Significant Increase In Malicious Domains As Cybercriminals Take Advantage of COVID Pandemic: Interpol


    - by David Goldstein -

    There has been a significant increase in the number of malicious Newly Registered Domains (NRDs) registered with the keywords ‘COVID’ or ‘Corona’, according to an INTERPOL assessment of the impact of COVID-19 on cybercrime. The international policing organisation says two-thirds of its member countries have reported a significant increase, with cybercriminals aiming to take advantage of the growing number of people searching for information about COVID-19 online.

    Abusive COVID-19 domain registrations are on the rise

    The newly registered malicious domains INTERPOL has found either host data harvesting malware or are constructed to obtain personally identifiable information, approaching victims via spam campaigns through emails, SMS or cold calls.

    From February to March 2020, Palo Alto Networks, one of INTERPOL’s private partners, detected a 569 per cent growth in malicious registrations, including malware and phishing, and a 788 per cent growth in high-risk registrations, including scams, unauthorised coin mining, and domains that have evidence of association with malicious URLs. The hike in registrations followed, with a few days of delay, the peak of user interest in COVID-19 related topics captured in Google Trends.

    More than a third of INTERPOL’s member countries are monitoring a growing influx of newly registered domains (NRDs) with “COVID” or “Corona” keywords. Similar to COVID-19 themed phishing campaigns, a high percentage of domains that claim to provide COVID-19 updates, tracking systems or statistics are used for a wide variety of malicious activities exploiting the public’s thirst for information during the pandemic.

    As of the end of March 2020, 116,357 COVID-19 NRDs were detected, out of which 2,022 were identified as malicious and 40,261 as “high-risk”. In June 2020, INTERPOL Cybercrime Directorate’s Global Malicious Domain Taskforce identified and analysed 200,000 malicious domains affecting more than 80 member countries.

    Further feedback received from law enforcement agencies highlighted that certain malicious websites have been created to mimic official public services including government portals, telecommunication companies, banks, national tax and customs authorities, etc. The trend was showcased by a member country through the exploitation of the national initiative to provide rapid financial support for the self-employed and small businesses. To receive the assistance, businesses were required to apply via an official government website. The threat actors quickly copied these websites and deployed a fake app to harvest personal user data received from the applicants.

    Security gaps open the door for criminals

    Another area of concern is the increasing number of fraudulent websites, which exploited the recent surge in demand for surgical masks, personal protective equipment, coronavirus test kits and medical ventilators to host illicit trade in these key supplies. The tactics of the websites’ owners differ and include copying a legitimate site, selling unlicensed items or counterfeit goods or taking payment for the items without delivering them. Moreover, there exists a challenge when the money paid by the victims of illegal trade is sent to overseas bank accounts, which creates difficulties in both the crime attribution and recovery of financial loss.

    Away from the domain name focus, INTERPOL’s assessment of the impact of COVID-19 on cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure.

    With organisations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.

    In one four-month period (January to April) some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all related to COVID-19 – were detected by one of INTERPOL’s private sector partners.

    Cybercriminals are taking advantage of the pandemic to deploy ransomware against critical infrastructure and healthcare institutions responsible for COVID-19 response. Cloning of official government websites is increasingly occurring to steal sensitive user data, which can later be used in further cyberattacks.

    “Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19,” said Jürgen Stock, INTERPOL Secretary General. “The increased online dependency for people around the world is also creating new opportunities, with many businesses and individuals not ensuring their cyber defences are up to date.”

    “The report’s findings again underline the need for closer public-private sector cooperation if we are to effectively tackle the threat COVID-19 also poses to our cyber health,” concluded the INTERPOL Chief.