At the request of our customers, March 9th, RiskIQ’s team of trained intelligence analysts began compiling disparate data and intelligence related to COVID-19 into comprehensive daily reports. Each report combines major updates around COVID-19 and its impacts on cities, neighborhoods, schools, and businesses as well as essential cybercrime data that helps raise the situational awareness of both physical and cybersecurity teams.

Purpose

This intelligence will help inform the decisions of security teams, who face new requirements during these unprecedented times. Here, RiskIQ strives to provide the security community with a single source of factual reporting and informed analysis to help the security community discover unknowns about their environment and investigate threats.

4/1/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 4/1

• Zeus Sphinx banking Trojan recently resurfaced after a three years hiatus as part of a coronavirus-themed phishing campaign, according to BleepingComputer.
• Cofense Phishing Defense Center (PDC) has witnessed a surge in COVID-19 phishing campaigns found in environments protected by Proofpoint and Microsoft Office 365 ATP.
• Guardicore Labs reported that they uncovered a sustained malicious campaign dating back to May 2018 that targets Windows machines running MS-SQL servers to deploy backdoors and other kinds of malware, including multi-functional remote access tools and cryptominers.
• Computer hackers attacked Italy’s social security website, forcing it to shut down on Wednesday. The attacks occurred as people began applying for COVID-19 benefits, according to Reuters.
• LookingGlass analyzed the security flaws previously reported about Zoom teleconferencing software. After looking at 1,689 fully qualified domain names using the Zoom name they found 534 network elements that exhibit behavior that was consistent with a vulnerable or suspicious domain. These domains are being used to steal credentials, install malware, and redirect users to potentially malicious destinations. Likewise, HackerNews reported that Zoom windows users are vulnerable to the ‘UNC path injection’ vulnerability that could let remote attackers steal login credentials. Related reporting by Business Insider found that trolls are breaking into Alcoholics Anonymous meetings held via Zoom and harassing participants with slurs and mentions of alcohol. Zoom said it was “deeply upset” to learn of the incident and encouraged users to turn on maximum security settings.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/31/2020-04/01/2020. During this period, RiskIQ analyzed 173,164 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 19,479 unique subject lines observed during the reporting period. The spam emails originated from 10,997 unique sending email domains and 15,489 unique SMTP IP Addresses. Analysts identified 518 emails which sent an executable file for Windows machines.

———–

3/31/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/31

• Department of Health and Human Services Office of the Inspector General (OIG)’s updated strategy for 2020 to 2025 outlines its goals to fight fraud and abuse, promote quality and safety, and advance innovation. Fighting against cybersecurity threats within the HHS and the healthcare sector is one of the newly added priorities in the OIG’s strategy, according to Bloomberg Law reporting.
• An Interisle Consulting Group study reveals widespread problems with access to and the reliability of domain name registration data systems (WHOIS). These failures have real-life security implications, which are being seen in the current wave of cybercrime accompanying the COVID-19 pandemic.
• RiskIQ has observed a large malware campaign originating out of an Iranian-operated IP address (see Appendix A). The campaign seeks to trick users by impersonating Dr. Gaudean Galea, the official WHO Representative in China, and asking end-users to read an attached PDF for updates regarding the novel coronavirus. The email server, 194.180.224.65, has sent over 3,500 emails containing the AgentTesla malware family in the last week alone. The emails are received from the spoofed address of galleag@who.int with a display name of “WHO Representative.” RiskIQ continues to further observe and research the campaign.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/30/2020-03/31/2020. During this period, RiskIQ analyzed 217,169 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 15,692 unique subject lines observed during the reporting period. The spam emails originated from 9,592 unique sending email domains and 15,700 unique SMTP IP Addresses. Analysts identified 1,625 emails that sent an executable file for Windows machines.

