.
  • Following the April 26 release of Australian contact tracing mobile application CovidSafe, numerous users were erroneously marked as testing positive for COVID-19, according to LookingGlass reporting. While the number of affected users is unknown, developers are blaming user error as the cause.
  • Researchers at IBM X-Force have discovered a TrickBot campaign that spoofs the US Department of Labor with a message containing information regarding the Family and Medical Leave Act (FMLA). According to LookingGlass reporting, the phishing message attachment contains a DocuSign-themed document giving the appearance of legitimacy. The attachment contains macros and Terop.bat, Zipfldr.dll, and Robocopy.exe.

New Blacklist Data

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/30/2020-05/01/2020. During this period, RiskIQ analyzed 93,634 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 17,440 unique subject lines observed during the reporting period. The spam emails originated from 10,295 unique sending email domains and 11,549 unique SMTP IP Addresses. Analysts identified 11 emails that sent an executable file for Windows machines.

-----------

4/30/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/30

  • Cyber insurance professionals are warning that the COVID-19 pandemic may complicate potential insurance payouts related to cyber attacks, according to LookingGlass reporting. Many cyber insurance policies exclude network-attached devices owned by employees from coverage, meaning a ransomware attack that encrypts employer data on an employee-owned device may fall outside of coverage.
  • Researchers at Kaspersky Labs have observed since March that cybercriminals have shifted to targeting networks with remote desktop protocol (RDP) brute-force attacks. Cybercriminals utilize the compromised account credentials along with automated tools to access these networks. Once gaining access, cybercriminals may steal data, drop malware, or target the network via ransomware, according to LookingGlass reporting.
  • A new phishing campaign is targeting outsourced human resource contractors, according to Help Net Security. The phishing email is sent to employees from an alleged HR contractor informing them that additional stimulus money is being provided to them and asking them to view the latest payroll which leads to a malware download.
  • The infostealer EventBot has targeted Android mobile users of more than 200 different banking, money-transfer services, and general cryptocurrency wallet apps. EventBot was first identified in March 2020 but researchers warn that it’s rapidly evolving with new versions being released every few days, according to ThreatPost reporting.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/29/2020-04/30/2020. During this period, RiskIQ analyzed 81,958 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 16,984 unique subject lines observed during the reporting period. The spam emails originated from 12,534 unique sending email domains and 11,216 unique SMTP IP Addresses. Analysts identified 106 emails that sent an executable file for Windows machines.

-----------

4/29/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/29

  • The Internal Revenue Service's system for sending out COVID-19 relief payments is vulnerable to fraud, according to NPR reporting. Because of the way the system is set up, fraudsters can obtain the coronavirus payments of a certain segment of vulnerable Americans with just their date of birth, social security number, and address — information that is easily available to criminals online.
  • Zscaler reported seeing an increase of 30,000% in phishing, malicious websites, and malware targeting remote users—all related to COVID-19 since January 2020. The researchers found phishing attacks based around COVID-19 targeted corporations as well as consumers.
  • Microsoft is warning users that malicious actors are now trying to infect potential victims with malware delivered via pirate streaming services and torrent downloads, according to BleepingComputer. The attackers behind this campaign are primarily targeting home users in Spain and some South American countries with the end goal of launching a coin miner directly into the compromised devices' memory.
  • Netflix users have taken to social media to report receiving suspicious texts, offering them “free passes” to the streaming service if they click a specific link, according to The Next Web. Netflix reportedly said they have no involvement in the campaigns, even though the URL in the suspicious texts contains its name. The users are most likely being targeted in a phishing campaign.
  • More than 170 UK researchers and scientists working in information security and privacy have signed a joint statement about their concerns over NHS plans to use a contact-tracing app to help contain the coronavirus outbreak, according to ZDNet reporting. The statement comes after the NHS and the government rejected a joint approach put forward by Apple and Google to help trace the spread of the virus, instead choosing to develop a separate tool for the UK.

New Blacklist Data

hxxps://mlskitchensmanchester[.]com/COVID-19%20/Canada/en/directing/www[.]atbonline[.]com/ATB/

hxxp://hicovid-19[.]com/

hxxp://covid-19usatimes[.]xyz/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/28/2020-04/29/2020. During this period, RiskIQ analyzed 94,649 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 16,523 unique subject lines observed during the reporting period. The spam emails originated from 13,431 unique sending email domains and 11,049 unique SMTP IP Addresses. Analysts identified 376 emails that sent an executable file for Windows machines.

-----------

4/28/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/28

  • Australia's Ambassador for Cyber Affairs, Dr. Tobias Feakin, has called for an end to attacks on medical facilities, such as the recent cyber attack on one of the Czech Republic's biggest COVID-19 testing laboratories. He stated to ZDNet that "[w]e call on all countries to cease immediately any cyber activity inconsistent with their international commitments.”
  • The cyber attackers behind the Shade ransomware (Troldesh) have shut down their operations, released over 750,000 decryption keys, and apologized for the harm they caused their victims, according to BleepingComputer. Shade Ransomware has been in operation since 2014 and predominantly targets people in Russia and Ukraine.
  • Some Sophos firewall products were attacked with a new Trojan malware, dubbed Asnarök, to steal usernames and hashed passwords, according to BleepingComputer. The malware exploits a zero-day SQL injection vulnerability that can lead to remote code execution on any unpatched physical and virtual firewalls it targets.
  • Zoom users are being targeted with a new phishing campaign that uses fake Zoom meeting notifications to threaten those who work in corporate environments that their contracts will either be suspended or terminated. When users click on the link they are redirected to a phishing landing page that mimics a Zoom sign-in page and scammers are able to steal the victims’ credentials.
  • Cybercriminals are creating new scams using COVID-19 delivery issues as a lure to get people to visit malicious links or open malware, according to BleepingComputer. In one example, the scammer sends an email that pretends to be from FedEx stating that due to the Coronavirus "lock-down," a package is being held at the warehouse. They then prompt the user to click on a phishing link to reschedule for pick up.
  • A few new COVID-19 related scams in the underground web marketplace include scammers offering an Israel-created ‘vaccine’ for $99. Another scammer posted a malicious MP3 file and informed users they needed to listen to it 3-6 times per day to eliminate COVID-19, according to Tripwire. Related, the United Kingdom’s National Cyber Security Centre (NCSC) reportedly took down over 2,000 COVID-19 ploys in March, including 471 fake online shops, according to the BBC.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/27/2020-04/28/2020. During this period, RiskIQ analyzed 75,253 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 14,525 unique subject lines observed during the reporting period. The spam emails originated from 12,145 unique sending email domains and 8,678 unique SMTP IP Addresses. Analysts identified 102 emails that sent an executable file for Windows machines.

-----------

4/27/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/27

  • The Trump administration is pointing the finger at China and Russia for attempting to steal coronavirus research, as officials have seen an increase in cyberattacks on US government agencies and medical institutions leading the pandemic response. John Demers, the head of the Justice Department's National Security Division, told CNN that "[t]here is nothing more valuable today than biomedical research relating to vaccines for treatments for the coronavirus… it’s of great importance not just from a commercial value but ... it is going to have a significant geopolitical success story."
  • Nintendo said over 160,000 accounts have been hacked, due to attackers abusing a legacy login system. According to user complaints, unauthorized actors were logging into victims’ accounts and abusing the payment cards connected to the accounts to buy digital goods on Nintendo’s online stores, such as V-Bucks, in-game currency used in Fortnite, according to Threatpost reporting. Nintendo has now disabled the ability to log into a Nintendo account using NNID.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/25/2020-04/27/2020. During this period, RiskIQ analyzed 140,948 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 29,735 unique subject lines observed during the reporting period. The spam emails originated from 19,439 unique sending email domains and 12,444 unique SMTP IP Addresses. Analysts identified 318 emails that sent an executable file for Windows machines.

-----------

4/25/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/25

  • From at least January through April 2020, hackers working for the Vietnamese Government have been targeting Chinese Government organizations tasked with managing the country’s response to the coronavirus pandemic. According to research by FireEye, the hackers, likely APT32 (also known as OceanLotus), sent emails containing the METALJACK malware to employees at China’s Ministry of Emergency Management and the government of Wuhan to obtain non-public information on the crisis.
  • Two spearphishing campaigns leveraged the Agent Tesla information-stealing Trojan to target the oil and gas industry before and during a meeting between OPEC+ and the Group of 20 regarding oil production and pricing during the COVID-19 pandemic. The first campaign began around 31 March and featured emails that appeared to come from Enppi, an oil company owned by the Egyptian government. These emails were sent widely to targets in Malaysia, the United States, Iran, South Africa, Oman, and others, according to research conducted by Bitdefender. The second campaign began around 12 April and impersonated a shipping company to target victims in the Philippines.

New Blacklist Data

hxxp://covid-19remint[.]com/

hxxp://promo-covid-19[.]net/

hxxp://gente-covid-19[.]gq/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/24/2020-04/25/2020. During this period, RiskIQ analyzed 115,926 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 18,619 unique subject lines observed during the reporting period. The spam emails originated from 11,428 unique sending email domains and 9,812 unique SMTP IP Addresses. Analysts identified 37 emails that sent an executable file for Windows machines.

-----------

4/24/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/24

  • Five US Senators sent a letter on 04/20/2020 to the Cybersecurity and Infrastructure Security Agency (CISA) and US Cyber Command (CYBERCOM) requesting them to bolster their defense of the US healthcare sector from cyber threats, according to LookingGlass reporting. The letter included six measures. Most notably, they encouraged CISA and CYBERCOM to conduct offensive hacking to protect the healthcare sector.
  • The FBI issued an alert on 04/23/2020 after observing at least two attempts by cybercriminals to initiate fraudulent SWIFT messages through third-party vendors who provide this messaging service to small businesses. The cybercriminals employed social engineering techniques against the targeted third-party vendors in order to initiate fraudulent money transfers.

New Blacklist Data

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/23/2020-04/24/2020. During this period, RiskIQ analyzed 83,201 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 10,649 unique subject lines observed during the reporting period. The spam emails originated from 14,779 unique sending email domains and 9,485 unique SMTP IP Addresses. Analysts identified 0 emails that sent an executable file for Windows machines.

-----------

4/23/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/23

  • Zoom announced a series of security improvements designed to address many of the concerns raised in recent weeks. Zoom reported that account administrators will be able to choose which data center regions they want to use for real-time meeting traffic. The vendor also said the upcoming Zoom 5.0, scheduled for release within the next week, will introduce AES 256-bit GCM encryption, which should provide better protection for meeting data.
  • Members of the Cyber Threat Coalition reported on 04/20/2020 a change in tactics from malicious actors that leverage the COVID-19 pandemic. As the US and European countries instituted social distancing measures, threat actors registered domains that included themes of the pandemic. Now, threat actors appear to be switching their focus to spreading scams, phishing, or malware and focusing on leveraging existing domains for more lucrative techniques, according to LookingGlass reporting.
  • Iran’s Charming Kitten and other nation-state actors are using the coronavirus pandemic to their advantage, for espionage, according to ThreatPost reporting. According to Google’s Threat Analysis Group (TAG), more than a dozen nation-state-backed APTs are using the COVID-19 pandemic as a cover for their various cyberespionage and malware activities.
  • Cybercriminals continue to tailor their attack methods to take advantage of fears stemming from the COVID-19 pandemic, targeting medical providers with directed email phishing attacks, according to Health IT Security reporting. Cyber attackers are launching double extortion ransomware, hijacking video conferencing, targeting Virtual Private Networks (VPNs), and ramping up business email compromise schemes and fraud attempts.
  • The Small Business Administration admitted its online application portal may have been compromised in late March, affecting nearly 7,900 Economic Injury Disaster Loans. The information believed to be leaked includes applicants’ social security numbers, contact information, addresses, and more. The issue has been addressed and the portal has been relaunched, according to LookingGlass reporting.

New Blacklist Data

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/22/2020-04/23/2020. During this period, RiskIQ analyzed 121,539 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 15,655 unique subject lines observed during the reporting period. The spam emails originated from 20,927 unique sending email domains and 11,718 unique SMTP IP Addresses. Analysts identified 0 emails that sent an executable file for Windows machines.

-----------

4/22/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/22

  • Unknown activists have posted nearly 25,000 email addresses and passwords allegedly belonging to the National Institutes of Health, the World Health Organization, the Gates Foundation, and other groups working to combat COVID-19, according to the SITE Intelligence Group. SITE said the information was released 04/19/2020 and 04/20/2020 and almost immediately used to foment attempts at hacking and harassment by far-right extremists.
  • Researchers at Bitdefender discovered that Linksys routers have been affected by a malware campaign, according to LookingGlass reporting. At least 1,200 Linksys Smart Wi-Fi application users had their DNS settings altered to redirect the victims to a malware-serving website that delivers the Oski information stealer.
  • The Netherlands' National Institute for Public Health and the Environment (RIVM) announced on 04/20/2020 that it had been impersonated in a COVID-19 SMS scam, according to LookingGlass reporting. The SMS contained a potentially malicious link and referenced the [NL-Alert] tag that the Netherlands uses for crisis communication.

New Blacklist Data

hxxps://covid-19normallife[.]com/

hxxp://vrcovid-19[.]com/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/21/2020-04/22/2020. During this period, RiskIQ analyzed 199,782 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 15,189 unique subject lines observed during the reporting period. The spam emails originated from 9,196 unique sending email domains and 13,864 unique SMTP IP Addresses. Analysts identified 1 email which sent an executable file for Windows machines.

-----------

4/21/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/21

  • The Federal Trade Commission on 04/20/2020 offered guidance for avoiding coronavirus stimulus payment scams including: only use irs.gov/coronavirus to submit information to the IRS; don’t respond to anyone posing as an IRS representative via phone, email, text message, or social media; don’t pay anyone to get your stimulus money for you; and, don’t respond to anyone claiming you have to return money because your stimulus payment was more than what was owed you.
  • The Federal Bureau of Investigation on 04/21/2020 alerted medical providers to targeted email phishing attempts which leverage email subject lines and content related to COVID-19 in order to distribute malicious attachments. The attachments exploit Microsoft Word Document files, 7-zip compressed files, Microsoft Visual Basic Script, Java, and Microsoft Executables.
  • Related, hackers have deployed ransomware on U.S. hospital and government systems using stolen Active Directory credentials, according to Bleeping Computer. The attacks occurred months after exploiting a known remote code execution (RCE) vulnerability in their Pulse Secure VPN servers. Even though the vulnerability tracked as CVE-2019-11510 was patched by Pulse Secure last year, the U.S. Cybersecurity and Infrastructure Security Agency reminded organizations in January 2020 to patch their Pulse Secure VPN servers against ongoing attacks.
  • Hackers are sending emails offering COVID-19 testing that carry hidden malware called “Trickbot”, which is engineered to record passwords and bank data, according to Microsoft Security Intelligence. According to Microsoft Security, 60,000 of the malware-laden emails are stopped daily before they can attack an unwary recipient.
  • The ‘Covid19 Alert’ mobile application leaks user data. Experts found the issue after its code was published online on 04/18/2020. The source files included a database from another application that was part of a project of the software house Immotef, which contains data from Dutch users of that app, according to Security Affairs reporting.
  • Within minutes of the U.K. government’s furlough plan going live, it was targeted by hackers impersonating HM Revenue and Customs, the country’s tax collection agency. According to CNBC reporting, hundreds of phishing emails landed in people’s inboxes inviting them to click on a link that takes them to what looks like an HMRC furlough claim website. The fraudulent website asks people to fill in their personal, card and bank account details. But instead of going to HMRC, the details go to the hackers.

New Blacklist Data

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/20/2020-04/21/2020. During this period, RiskIQ analyzed 154,477 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 15,453 unique subject lines observed during the reporting period. The spam emails originated from 8,085 unique sending email domains and 16,005 unique SMTP IP Addresses. Analysts identified 8 emails that sent an executable file for Windows machines.

-----------

4/20/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/20

  • With the massive shift to telework as a result of the COVID-19 pandemic, some workers are using their own hardware and sometimes downloading free applications without first taking precautions with the help of the security department, according to Bank Info Security. Additionally, some organizations are relying on collaboration tools, without the knowledge of the IT department, to work on joint projects with other organizations.
  • Gamaredon, an advanced persistent threat (APT) group, is using COVID-19 lures in a phishing campaign. Trend Micro reported on 04/17/2020 that they discovered an email with the subject “Coronavirus (2019-nCoV)” with a malware attachment and Gamaredon signatures. The campaign is targeting victims in European countries and others.
  • Cyber criminals are using coronavirus-themed voicemail notifications in Office 365 to steal credentials. The voicemail notification is delivered as an attachment; when the user opens the file, they are directed to a Microsoft Office 365 (O365) phishing page that requests login credentials.
  • Hackers have deployed ransomware on the systems of U.S. hospitals and government entities using stolen Active Directory credentials months after exploiting a known remote code execution (RCE) vulnerability in their Pulse Secure VPN servers.
  • The government of North Rhine-Westphalia, a province in western Germany, is believed to have lost tens of millions of euros after it failed to build a secure website for distributing coronavirus emergency aid funding. The funds were lost following a classic phishing operation. Cybercriminals created copies of an official website that the NRW Ministry of Economic Affairs had set up to distribute COVID-19 financial aid.
  • LookingGlass reported that, after two critical flaws in the Cisco WebEx teleconferencing platform were patched, vulnerabilities remain. One vulnerability potentially allows unauthenticated users to execute code remotely or mount a denial-of-service attack. Related, on 04/08/2020, researchers discovered a phishing campaign designed to mimic a WebEx security warning in order to steal credentials.
  • The Department of Homeland Security is warning that cyber actors are trying to leverage a known remote code execution vulnerability in Pulse Secure VPN servers. This vulnerability recently enabled cyber actors to target Travelex with Sodinokibi (REvil) ransomware and gain USD 2.3 million, according to LookingGlass reporting.

New Blacklist Data

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/18/2020-04/20/2020. During this period, RiskIQ analyzed 315,508 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 20,997 unique subject lines observed during the reporting period. The spam emails originated from 10,734 unique sending email domains and 18,274 unique SMTP IP Addresses. Analysts identified 0 emails that sent an executable file for Windows machines.

-----------

4/18/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/18

  • The FBI confirmed reconnaissance activity and some intrusions into COVID-19 research centers. According to a Reuters report, FBI deputy assistant director Tonya Ugoretz has confirmed the Bureau has seen intrusions into companies and institutions actively researching COVID-19 treatments.
  • U.S. Federal Trade Commission (FTC) reported that, from January 1 through April 15, U.S. consumers registered 18,257 complaints related to the coronavirus, over 10,000 of which were reports of fraud. According to the FTC, 46% of the fraud victims reported a consequential financial loss, totaling $13.44 million. The median fraud loss per person was $557.
  • The government of North Rhine-Westphalia, a province in western Germany, is believed to have lost tens of millions of euros after it failed to build a secure website for distributing coronavirus emergency aid funding. The funds were lost following a classic phishing operation. The scheme lasted from mid-March to April 9, when the NRW government suspended payments and took down its website.
  • A police department in Maine is warning the public against a text message-based coronavirus scam. The scam message reads, “someone who came in contact with you has tested positive or has shown symptoms for COVID-19 & recommends you self-isolate/get-tested.” The alert is not from an official agency and officers from the department have told residents not to click through to the link, which police believe could be a phishing scam to grab victims’ personal information.

New Blacklist Data

hxxp://www[.]netflix-covid-19[.]com/Netflix_Urochi/Home/login

hxxps://covidaid[.]co/

hxxps://idonateforcovid-19[.]webnode[.]com/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/17/2020-04/18/2020. During this period, RiskIQ analyzed 134,233 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 12,129 unique subject lines observed during the reporting period. The spam emails originated from 7,135 unique sending email domains and 11,509 unique SMTP IP Addresses. Analysts identified 2 emails which sent an executable file for Windows machines.

-----------

4/17/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/17

  • The FBI has seen a spike in cyber crimes reported to its Internet Crime Complaint Center (IC3) since the beginning of the COVID-19 pandemic, as both domestic and international hackers look to take advantage of Americans' daily activities moving increasingly online. The FBI has received between 3,000 to 4,000 cybersecurity complaints each day, a major jump from the days prior to the COVID-19 pandemic when about 1,000 complaints were received daily.
  • Google says it blocks 18 million COVID-19-related scam emails each day and that's not counting more than 240 million daily spam messages launched at Gmail users that try to capitalize on the coronavirus crisis.
  • A cybersecurity resource developed jointly by the American Medical Association and the American Hospital Association (AHA) gives guidance on protecting remote workplaces, as many physicians now work from home to care for patients during the COVID-19 pandemic. The resource, “Working from home during the COVID-19 pandemic,” tells physicians about immediate steps they can take to protect home or hospital-based computers, networks, and medical devices against the rise in COVID-19-themed security threats and attacks.

New Blacklist Data

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/16/2020-04/17/2020. During this period, RiskIQ analyzed 174,931 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 17,352 unique subject lines observed during the reporting period. The spam emails originated from 24,551 unique sending email domains and 16,185 unique SMTP IP Addresses. Analysts identified 28,480 emails that sent an executable file for Windows machines.

-----------

4/16/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/16

  • Hackers are selling two critical vulnerabilities for the video conferencing software Zoom that would allow someone to hack users and spy on their calls, according to Motherboard. The two flaws are zero-days, and are currently present in Zoom’s Windows and macOS clients, according to the report.
  • Researchers from BitSight found that remote-work users are more likely to have malware on their devices, according to LookingGlass reporting. BitSight found that Trickbot malware was three times more likely and the Mirai botnet was twenty times more likely to be on home office networks than corporate networks. The Trickbot malware has been leveraged in order to deliver Ryuk ransomware to target hospitals, local and state governments, and corporations.
  • Facebook said today it will begin alerting users if they have interacted with harmful misinformation about COVID-19. This effort is a part of a series of new, aggressive steps to combat what health authorities have described as a global “infodemic.”
  • Governments are imposing new digital surveillance tools to track and monitor individuals to slow the pandemic. While many citizens have welcomed tracking technology, some privacy advocates are wary, concerned that governments might not be inclined to unwind such practices after the health emergency has passed, according to the Wall Street Journal.

New Blacklist Data

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/15/2020-04/16/2020. During this period, RiskIQ analyzed 178,289 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 19,002 unique subject lines observed during the reporting period. The spam emails originated from 11,738 unique sending email domains and 14,476 unique SMTP IP Addresses. Analysts identified 987 emails that sent an executable file for Windows machines.

-----------

4/15/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/15

  • Two Canadian organizations involved in work on COVID-19—one a government body—have been the targets of recent ransomware attacks, according to a report from Palo Alto Networks Inc. In one of the attacks, targets received an email with a file attachment named “20200323-sitrep-63-covid-19.doc” that, if opened, would encrypt files on their computer until a ransom had been paid.
  • Hackread.com discovered on 04/11/2020 that the personal data of 1.41m US doctors was being sold on hacker forums. The physicians’ data was stolen from qa.findadoctor[.]com, an online service that lets people search for healthcare professionals, book instant appointments, and consult with doctors online. The targeted website is based in Edison, NJ and it claims to have registered 100,000+ doctors and 5,000+ members.
  • On 04/14/2020 Senators Hirono (D-Hawaii), Booker (D-N.J.), and Hassan (D-N.H.) called on the leaders of eight domain name registrars and hosting sites to combat scams and misinformation during the COVID-19 pandemic. The Senators asked the executives of GoDaddy, Dynadot, Donuts Inc., Namecheap Inc., Web.com, Endurance International Group, InMotion Hosting, and DreamHost to explain the steps their companies are taking to combat misinformation about the COVID-19 pandemic.

New Blacklist Data

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/14/2020-04/15/2020. During this period, RiskIQ analyzed 170,387 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 18,453 unique subject lines observed during the reporting period. The spam emails originated from 8,391 unique sending email domains and 19,694 unique SMTP IP Addresses. Analysts identified 583 emails which sent an executable file for Windows machines.

-----------

4/14/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/14

  • Thirty advocacy and research groups are urging Vice President Pence and the White House Coronavirus Task Force to combat COVID-19 fraud attempts and other patient harms. Hackers have continued to target the healthcare sector during the pandemic and the advocacy groups are urging the government to develop and distribute clear, decisive science-based methods to protect US individuals from online schemes, according to Health IT Security reporting.
  • Armor, a global cybersecurity software provider, has identified 17 new U.S. school districts and colleges that have been hit by ransomware since January. Only four of the schools reported the type of ransomware that was used to attack them. The malware used included Sodin, Ryuk, and Maze.
  • Cybercriminals are using dedicated JavaScript-based malware that targets WooCommerce to attack businesses operating online, according to LookingGlass reporting dated 4/13/2020. WooCommerce is a free, open-source WordPress plugin; cybercriminals brute-force admin passwords on WooCommerce and WordPress in order to plant card-skimming malware.
  • U.S. Federal Trade Commission says that approximately $12 million was lost to COVID-19 related scams according to complaints received since January 2020. According to the FTC, consumers reported losing a total of $12.78M to fraud with a median loss of $570. Related, there are nearly 142 open investigations into hoarding or price-gouging nationwide, with many more fraud investigations underway in every US Attorney’s Office in the country, according to CNN affiliate reporting.
  • As part of a case coordinated by Europol and Interpol, financial institutions and authorities across Germany, Ireland, the Netherlands, and the United Kingdom have foiled an attempt to cheat health authorities out of millions of euros by selling them non-existent face masks. This operation, which has already led to two arrests in the Netherlands, is ongoing as investigators across Europe work through the leads.

New Blacklist Data

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/13/2020-04/14/2020. During this period, RiskIQ analyzed 152,106 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 11,555 unique subject lines observed during the reporting period. The spam emails originated from 7,309 unique sending email domains and 11,153 unique SMTP IP Addresses. Analysts identified 44 emails that sent an executable file for Windows machines.

-----------

4/13/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/13

  • As companies begin to lock down their video conferencing calls behind passwords due to ‘zoombombing’ reports, attackers are now posting and selling video conferencing credentials online, according to DarkReading reporting. The credentials could be used for denial-of-service attacks and pranks such as Zoombombing, as well as for eavesdropping and social engineering.
  • San Francisco International Airport (SFO) on 04/10/2020 disclosed a data breach after two of its websites, SFOConnect.com and SFOConstruction.com, were hacked in March. According to a notice of data breach sent to all SFO Airport commission employees, the attackers may have gained access to the login credentials of users registered on the two breached sites, according to Bleeping Computer reporting.
  • Cisco Talos observed ransomware actors threatening to release sensitive information from victims as a means of further compelling them to pay. In one attack the cybercriminals attacked a government organization and published a ransom note and screenshots of compromised critical systems, including the Active Directory (AD) structure, on Twitter.
  • LookingGlass has observed a steady uptick in posts claiming to sell COVID-19 testing and treatment products, as well as protective gear. LookingGlass analysts also found numerous Telegram channels advertising hydroxychloroquine, chloroquine, and azithromycin—medications used to treat COVID-19 symptoms. The majority of these channels serve as bait and lead to third-party sources and rogue pharmacy websites that sell prescription drugs without prescriptions and ship them globally, including to the US.
  • Related, the FBI uncovered an international COVID-19 fraud scheme after more than 39 million masks promised to a California union representing health-care workers were never delivered to hospitals or other medical groups in the state, according to Fox News reporting. The FBI initially began to track the deal to determine if the 39 million masks should be intercepted for the Federal Emergency Management Agency under the Defense Production Act. That’s when the investigators found fraud had been committed.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/11/2020-04/13/2020. During this period, RiskIQ analyzed 309,145 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 29,946 unique subject lines observed during the reporting period. The spam emails originated from 7,108 unique sending email domains and 13,272 unique SMTP IP Addresses. Analysts identified 575 emails that sent an executable file for Windows machines.

-----------

4/11/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/11

  • Adapting to the new economic realities of COVID-19, cybercriminals are offering steep discounts on their services, tools, and stolen data. According to research by Group-IB and Gemini Advisory, dark web vendors began dropping prices anywhere from 20-40% at the end of February/early March to drive sales at least through April 2020.
  • On April 10, 2020, KrebsOnSecurity warned that the new Internal Revenue Service (IRS) site for Economic Impact Payments could make it easy for thieves to intercept some stimulus payments. Because millions of U.S. residents aren’t required to file a tax return, the IRS is asking these “non-filers” to use the new website to provide their bank account information to receive stimulus payments. However, the loose identification requirements, as well as the availability of Personally Identifiable Information (PII) online, will likely cause an increase in fraudulent applications.
  • According to research by Chainalysis, cryptocurrency scammers’ incomes fell 30% during March 2020, despite attempts to leverage COVID-19. Though they appear to be reaching similar numbers of victims, the cryptocurrency price drops spurred by the pandemic have drastically reduced the revenue of Ponzi schemes and investment scams that make up most cryptocurrency scamming.

New Blacklist Data

hxxp://kfc-covid-19[.]com/

hxxps://covid-19-test-org-uk[.]myshopify[.]com/

hxxps://covid19normalityrelief[.]com/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/10/2020-04/11/2020. During this period, RiskIQ analyzed 149,333 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 15,552 unique subject lines observed during the reporting period. The spam emails originated from 7,076 unique sending email domains and 11,152 unique SMTP IP Addresses. Analysts identified 1,718 emails that sent an executable file for Windows machines.

-----------

4/10/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/10

  • Phishing scammers have started to impersonate President Trump and Vice President Mike Pence in emails that distribute malware or perform extortion scams. These emails state they are the latest "Coronavirus Guidelines for America" and prompt the recipient to click on a link to download a document, according to Bleeping Computer reporting.
  • The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Cisco WebEx credentials via a security warning for the application, which Cisco’s own Secure Email Gateway fails to catch. Attackers are exploiting the fact that millions of people are working from home and using brands like WebEx to deliver malicious emails to users.
  • Over a 24-hour period, Microsoft detected a massive phishing campaign using 2,300 different web pages attached to messages and disguised as COVID-19 financial compensation information that actually led to a fake Office 365 sign-in page to capture credentials, according to Dark Reading reporting. Cybercriminals are also actively discussing the collaboration platforms, virtual private networks, and systems currently used by companies for remote work.
  • On 04/09/2020 Facebook filed a lawsuit in federal court in California against Basant Gajjar, according to the company’s blog. Gajjar provided cloaking software, LeadCloak, and services designed to circumvent automated ad review systems to run deceptive ads on Facebook and Instagram. LeadCloak’s software also targeted a number of other technology companies including Google, Oath, WordPress, Shopify, and others.
  • Apple Inc. and Google will build software together that would alert people if they were in contact with someone infected with the coronavirus, an unprecedented collaboration between two Silicon Valley giants and rivals. The project, which is certain to raise privacy concerns, offers the most concrete technological solution to date for governmental authorities searching for ways to lift, at least partially, lockdown orders that have swept across the nation.

New Blacklist Data

hxxps://chofnn-cn[.]com/coc/COVID-19/index[.]php

hxxps://crushincovid[.]com/

hxxps://webbfilms[.]co[.]uk/wp-content/plugins/plugins/amex/American-Express-Covid-19-Stay-at-home/

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/09/2020-04/10/2020. During this period, RiskIQ analyzed 127,186 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 14,700 unique subject lines observed during the reporting period. The spam emails originated from 8,724 unique sending email domains and 14,915 unique SMTP IP Addresses. Analysts identified 785 emails which sent an executable file for Windows machines.
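The spam statistics paragraph repeats in every daily section and always reports the same five figures. As an added example, not RiskIQ's own tooling, the Python below reproduces those figures over a constructed sample feed; it assumes the subject match is case-insensitive, that the SMTP IP is the bracketed literal in the topmost Received header, and that "executable file for Windows machines" means an attachment with an executable MIME type or filename extension.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Subject filter from the report: "*corona*" or "*covid*" anywhere in the
# subject. Assumption: the match is case-insensitive.
SUBJECT_RE = re.compile(r"corona|covid", re.IGNORECASE)
# Bracketed IPv4 literal as written by MTAs in Received: headers.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Assumption: "executable file for Windows machines" means an attachment
# with one of these MIME types or filename extensions.
EXE_MIME = {"application/x-msdownload", "application/x-dosexec",
            "application/vnd.microsoft.portable-executable"}
EXE_EXT = (".exe", ".scr", ".pif", ".cpl")


def sending_domain(msg: Message) -> str:
    """Lower-cased domain of the From: address, or '' if unparsable."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def smtp_ip(msg: Message) -> str:
    """IP of the host that handed the message to our MX: the bracketed
    literal in the topmost (most recently added) Received: header."""
    received = msg.get_all("Received") or []
    match = RECEIVED_IP_RE.search(received[0]) if received else None
    return match.group(1) if match else ""


def has_windows_executable(msg: Message) -> bool:
    """True if any non-container MIME part looks like a Windows executable."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in EXE_MIME or name.endswith(EXE_EXT):
            return True
    return False


def spam_statistics(raw_messages) -> dict:
    """Compute the report's five figures over raw RFC 5322 message strings."""
    matched = with_exe = 0
    subjects, domains, ips = set(), set(), set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = msg.get("Subject", "")
        if not SUBJECT_RE.search(subject):
            continue  # not part of the corona/covid subset
        matched += 1
        subjects.add(" ".join(subject.split()))  # normalise folding/whitespace
        if domain := sending_domain(msg):
            domains.add(domain)
        if ip := smtp_ip(msg):
            ips.add(ip)
        with_exe += has_windows_executable(msg)
    return {"emails": matched, "unique_subjects": len(subjects),
            "unique_sending_domains": len(domains),
            "unique_smtp_ips": len(ips), "with_windows_executable": with_exe}


def make_sample(subject, sender, ip, attachment=None) -> str:
    """Build a constructed raw message for the demo (not a real spam sample)."""
    raw = (f"Received: from relay.example.test (relay.example.test [{ip}])\n"
           "\tby mx.example.net with ESMTP\n"
           f"From: {sender}\nSubject: {subject}\nMIME-Version: 1.0\n")
    if attachment is None:
        return raw + "Content-Type: text/plain\n\nHello.\n"
    ctype, filename = attachment
    return (raw + 'Content-Type: multipart/mixed; boundary="B"\n\n'
            "--B\nContent-Type: text/plain\n\nSee attached.\n"
            f'--B\nContent-Type: {ctype}; name="{filename}"\n'
            f'Content-Disposition: attachment; filename="{filename}"\n\n'
            "(binary omitted)\n--B--\n")


# Constructed feed: four corona/covid subjects (two identical), two sending
# domains, three SMTP IPs, two Windows executables, one unrelated message.
SAMPLE_FEED = [
    make_sample("COVID-19 relief payment", "alerts@example-relief.test",
                "198.51.100.7", ("application/octet-stream", "relief.exe")),
    make_sample("Coronavirus test kits", "sales@example-relief.test",
                "203.0.113.9"),
    make_sample("Coronavirus test kits", "shop@example-pharma.test",
                "203.0.113.9", ("application/x-msdownload", "kits.bin")),
    make_sample("Your invoice", "billing@example-pharma.test", "192.0.2.44"),
    make_sample("Stay safe from covid", "shop@example-pharma.test",
                "192.0.2.44", ("application/pdf", "guide.pdf")),
]


def run_demo() -> dict:
    """Statistics for the constructed feed; the same call works on an mbox."""
    return spam_statistics(SAMPLE_FEED)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On the constructed feed this yields 4 emails, 3 unique subjects, 2 sending domains, 3 SMTP IPs and 2 messages carrying a Windows executable; the unrelated "Your invoice" message is excluded by the subject filter, and the .bin attachment is caught by its MIME type rather than its extension.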

-----------

4/9/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/9

  • According to researchers at Kaspersky Labs, nearly 120,000 malware and adware packages were observed in April on remote conferencing platforms, including Skype, Zoom, WebEx, GoToMeeting, Flock, Slack, join.me, Lifesize, HighFive, and Microsoft Teams. These platforms had DealPly adware, DownloadSponsor, malware disguised as .LNK files, and/or trojans.
  • Google issued a ban on the use of the Zoom teleconferencing platform for employees due to the recent security issues with the platform.
  • Interpol warned hospitals and healthcare organizations to be aware that cybercriminals are ramping up the number of ransomware attacks targeting their facilities. Related, RiskIQ’s researchers studied ransomware attacks on healthcare organizations and found that cybercriminals tend to go after small, direct-patient care facilities such as hospitals or health care centers, likely due to their lean security support. Cybercriminals often search for unknown, unprotected, and unmonitored digital assets which tend to increase as digital attack surfaces expand and become more complex with some staff working from home.
  • US Secret Service warned that cybercriminals are taking advantage of an unpatched, decades-old Microsoft Office vulnerability to deliver malware. The malware spreaders were seeking to exploit the two-decade-old Microsoft Office memory corruption vulnerability CVE-2017-11882, for which Microsoft released a security patch in November 2017.
  • Corporate technology leaders are facing shortages of laptops and other devices that have enabled the sudden shift to remote work amid the coronavirus pandemic, according to the Wall Street Journal.

-----------

4/8/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/8

  • A joint advisory published today by the U.K.’s National Cyber Security Centre (NCSC) and the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warns that malicious groups are targeting individuals and organizations with a range of ransomware and malware. The cybercriminals are also scanning for vulnerabilities in software and remote working tools, the agencies say. Likewise, CISA warned on 04/03/2020 that cybercriminals are exploiting critical vulnerabilities in the Firefox browser. Firefox has been updated to fix these flaws; users receive the update automatically unless they have disabled automatic updates.
  • China’s gamers were the largest group of victims amid a spike in internet scams during the country's COVID-19 outbreak as millions of quarantined people turned to online games to alleviate boredom. The Chinese experience should serve as a warning to other gamers as gaming services like Twitch and Discord are booming with millions of people shifting to life online, according to Bloomberg News.
  • Researchers found at least 10,450 accounts on Instagram that have popped up in the past few months selling masks, some of which appear to be scams and most of which aren’t vetted for safety or price concerns, according to the Washington Post.
  • NFL commissioner Roger Goodell on 04/06/2020 informed teams that they are to conduct their draft operations remotely. A draft conducted entirely online could be a target for professional hackers, which has some teams worried, including Ravens coach John Harbaugh, who cited recent reporting on “Zoombombing,” according to the Baltimore Sun and Star Telegram.
  • Google is issuing a ban on the use of the Zoom teleconferencing platform for employees due to the recent security issues with the platform. Additionally, one of Zoom’s shareholders filed a class-action lawsuit against the company.
  • As the COVID-19 pandemic forces the largest-ever remote workforce, it could supercharge the cybersecurity industry’s shift to cloud services, according to the Wall Street Journal.

-----------

4/7/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/7

  • Cyber actors are spoofing Zoom and other remote working tools to deploy malware, according to the LookingGlass Global Intelligence Update. These fake Zoom invitations are socially engineered to trick users unfamiliar with Zoom into installing cryptocurrency miners, adware, and/or remote access trojans. Relatedly, Michigan’s chief federal, state, and local law enforcement officials jointly warned that anyone who hacks into a teleconference can be charged with state or federal crimes.
  • NASA has experienced an exponential increase in malware attacks and a doubling of agency devices trying to access malicious sites in the past few days, the space agency’s Office of the Chief Information Officer said. Tricking people into clicking on malicious links or opening malicious email attachments remains one of the easiest ways to gain entry into enterprise networks and individual computers alike.
  • Kentucky FBI Special Agent in Charge Robert Brown warned about robocalls selling fake medical supplies such as masks or COVID-19 tests. He also warned of fake testing tents that offer coronavirus tests for $240 while the criminals collect people’s Medicaid and Social Security information.
  • London police have seen as many as 50 scam reports a day with many related to an email asking for donations to buy “medical preparations and supplies” for the National Health Service to cope with COVID-19. Other scams purporting to be official messages from the government include texts telling people they have been fined £250 for leaving their home more than once during the lockdown, according to the Guardian.
  • Interpol has issued an alert to global police about the heightened risk of ransomware attacks on hospitals and other front-line organizations as they battle the COVID-19 pandemic.

-----------

4/6/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/6

  • Europol and Interpol on 04/06/2020 issued an alert warning about COVID-19-related cybercrime, noting that cybercriminals are taking advantage of the many people now working from home on systems with outdated security.
  • USA Today on 04/04/2020 reported a new fraud scheme in which attackers send emails asking Amazon users to sign into their accounts to receive a free bottle of hand sanitizer. Another new campaign targets smartphones with text messages promising an app that tracks the spread of COVID-19 in the user’s community; downloading the app unknowingly gives cybercriminals remote access to the phone.
  • Other recently reported cyberattacks include: cybercriminals impersonating IT help desks; hackers sending phishing emails that use terms such as “reset password” or “business continuity” to create urgency; and attackers sending phishing emails that impersonate a company’s president to deliver an attachment disguised as tips to prevent infection. Likewise, a recently uncovered spear-phishing campaign is using fears of the COVID-19 pandemic to spread an information stealer called LokiBot, according to Bank Info Security reporting. The emails contain an attachment with a .exe file name that, if opened, installs LokiBot on the device to capture credentials and other data.
  • Following several reports that Zoom has attracted trolls and hackers as well as scrutiny from privacy experts, Eric Yuan, chief executive of Zoom Video Communications Inc., reportedly stated that “I really messed up” on security as COVID-19 increased the video tool’s demand, according to the Wall Street Journal.
  • Russia is directing COVID-19-related disinformation at Eastern European audiences in a bid to drive anti-NATO sentiment among virus-spooked populations, according to Defense One reporting. One method it is using is hacking a legitimate news site to post a false story. Relatedly, Russia’s state-owned telecommunications firm Rostelecom was involved in an apparent incident that hijacked the traffic of more than 200 content delivery networks and cloud hosting providers, including Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, and Digital Ocean, according to Security Affairs reporting.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/03/2020-04/06/2020. During this period, RiskIQ analyzed 262,902 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 6,835 unique subject lines observed during the reporting period. The spam emails originated from 3,887 unique sending email domains and 10,242 unique SMTP IP Addresses. Analysts identified 1,532 emails that sent an executable file for Windows machines.

-----------

4/4/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/4

  • In a financial disclosure form filed with the U.S. Securities and Exchange Commission on Wednesday 04/01/2020, 10x Genomics Inc. said it experienced an attempted ransomware attack that also involved the theft of company data, according to Cyberscoop reporting. A 03/13/2020 tweet from the Israeli security firm Under the Breach reports that attackers using the REvil/Sodinokibi ransomware claimed to have stolen one terabyte of data from 10x Genomics.
  • Trend Micro recently investigated an incident involving a company that was hit by the Nefilim ransomware, which was initially discovered in March 2020.
  • Thousands of potential phishing sites have been created to target Zoom users as usage increases, according to Information Age reporting. According to the report, more than 3,300 new domain names containing the word “Zoom” have been registered since the beginning of 2020. Over 30% of these new domains have an active email server, which indicates they are being used to send phishing emails.
  • The Internal Revenue Service (IRS) has seen a wave of new and evolving phishing schemes against taxpayers. On 04/04/2020, the IRS sent out a warning urging taxpayers to be on the lookout for calls and email phishing attempts about COVID-19 that can lead to tax-related fraud and identity theft.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/03/2020-04/04/2020. During this period, RiskIQ analyzed 223,697 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 20,779 unique subject lines observed during the reporting period. The spam emails originated from 10,536 unique sending email domains and 18,565 unique SMTP IP Addresses. Analysts identified 241 emails that sent an executable file for Windows machines.

-----------

4/3/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/3

  • Marriott International disclosed on Tuesday 03/31/2020 a new data breach that impacted 5.2 million guests, according to CNET reporting. The hotel group said information exposed may include names, addresses, emails, phone numbers and birthdays as well as loyalty account details and information like room preferences.
  • ThreatPost reporting provided details about a spoofing campaign that promises users important information about new coronavirus cases in their local area. The phishing emails don’t include specific names or greetings in the body of the messages, suggesting they are being sent out to a broad target audience.
  • A separate ThreatPost report indicates older phishing kits that were previously deployed and then retired are resurfacing and targeting people working from home. Attackers are using recycled phishing kits from as far back as July 2019 in coronavirus-based phishing attacks.
  • Security researchers are now seeing malware that either wipes victims’ computers entirely or corrupts the master boot record of Windows machines, leaving the hard drive unusable. There is no financial gain from doing this. According to IT World Canada, victims will know they have been hit if a message pops up saying coronavirus has been installed.
  • Microsoft has started to send targeted notifications to dozens of hospitals about vulnerable public-facing VPN devices and gateways located on their network. As part of their tracking of various groups behind human-operated ransomware attacks, Microsoft has seen one of the operations known as REvil (Sodinokibi) targeting vulnerabilities in VPN devices and gateway appliances to breach a network, according to BleepingComputer.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/02/2020-04/03/2020. During this period, RiskIQ analyzed 222,897 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 16,097 unique subject lines observed during the reporting period. The spam emails originated from 9,190 unique sending email domains and 17,839 unique SMTP IP Addresses. Analysts identified 313 emails that sent an executable file for Windows machines.

-----------

4/2/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/2

  • Group-calling app Houseparty says rumors it's been hacked are a paid smear campaign, and the company is offering $1 million to anyone able to prove it. According to Business Insider reporting, Houseparty app users have been complaining on social media that their PayPal, Netflix, Spotify, and online-banking accounts were compromised.
  • Healthcare providers and medical facilities in the U.S. and Europe have seen a surge of ransomware attacks, according to Fortune reporting. C5, a venture capital firm stated in the Fortune report that it has seen “a number of instances where clinical labs involved in testing, or major hospitals, have suffered ransomware attacks, where all their IT systems have been knocked down.”
  • ZDNet has identified at least five malware strains, some distributed in the wild, while others appear to have been created only as tests or jokes. The common theme among all four samples is that they use a COVID-19 theme and are geared towards destruction rather than financial gain.
  • Cybercriminals are exploiting COVID-19 to launch cyberattacks and, according to the World Economic Forum (WEF), passwords are one of the most vulnerable targets of attacks. Getting rid of passwords can improve security, lower costs and increase usability, according to WEF.
  • Hackers working in the interests of the Iranian government have attempted to break into the personal email accounts of staff members at the World Health Organization, according to Reuters reporting. This latest effort has been ongoing since 03/02/2020 and the cyber criminals are attempting to steal passwords from WHO staff by sending malicious messages designed to mimic Google web services to their personal email accounts.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 04/01/2020-04/02/2020. During this period, RiskIQ analyzed 214,680 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 31,802 unique subject lines observed during the reporting period. The spam emails originated from 26,025 unique sending email domains and 18,994 unique SMTP IP Addresses. Analysts identified 143 emails that sent an executable file for Windows machines.

-----------

4/1/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 4/1

  • The Zeus Sphinx banking Trojan recently resurfaced after a three-year hiatus as part of a coronavirus-themed phishing campaign, according to BleepingComputer.
  • Cofense Phishing Defense Center (PDC) has witnessed a surge in COVID-19 phishing campaigns found in environments protected by Proofpoint and Microsoft Office 365 ATP.
  • Guardicore Labs reported that they uncovered a sustained malicious campaign dating back to May 2018 that targets Windows machines running MS-SQL servers to deploy backdoors and other kinds of malware, including multi-functional remote access tools and cryptominers.
  • Computer hackers attacked Italy's social security website, forcing it to shut down on Wednesday. The attacks occurred as people began applying for COVID-19 benefits, according to Reuters.
  • LookingGlass analyzed the security flaws previously reported in the Zoom teleconferencing software. After examining 1,689 fully qualified domain names using the Zoom name, they found 534 network elements whose behavior was consistent with a vulnerable or suspicious domain. These domains are being used to steal credentials, install malware, and redirect users to potentially malicious destinations. Likewise, HackerNews reported that Zoom users on Windows are vulnerable to a ‘UNC path injection’ vulnerability that could let remote attackers steal login credentials. Related reporting by Business Insider found that trolls are breaking into Alcoholics Anonymous meetings held via Zoom and harassing participants with slurs and mentions of alcohol. Zoom said it was "deeply upset" to learn of the incident and encouraged users to turn on maximum security settings.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/31/2020-04/01/2020. During this period, RiskIQ analyzed 173,164 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 19,479 unique subject lines observed during the reporting period. The spam emails originated from 10,997 unique sending email domains and 15,489 unique SMTP IP Addresses. Analysts identified 518 emails which sent an executable file for Windows machines.

-----------

3/31/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/31

  • Department of Health and Human Services Office of the Inspector General (OIG)'s updated strategy for 2020 to 2025 outlines its goals to fight fraud and abuse, promote quality and safety, and advance innovation. Fighting against cybersecurity threats within the HHS and the healthcare sector is one of the newly added priorities in the OIG’s strategy, according to Bloomberg Law reporting.
  • An Interisle Consulting Group study reveals widespread problems with access to and the reliability of domain name registration data systems (WHOIS). These failures have real-life security implications, which are being seen in the current wave of cybercrime accompanying the COVID-19 pandemic.
  • RiskIQ has observed a large malware campaign originating from an Iranian-operated IP address (see Appendix A). The campaign seeks to trick users by impersonating Dr. Gauden Galea, the official WHO Representative in China, and asking recipients to read an attached PDF for updates regarding the novel coronavirus. The email server, 194.180.224.65, has sent over 3,500 emails containing the AgentTesla malware family in the last week alone. The emails arrive from the spoofed address galleag@who.int with a display name of "WHO Representative." RiskIQ continues to monitor and research the campaign.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/30/2020-03/31/2020. During this period, RiskIQ analyzed 217,169 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 15,692 unique subject lines observed during the reporting period. The spam emails originated from 9,592 unique sending email domains and 15,700 unique SMTP IP Addresses. Analysts identified 1,625 emails that sent an executable file for Windows machines.

-----------

3/30/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/30

  • Remote work by hospital support staff makes it harder for their IT teams to police computer systems and prevent cyberattacks, according to the Wall Street Journal. Unfortunately, Ryuk ransomware operators continue to target hospitals even as these organizations are overwhelmed during the COVID-19 pandemic, according to BleepingComputer.
  • FireEye reported that attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such as stimulus checks, unemployment compensation and small business loans. It expects future campaigns to incorporate these themes in proportion to the media’s coverage of these topics.
  • Attackers are attempting to deliver Remcos remote access tool (RAT) payloads to the systems of small businesses via phishing emails impersonating the U.S. Small Business Administration, according to BleepingComputer. Separately, BleepingComputer found another new phishing campaign that pretends to be from a local hospital telling recipients they have been exposed to COVID-19 and need to be tested, but is actually an effort to spread malware.
  • US Federal Trade Commission (FTC) warned nine VoIP service providers against assisting and facilitating illegal robocalls designed to capitalize on public anxiety surrounding the COVID-19 pandemic, according to BleepingComputer.
  • Orders for laptops, servers, and networking gear are being delayed for at least one to two months, according to research by We Live Security. Smaller businesses may find it even more difficult to obtain computers and related equipment, creating a self-amplifying chain of events that affects a widening range of business functions.
  • As COVID-19 slowly spread across the globe, consumer demand for commercial virtual private network (VPN) services has soared. While helpful for allowing remote users to connect securely to corporate applications, these VPNs are not immune to attack and compromise, according to Help Net Security.
  • Many European telecommunications companies are sharing mobile location data with governments to follow people’s movements after COVID-19 lockdowns, focusing on compliance with privacy rules by anonymizing the data, according to the Wall Street Journal.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/28/2020-03/30/2020. During this period, RiskIQ analyzed 439,972 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 40,099 unique subject lines observed during the reporting period. The spam emails originated from 41,839 unique sending email domains and 34,105 unique SMTP IP Addresses. Analysts identified 2,324 emails that sent an executable file for Windows machines.

-----------

3/28/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/28

  • Ryuk Ransomware operators continue to target hospitals, even as these organizations are overwhelmed during the coronavirus pandemic. (Please see RiskIQ’s intelligence report entitled, “Ransomware Attacks the Next Consequence of the Coronavirus Outbreak,” for additional information on the tools and techniques preferred by threat actors during times of regional or global crisis.)
  • New COVID-19 bitcoin scam promises victims “millions” by working from home. According to a Malwarebytes blog posting, the dubious COVID-19 bitcoin missives are sent via phishing emails.
  • According to Naked Security reporting on 03/26/2020, researchers have seen evidence that hackers are targeting home delivery food apps. The hackers use the apps in an effort to scam customers out of their personal information, including their credit card numbers.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/27/2020-03/28/2020. During this period, RiskIQ analyzed 81,823 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 9,739 unique subject lines observed during the reporting period. The spam emails originated from 11,856 unique sending email domains and 12,296 unique SMTP IP Addresses. Analysts identified 1,026 emails that sent an executable file for Windows machines.

-----------

3/27/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/27

  • There has been a steady increase in the number of COVID-19-related email attacks since January, according to security firm Barracuda Networks, but researchers observed a recent spike in this type of attack, up 667% since the end of February. According to TechRepublic reporting, between March 1 and March 23, researchers detected 467,825 spear-phishing email attacks, and 9,116 of those detections were related to COVID-19, representing about 2% of attacks.
  • According to Naked Security reporting, researchers have seen evidence that hackers are targeting home delivery food apps.
  • A new COVID-19 bitcoin scam promises victims “millions” by working from home. According to a Malwarebytes blog posting, the dubious COVID-19 bitcoin missives are sent via phishing emails.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/26/2020-03/27/2020. During this period, RiskIQ analyzed 265,952 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 20,588 unique subject lines observed during the reporting period. The spam emails originated from 31,734 unique sending email domains and 24,306 unique SMTP IP Addresses. Analysts identified 163 emails that sent an executable file for Windows machines.

-----------

3/26/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/26

  • Hackers are tampering with routers’ Domain Name System (DNS) settings as telework surges around the world.
  • The Ginp banking Trojan is using information about people infected with coronavirus as bait to lure Android users into giving away credit card data, according to the Kaspersky Daily blog.
  • The threat actors behind the WordPress WP-VCD malware have started to distribute modified versions of Coronavirus plugins that inject a backdoor into a web site, according to BleepingComputer.
  • Employees are urged to turn off smart speakers while working from home during the coronavirus pandemic over fears of privacy risks. Mishcon de Reya LLP, the UK law firm, advised staff to mute or shut off listening devices such as Amazon's Alexa or Google's voice assistant when they discuss client matters at home, according to UK Daily Mail reporting.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/25/2020-03/26/2020. During this period, RiskIQ analyzed 229,298 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 15,905 unique subject lines observed during the reporting period. The spam emails originated from 34,043 unique sending email domains and 24,779 unique SMTP IP Addresses. Analysts identified 699 emails which sent an executable file for Windows machines.

-----------

3/25/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/25

  • General Electric (GE) disclosed that personally identifiable information of current and former employees, as well as beneficiaries, was exposed in a security incident experienced by one of GE's service providers, according to a BleepingComputer report on 03/23/2020.
  • A hacking group targeted the World Health Organization earlier this month with an apparently unsuccessful spear-phishing campaign designed to harvest credentials as the United Nations organization was grappling with the global COVID-19 pandemic.
  • More than 50 Android apps on the Google Play Store—most of which were designed for kids—have been caught using a new trick to secretly click on ads without the knowledge of smartphone users.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/24/2020-03/25/2020. During this period, RiskIQ analyzed 181,189 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 17,051 unique subject lines observed during the reporting period. The spam emails originated from 28,661 unique sending email domains and 24,737 unique SMTP IP Addresses. Analysts identified 55 emails that sent an executable file for Windows machines.

-----------

3/24/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/24

  • BankInfoSecurity summarized the latest schemes targeting remote workers on 03/23/2020. The FBI issued a warning Friday after agents reported seeing spam and phishing campaigns that use government economic stimulus checks as lures.
  • The FBI warned of messages spoofing the U.S. Centers for Disease Control and Prevention, a tactic fraudsters used earlier.
  • Forbes reported that Hammersmith Medicines Research, a British medical facility on standby to help test any COVID-19 vaccine, was attacked by a ransomware group that had previously promised not to target medical organizations.
  • CrowdStrike confirmed on 03/24/2020 that a U.S.-based utility company experienced a third-party data breach. Maze ransomware (CSIT-20016) breached one of the company’s suppliers, resulting in TWISTED SPIDER publicly exposing the supplier’s files—among them data belonging to the power company.
  • BleepingComputer reported that an HHS.gov open redirect is currently being used by attackers to push malware payloads onto unsuspecting victims' systems with the help of coronavirus-themed phishing emails.
  • Hong Kong iOS users have reportedly been targeted with mobile malware via local news links, according to Trend Micro reporting on 03/24/2020.
  • The European Commission urged Europe's telecom giants to share mobile data from users in order to help predict the spread of COVID-19 and determine where people's need for medical supplies is most pressing.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/23/2020-03/24/2020. During this period, RiskIQ analyzed 204,303 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 22,747 unique subject lines observed during the reporting period. The spam emails originated from 35,529 unique sending email domains and 29,118 unique SMTP IP Addresses. Analysts identified 1,160 emails that sent an executable file for Windows machines.

-----------

3/23/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/23

  • The Department of Justice raised its first federal court action against online fraud relating to COVID-19. According to ThreatPost reporting, the website, “coronavirusmedicalkit.com,” offered to give away free vaccine kits that it claimed were manufactured by the World Health Organization. In reality, the cybercriminals first asked buyers to input their payment card information on the website in order to pay a shipping charge of $4.95. Then, they would steal that credit card and personal information.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/22/2020-03/23/2020. During this period, RiskIQ analyzed 243,881 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 38,698 unique subject lines observed during the reporting period. The spam emails originated from 40,849 unique sending email domains and 22,567 unique SMTP IP Addresses. Analysts identified 237 emails which sent an executable file for Windows machines.

-----------

3/22/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/22

  • Video chat company Zoom alerted customers to a security issue where outsiders have been hijacking group chats by taking advantage of a screen-sharing function to show lewd content. Zoom offered some ways to secure its video conference tool from “Zoombombing”: only allow the host to screen share, password protect your meetings, and lock the meeting once all participants have joined.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/21/2020-03/22/2020. During this period, RiskIQ analyzed 160,648 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 27,560 unique subject lines observed during the reporting period. The spam emails originated from 15,980 unique sending email domains and 21,070 unique SMTP IP Addresses. Analysts identified 2 emails which sent an executable file for Windows machines.

-----------

3/21/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/21

  • Sentinel Labs researchers reported yesterday that they have seen a significant number of malware campaigns, spam campaigns, and scams related to COVID-19. They have identified scams where multiple dark web sites claim to sell COVID-19 supplies (masks, sanitization and cleaning supplies) directly for bitcoin. In reality, the scammer collects the money and does not deliver anything. Other bogus sites are claiming to sell non-existent vaccines and charging victims $5,000. They also observed criminals selling COVID-19 malware/phishing ‘kits’ for less than $1,000.
  • Interpol arrested 121 individuals during an international operation, dubbed Operation Pangea XIII, aimed at countering the illegal online sale of medical supplies and medicine; more than 90 nations took part in the operation. Authorities found over 2,000 online advertisements relating to COVID-19. Interpol said in a statement that it seized more than 34,000 counterfeit, unauthorized, and substandard products, including masks and antiviral medications.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/20/2020-03/21/2020. During this period, RiskIQ analyzed 193,133 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 39,760 unique subject lines observed during the reporting period. The spam emails originated from 14,127 unique sending email domains and 22,439 unique SMTP IP Addresses. Analysts identified 135 emails that sent an executable file for Windows machines.

-----------

3/20/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/20

  • The FBI announced that, with the “significant spike” in scams across the nation, it anticipates criminals will zero in on three states with high rates of infection: WA, CA and NY.
  • Secretary of State Pompeo accused China, Russia, and Iran of carrying out disinformation campaigns related to COVID-19.
  • An ongoing phishing campaign is delivering emails written to appear as official messages from the Director-General of the World Health Organization (WHO). The emails spread HawkEye malware payloads onto the devices of unsuspecting victims.
  • The US government is in active talks with Facebook, Google and a wide array of tech companies and health experts about how it can use data gleaned from Americans’ phones to combat COVID-19, including tracking whether people are maintaining a safe distance from one another. Israel and China already use similar technology to combat the spread.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/19/2020-03/20/2020. During this period, RiskIQ analyzed 202,558 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 20,387 unique subject lines observed during the reporting period. The spam emails originated from 14,232 unique sending email domains and 20,337 unique SMTP IP Addresses. Analysts identified 1,558 emails that sent an executable file for Windows machines.

-----------

3/19/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/19

  • The DDoS attack on the US Department of Health and Human Services (HHS) website on Sunday is now believed to be part of a coordinated campaign.
  • Russian media have deployed a “significant disinformation campaign” against the West to worsen the impact of the coronavirus, generate panic, and sow distrust.
  • Hackers are exploiting the COVID-19 outbreak to spread their own infections.
  • Thousands of COVID-19 scam and malware sites are being created on a daily basis. RiskIQ saw more than 13.5K suspicious domains on 3/15, more than 35K domains the next day, and more than 17K domains the day after that.
  • The TrickBot and Emotet Trojans have started to add text from COVID-19 news stories in an attempt to bypass security software that uses artificial intelligence and machine learning to detect malware.
  • Cybercriminals continue to take advantage of the increased communication about COVID-19 by lacing mobile applications with a trojan.
  • Some ransomware operators claim they will no longer target health and medical organizations.
  • The Federal Deposit Insurance Corporation (FDIC) issued a statement Wednesday warning about an increase in scams trying to sow distrust in the U.S. financial system.
  • The Federal Trade Commission (FTC) warned consumers on Wednesday about possible scams related to US government plans to send money by check or direct deposit.
  • Twitter updated its safety policy to prohibit tweets that “could place people at a higher risk of transmitting COVID-19.”

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/18/2020-03/19/2020. During this period, RiskIQ analyzed 268,382 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 20,271 unique subject lines observed during the reporting period. The spam emails originated from 14,279 unique sending email domains and 20,962 unique SMTP IP Addresses. Analysts identified 1,099 emails that sent an executable file for Windows machines.

-----------

3/18/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/18

  • Attorney General Barr prioritized prosecuting cybercriminals exploiting COVID-19.
  • RiskIQ discovers the top 25 phishing subject lines and COVID-19 exploit tactics.
  • RiskIQ identifies the top subjects used with executable attachments.
  • RiskIQ pinpoints the most common COVID-19 spam origins; the United States leads the list.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/17/2020-03/18/2020. During this period, RiskIQ analyzed 215,490 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 20,131 unique subject lines observed during the reporting period. The spam emails originated from 15,198 unique sending email domains and 22,425 unique SMTP IP Addresses. Analysts identified 1,232 emails that sent an executable file for Windows machines.

-----------

3/17/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report - 3/17

  • FBI issues public alert for malicious websites and apps, deception involving #COVID19 cases
  • Alert comes one day after a cyber-attack on the US Department of Health and Human Services
  • Large internet companies issue joint statement aimed to curb misinformation on #COVID19, group includes Facebook, LinkedIn, Google, Microsoft, YouTube, and Twitter among others
  • Cybercriminals exploit #COVID19 uncertainty, launch new attacks with trojan and phishing techniques

RiskIQ’s External Threats platform identified 31 URLs that appear to be malicious. The platform discovered these URLs by cross-indexing automated searches of the keywords “COVID-19” and “Coronavirus” with malware and phishing detection tools.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/13/2020-03/16/2020. During this four-day period, RiskIQ analyzed 437,887 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 54,847 unique subject lines observed during the reporting period. The spam emails originated from 32,535 unique sending email addresses and 44,165 unique SMTP IP Addresses. Analysts identified 536 emails that sent an executable file for Windows machines.
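As an added example (not RiskIQ's tooling), the Python below reproduces the counts listed in these spam statistics paragraphs from a raw message feed: it applies the case-insensitive “corona”/“covid” subject filter, collects unique subject lines, sending domains and originating SMTP IPs, and flags Windows executables by their MZ magic bytes rather than by file extension. The Received-header parsing and the sample feed are constructed assumptions for the demo.

```python
import re
from collections import Counter
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Case-insensitive equivalent of the report's "*corona*" / "*covid*" subject filter.
SUBJECT_RE = re.compile(r"corona|covid", re.IGNORECASE)
# Assumption: the feed keeps the originating MTA's Received line outermost, with
# the connecting SMTP IP as a bracketed IPv4 literal.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_windows_executable(part):
    """Flag a MIME part as a Windows PE file by its MZ header, not its filename."""
    if part.get_content_maintype() == "multipart":
        return False
    payload = part.get_payload(decode=True)
    return bool(payload) and payload[:2] == b"MZ"

def summarize(raw_messages):
    """Compute the per-period counts the reports list over raw RFC 5322 text."""
    subjects, domains, ips = set(), set(), set()
    matched = with_exe = 0
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        subject = msg.get("Subject", "")
        if not SUBJECT_RE.search(subject):
            continue                      # not a COVID-themed message; skip
        matched += 1
        subjects.add(subject.strip())
        domains.add(parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower())
        ip = RECEIVED_IP_RE.search(msg.get("Received", ""))
        if ip:
            ips.add(ip.group(1))
        if any(is_windows_executable(p) for p in msg.walk()):
            with_exe += 1
    return {"emails": matched, "unique_subjects": len(subjects),
            "unique_domains": len(domains), "unique_ips": len(ips),
            "with_windows_exe": with_exe}

def build_sample(subject, sender, smtp_ip, attachment=None):
    """Construct one raw message for the demo (constructed data, not a real feed)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg["Received"] = f"from relay.example ([{smtp_ip}]) by mx.example.test"
    msg.set_content("Please see the attached guidance.")
    if attachment:                        # (filename, bytes) -> base64 attachment
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_string()

# Constructed feed: two COVID subjects repeat, one carries a fake PE stub with a
# double extension, and one non-COVID executable is correctly left out.
SAMPLE_FEED = [
    build_sample("COVID-19 relief update", "news@a.example", "198.51.100.7"),
    build_sample("Re: Corona virus advisory", "info@b.example", "203.0.113.9",
                 ("guidance.pdf.exe", b"MZ\x90\x00fake-pe-stub")),
    build_sample("COVID-19 relief update", "alerts@a.example", "198.51.100.7"),
    build_sample("Invoice overdue", "billing@c.example", "192.0.2.1",
                 ("report.exe", b"MZ\x90\x00fake-pe-stub")),
]
```

Running `summarize(SAMPLE_FEED)` yields 3 matching emails, 2 unique subjects, 2 sending domains, 2 SMTP IPs and 1 email carrying a Windows executable.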
