The popularity of remote conferencing services such as Zoom, WebEx, Slack and others has skyrocketed recently, as millions of students, businesses and everyday people across the world are required to work and entertain from home during the pandemic. This has not gone unnoticed: cybercriminals are now exploiting the spike in usage by registering new fake domains related to these platforms and developing malicious executable files that deceive people into downloading malware onto their devices or that harvest their usernames and passwords.
Specifically, over 1,700 new ‘Zoom’ domains have been registered since the onset of the pandemic, with 25% of them registered in a single seven-day period.[1] This type of attack will continue to propagate across the globe and will inevitably be mimicked by multiple groups across many of the relevant platforms. In 2009, threat actors engaged in similar phishing campaigns fraudulently impersonating the Center for Disease Control (CDC) during the H1N1 flu, luring users with news about vaccination programs.[2] Similarly, in 2014 threat actors capitalized on the Ebola virus outbreak with phishing campaigns and embedded malware links.[3]
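The lookalike-domain tactic described above is easy to triage at scale once you have a feed of newly observed hostnames (from DNS logs, certificate transparency, or a domain-registration feed). The following is an added example, not code from the article or from any of the platforms it names: it flags hostnames that carry a collaboration-platform brand name outside that platform's own registrable domain. The allowlist of legitimate domains (zoom.us, webex.com, slack.com), the short list of public suffixes and the sample hostnames are all assumptions or constructed inputs; a production version would resolve registrable domains with the Public Suffix List rather than the toy splitter used here.

```python
"""Flag hostnames that impersonate collaboration platforms.

Added example for the article on pandemic-era phishing; not the article's
code. Assumptions: the LEGIT_DOMAINS allowlist, the KNOWN_SUFFIXES list and
the SAMPLE_HOSTS below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed allowlist: each brand's own registrable domain(s).
LEGIT_DOMAINS = {
    "zoom": {"zoom.us"},
    "webex": {"webex.com"},
    "slack": {"slack.com"},
}

# Toy public-suffix table; multi-label suffixes must come first so that
# "example.co.uk" is not split at "uk".  Use the real Public Suffix List
# (e.g. the tldextract package) in production.
KNOWN_SUFFIXES = ("co.uk", "com.au", "com", "net", "org", "us", "info", "xyz")


@dataclass
class Finding:
    host: str
    brand: str
    registrable: str
    reason: str


def registrable_domain(host: str) -> str:
    """Return the registrable domain (one label left of the public suffix)."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for suffix in KNOWN_SUFFIXES:
        n = suffix.count(".") + 1
        if len(labels) > n and ".".join(labels[-n:]) == suffix:
            return ".".join(labels[-(n + 1):])
    return host  # unknown suffix: treat the whole host as registrable


def normalize(text: str) -> str:
    """Collapse common look-alike tricks so 'z00m-us' compares as 'zoomus'."""
    return text.lower().replace("-", "").replace("0", "o").replace("1", "l")


def check_host(host: str) -> Optional[Finding]:
    """Return a Finding if the host abuses a brand name, else None."""
    reg = registrable_domain(host)
    # Any subdomain of the platform's own domain is legitimate by definition.
    if any(reg in legit for legit in LEGIT_DOMAINS.values()):
        return None
    norm_host = normalize(host)
    for brand in LEGIT_DOMAINS:
        if brand in norm_host:
            if brand in normalize(reg):
                reason = "brand in registrable domain"
            else:
                reason = "brand in subdomain only"
            return Finding(host=host, brand=brand, registrable=reg, reason=reason)
    return None


def scan(hosts: Iterable[str]) -> List[Finding]:
    """Run check_host over a feed of hostnames and keep the hits."""
    return [f for f in (check_host(h) for h in hosts) if f is not None]


# Constructed sample feed: two legitimate hosts, three impersonations, one
# unrelated host.  None of these is a real indicator from the article.
SAMPLE_HOSTS = [
    "us04web.zoom.us",
    "webex.com",
    "zoom-us-meeting.example.com",
    "z00m-us.com",
    "s1ack-login.example.xyz",
    "mail.example.org",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_HOSTS):
        print(f"{finding.host:32} {finding.brand:6} {finding.registrable:20} {finding.reason}")
```

Keyword matching is deliberately loose, so a host such as slackware.org would also be flagged; the two reason strings let an analyst prioritise registrable-domain squats (which need a takedown or a block) over brand names that only appear in a subdomain of some unrelated site. Findings are returned rather than just printed so they can be pushed into a blocklist or SIEM alert.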
The old is the new, new again
Many COVID-19 email scam campaigns, some of which have been evading typical email security technologies, began in early February, and the activity continues to increase across the globe. While seemingly benign for the moment, the continued heightened fear over the virus lures many users into ‘risky clicks’: in search of new information about the spread, to purchase goods or services that lessen the impact, or, in an altruistic turn, to donate to relief efforts or a cure for COVID-19. This environment gives cybercriminals a plethora of avenues to download and install known malware such as Zeus,[4] Trickbot, and Emotet,[5] all precursors of wider ransomware attacks delivered through old-fashioned social engineering.
Certain ransomware groups have pledged to stop attacking hospitals and other healthcare delivery organizations, yet they have continued to attack and affect other organizations unabated,[6] while other groups continue to disrupt healthcare operations.[7] These attacks, regardless of motivation, become highly disruptive to the operations of any organization, especially given the currently distributed nature of IT operations and support. Experience with ransomware attacks has shown a dwell time, the time from the initial compromise to the actual ransomware execution, measured in weeks or months, leaving organizations potentially waiting for the other shoe to drop.