———–

3/30/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/30

• Remote work by hospital support staff makes it harder for their IT teams to police computer systems and prevent cyberattacks, according to the Wall Street Journal. Unfortunately, Ryuk Ransomware operators continue to target hospitals even as these organizations are overwhelmed during the COVID-19, according to BleepingComputer.
• Fireeye reported that attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such as stimulus checks, unemployment compensation and small business loans. It expects future campaigns to incorporate these themes in proportion to the media’s coverage of these topics.
• Attackers are attempting to deliver Remcos remote access tool (RAT) payloads on the systems of small businesses via phishing emails impersonating the U.S. Small Business Administration, according to BleepingComputer. Separately, BleepingComputer found another new phishing campaign that pretends to be from a local hospital telling recipients they have been exposed to COVID-19 and they need to be tested, but it’s actually an effort to spread Malware.
• US Federal Trade Commission (FTC) warned nine VoIP service providers against assisting and facilitating illegal robocalls designed to capitalize on public anxiety surrounding the COVID-19 pandemic, according to BleepingComputer.
• Orders for laptops, servers, networking gear are being delayed for at least one-two months, according to research by We Live Security. Smaller businesses may find it even more difficult to obtain computers and related equipment, creating a self-amplifying chain of events that increasingly impacts a whole series of business issues.
• As COVID-19 slowly spread across the globe, consumer demand for commercial virtual private network (VPN) services has soared. While helpful for allowing remote users to securely connect to corporate applications the VPNs are not immune to attack and compromise, according to Help Net Security.
• Many European telecommunications companies are sharing mobile location data with governments to follow people’s movements after COVID-19 lockdowns, focusing on compliance with privacy rules by anonymizing the data, according to the Wall Street Journal.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/28/2020-03/30/2020. During this period, RiskIQ analyzed 439,972 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 40,099 unique subject lines observed during the reporting period. The spam emails originated from 41,839 unique sending email domains and 34,105 unique SMTP IP Addresses. Analysts identified 2,324 emails that sent an executable file for Windows machines.

———–

3/28/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/28

• Ryuk Ransomware operators continue to target hospitals, even as these organizations are overwhelmed during the coronavirus pandemic. (Please see RiskIQ’s intelligence report entitled, “Ransomware Attacks the Next Consequence of the Coronavirus Outbreak,” for additional information on the tools and techniques preferred by threat actors during times of regional or global crisis.)
• New COVID-19 bitcoin scam promises victims “millions” by working from home. According to a Malwarebytes blog posting, the dubious COVID-19 bitcoin missives are sent via phishing emails.
• According to Naked Security reporting on 03/26/2020, researchers have seen evidence that hackers are targeting home delivery food apps. The hackers use the apps in an effort to scam customers out of their personal information, including their credit card numbers.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/27/2020-03/28/2020. During this period, RiskIQ analyzed 81,823 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 9,739 unique subject lines observed during the reporting period. The spam emails originated from 11,856 unique sending email domains and 12,296 unique SMTP IP Addresses. Analysts identified 1,026 emails that sent an executable file for Windows machines.

———–

3/27/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/27

• There has been a steady increase in the number of COVID-19-related email attacks since January, according to security firm Barracuda Networks, but researchers observed a recent spike in this type of attack, up 667% since the end of February. According to TechRepublic reporting, between March 1 and March 23, researchers detected 467,825 spear-phishing email attacks, and 9,116 of those detections were related to COVID-19, representing about 2% of attacks.
• According to Naked Security reporting, researchers have seen evidence that hackers are targeting home delivery food apps
• A new COVID-19 bitcoin scam promises victims “millions” by working from home. According to a Malwarebytes blog posting, the dubious COVID-19 bitcoin missives are sent via phishing emails.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/26/2020-03/27/2020. During this period, RiskIQ analyzed 265,952 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 20,588 unique subject lines observed during the reporting period. The spam emails originated from 31,734 unique sending email domains and 24,306 unique SMTP IP Addresses. Analysts identified 163 emails that sent an executable file for Windows machines.

———–

3/26/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/26

• Hackers are messing with routers’ Domain Name System (DNS) settings as telework surges around the world.
• The Ginp banking Trojan is using information about people infected with coronavirus as bait to lure Android users into giving away credit card data, according to Kaspersky daily blog.
• The threat actors behind the WordPress WP-VCD malware have started to distribute modified versions of Coronavirus plugins that inject a backdoor into a web site, according to BleepingComputer.
• Employees are urged to turn off smart speakers while working from home during the coronavirus over fears of privacy risks. Mishcon de Reya LLP, the UK law firm, advised staff to mute or shut off listening devices like Amazon’s Alexa or Google’s voice assistant when they talk about client matters at home, according to UK Daily Mail reporting.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/25/2020-03/26/2020. During this period, RiskIQ analyzed 229,298 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 15,905 unique subject lines observed during the reporting period. The spam emails originated from 34,043 unique sending email domains and 24,779 unique SMTP IP Addresses. Analysts identified 699 emails which sent an executable file for Windows machines.

———–

3/25/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/25

• General Electric (GE) disclosed that personally identifiable information of current and former employees, as well as beneficiaries, was exposed in a security incident experienced by one of GE’s service providers, according to a BleepingComputer report on 03/23/2020.
• Hacking group targeted the World Health Organization earlier this month with an apparently unsuccessful spear-phishing campaign designed to harvest credentials as the United Nations organization was grappling with the global COVID-19 pandemic.
• More than 50 Android apps on the Google Play Store—most of which were designed for kids—have been caught using a new trick to secretly click on ads without the knowledge of smartphone users.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/24/2020-03/25/2020. During this period, RiskIQ analyzed 181,189 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 17,051 unique subject lines observed during the reporting period. The spam emails originated from 28,661 unique sending email domains and 24,737 unique SMTP IP Addresses. Analysts identified 55 emails that sent an executable file for Windows machines.

———–

3/24/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/24

• Bankinfosecurity summarized the latest schemes targeting remote workers on 03/23/2020. FBI issued a warning Friday after agents reported seeing spam and phishing campaigns that use government economic stimulus checks as lures.
• FBI warned of messages spoofing the U.S. Centers for Disease and Prevention, a tactic fraudsters used earlier
• Forbes reported that Hammersmith Medicines Research, a British medical facility on standby to help test any COVID-19 vaccine was attacked by a ransomware group that had previously promised not to target medical organizations
• CrowdStrike confirmed on 03/24/2020 that a U.S.-based utility company experienced a third-party data breach. Maze ransomware (CSIT-20016) breached one of the company’s suppliers, resulting in TWISTED SPIDER publicly exposing the supplier’s files—among them data belonging to the power company.
• Bleeping Computer reported that an HHS.gov open redirect is currently being used by attackers to push malware payloads onto unsuspecting victims’ systems with the help of coronavirus-themed phishing emails
• Hong Kong iOS users have reportedly been targeted with mobile malware via local news links, according to Trend Micro reporting on 03/24/2020.
• The European Commission urged Europe’s telecom giants to share mobile data from users in order to help predict the spread of COVID-19 and determine where people’s need for medical supplies is the most pressing

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/23/2020-03/24/2020. During this period, RiskIQ analyzed 204,303 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 22,747 unique subject lines observed during the reporting period. The spam emails originated from 35,529 unique sending email domains and 29,118 unique SMTP IP Addresses. Analysts identified 1,160 emails that sent an executable file for Windows machines.

———–

3/23/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/23

• The Department of Justice raised its first federal court action against online fraud relating to COVID-19. According to ThreatPost reporting, the website, “coronavirusmedicalkit.com,” offered to give away free vaccine kits that it claimed were manufactured by the World Health Organization. In reality, the cybercriminals first asked buyers to input their payment card information on the website in order to pay a shipping charge of $4.95. Then, they would steal that credit card and personal information.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/22/2020-03/23/2020. During this period, RiskIQ analyzed 243,881 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 38,698 unique subject lines observed during the reporting period. The spam emails originated from 40,849 unique sending email domains and 22,567 unique SMTP IP Addresses. Analysts identified 237 emails which sent an executable file for Windows machines.

———–

3/22/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/22

• Video chat company Zoom alerted customers to a security issue where outsiders have been hijacking group chats by taking advantage of a screen-sharing function to show lewd content. Zoom offered some ways to secure its video conference tool from “Zoombombing”: only allow the host to screen share, password protect your meetings, and lock the meeting once all participants have joined.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/21/2020-03/22/2020. During this period, RiskIQ analyzed 160,648 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 27,560 unique subject lines observed during the reporting period. The spam emails originated from 15,980 unique sending email domains and 21,070 unique SMTP IP Addresses. Analysts identified 2 emails which sent an executable file for Windows machines.

———–

3/21/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/21

• Sentinel Labs researchers reported yesterday that they have seen a significant number of malware campaigns, spam campaigns, and scams related to COVID-19. They have identified scams where multiple dark web sites claim to sell COVID-19 supplies (masks, sanitization and cleaning supplies) directly for bitcoin. In reality, the scammer collects the money and does not deliver anything. Other bogus sites are claiming to sell non-existent vaccines and charging victims $5,000. They also observed criminals selling COVID-19 malware/phishing ‘kits’ for less than $1,000.
• Interpol arrested 121 individuals during an international operation, dubbed Operation Pangea XIII, aimed to counter the illegal online sale of medical supplies and medicine; more than 90 nations took part in the operation. Authorities found over 2,000 online advertisements relating to COVID-19. Interpol said in a statement it seized more than 34,000 counterfeit, unauthorized, and substandard products, including masks and antiviral medications.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/20/2020-03/21/2020. During this period, RiskIQ analyzed 193,133 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 39,760 unique subject lines observed during the reporting period. The spam emails originated from 14,127 unique sending email domains and 22,439 unique SMTP IP Addresses. Analysts identified 135 emails that sent an executable file for Windows machines.

———–

3/20/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/20

• FBI announced that with the “significant spike” in scams across the nation it anticipates criminals will zero in on three states with high rates of infections: WA, CA and NY.
• Secretary of State Pompeo accused China, Russia, and Iran of carrying out disinformation campaigns related to COVID-19
• Ongoing phishing campaign delivering emails written to appear as official messages from the Director-General of the World Health Organization (WHO). Emails actively spread HawkEye malware payloads onto the devices of unsuspecting victims.
• US government is in active talks with Facebook, Google and a wide array of tech companies and health experts about how it can use data gleaned from Americans’ phones to combat COVID-19, including tracking whether people are maintaining a safe distance from one another. Israel and China already use similar technology to combat the spread.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/19/2020-03/20/2020. During this period, RiskIQ analyzed 202,558 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 20,387 unique subject lines observed during the reporting period. The spam emails originated from 14,232 unique sending email domains and 20,337 unique SMTP IP Addresses. Analysts identified 1,558 emails that sent an executable file for Windows machines.

———–

3/19/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/19

• DDoS attack on the US Department of Health and Human Services (HHS) website on Sunday is now believed to be part of a coordinated campaign
• Russian media have deployed a “significant disinformation campaign” against the West to worsen the impact of the coronavirus, generate panic and sow distrust
• Hackers are exploiting the COVID-19 outbreak to spread their own infections
• Thousands of COVID-19 scams and malware sites are being created on a daily basis. RiskIQ saw more than 13.5K suspicious domains on 3/15; more than 35K domains the next day; and more than 17K domains the day after that
• TrickBot and Emotet Trojans have started to add text from COVID-19 news stories to attempt to bypass security software using artificial intelligence and machine learning to detect malware
• Cybercriminals continue to take advantage of the increased communication about COVID-19 by lacing mobile applications with a trojan
• Some ransomware operators claim they will no longer target health and medical organizations
• Federal Deposit Insurance Corporation (FDIC) issued a statement Wednesday warning about an increase in scams trying to sow distrust in the U.S. financial system
• Federal Trade Commission (FTC) warned consumers on Wednesday about possible scams related to the US government plans to send money by check or direct deposit
• Twitter updated its safety policy to prohibit tweets that “could place people at a higher risk of transmitting COVID-19.”

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/18/2020-03/19/2020. During this period, RiskIQ analyzed 268,382 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 20,271 unique subject lines observed during the reporting period. The spam emails originated from 14,279 unique sending email domains and 20,962 unique SMTP IP Addresses. Analysts identified 1,099 emails that sent an executable file for Windows machines.

———–

3/18/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/18

• Attorney General Barr prioritized prosecuting cybercriminals exploiting COVID19.
• RiskIQ discovers top 25 phishing subject lines, COVID19 exploit tactics
• RiskIQ identifies top subjects when used with executable attachments
• RiskIQ pinpoints most common COVID19 SPAM origins, United States leads the list

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/17/2020-03/18/2020. During this period, RiskIQ analyzed 215,490 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 20,131 unique subject lines observed during the reporting period. The spam emails originated from 15,198 unique sending email domains and 22,425 unique SMTP IP Addresses. Analysts identified 1,232 emails that sent an executable file for Windows machines.

———–

3/17/20 Digital Exploitation Highlights

Download Full RiskIQ i3 Daily Report – 3/17

• FBI issues public alert for malicious websites and apps, deception involving #COVID19 cases
• Alert comes one day after a cyber-attack on the US Department of Health and Human Services
• Large internet companies issue joint statement aimed to curb misinformation on #COVID19, group includes Facebook, LinkedIn, Google, Microsoft, YouTube, and Twitter among others
• Cybercriminals exploit #COVID19 uncertainty, launch new attacks with trojan and phishing techniques

RiskIQ’s External Threats platform identified 31 URLs that appear to be malicious. The platform discovered these URLs by cross-indexing automated searches of the keywords “COVID-19” and “Coronavirus” with malware and phishing detection tools.

COVID-19 Email Spam Statistics

RiskIQ analyzed its spam box feed for the time period of 03/13/2020-03/16/2020. During this four-day period, RiskIQ analyzed 437,887 spam emails containing either “*corona*” or “*covid*” in the subject line. There were 54,847 unique subject lines observed during the reporting period. The spam emails originated from 32,535 unique sending email addresses and 44,165 unique SMTP IP Addresses. Analysts identified 536 emails, which sent an executable file for Windows machines.