At a time when people are searching for information related to the ongoing pandemic, we turned to our dataset of real-world usage information to assess the impact this global event was having on remote workers and the organizations with whom they work each day.

For this exercise, Wandera’s experts analyzed year-to-date queries from around the globe that were related to COVID-19. This analysis included visits to official sites that provide information on the virus, such as the WHO and CDC, as well as prominent healthcare institutions, insurance providers, and even newly registered domains that utilize keywords associated with the novel coronavirus.

Analyzing connections to legitimate sources

As can be expected, Wandera’s traffic analysis indicates a significant uptick in the volume of mobile queries to legitimate COVID-19 related domains, with traffic to these legitimate (or ‘safe’) websites peaking at 1,160% of normal volume on March 16.

  • The analysis above shows consistent patterns of usage during the week, with slight drops during the weekend when employees spend less time with work devices.
  • However, as news of the novel coronavirus increased in February, user queries began to follow a similar pattern.
  • Heading into March, Wandera observed a significant increase in queries to legitimate COVID-19 content, with a noteworthy jump on March 16.
  • At the time of this writing, usage related to “safe” domains appears to be coming down, signaling that many workers may have reached a saturation point with new information they are able/willing to process.

Analyzing connections to bad sources

While the world reacts to the news of COVID-19 and its deadly spread, malicious actors are also mobilizing, attempting to capitalize on the collective attention that is currently focused on the virus. As a result, there has been anecdotal evidence surfacing that shows an increase in the number of incidents related to social engineering, as attackers seek to prey on those impacted by the virus.

Within a matter of weeks, scams appeared in several styles: ‘click here for a cure’ or ‘get a free test’ offers, fake tax refunds and financial support from governments, safety information that appears to be coming from authorities such as WHO or CDC, and requests for donations to support local communities. Some examples of these emerging scams are covered in this BBC article.

We took the same three months of real-world usage data that was used above and performed a second level of analysis, this time looking for queries to unsafe COVID-19 related websites. Specifically, we looked at connections to sites hosting phishing campaigns, donation scams, and malware that target individuals by using coronavirus keywords and related content.

We plotted the connections to unsafe COVID-19 domains using a graph that is similar to the safe usage graph, allowing us to assess the trends that emerged from this data.

The analysis above shows that some malicious actors responded immediately to the demand for COVID-19 content and started running focused campaigns almost at the same time as usage queries to legitimate sites increased.

  • In both this plot and the previous one, there is a similar uptick in connections occurring at the end of January.
  • Towards the end of February, there is a noteworthy jump in connections that can be tied to more aggressive campaigns by bad actors.
  • At the end of March, there appears to be serious momentum for bad actors. This is likely due to the number of bad domains increasing as bad actors recognize the opportunity and react by crafting more bad sites from which they can store and launch targeted campaigns that will attract an increasing number of users.

Wandera has been monitoring ongoing phishing campaigns and we have seen a shift in existing content to incorporate COVID-19 keywords. This includes new domains being registered that map (temporarily) to old content as attackers attempt to maximize the breadth of impact they have on the interested user population, but with little effort.

Analyzing growth rates of traffic to good and bad sites

We plotted the two trend lines on the same graph in order to see how the growth rates of traffic to safe and malicious sites compare across the 3-month period.

We found the number of visits to known-bad sites was 22 times higher at the end of March than it was at the beginning of the year. Comparatively, the number of visits to safe sites has only increased 6.5 times in the same period of time. This indicates that the volume of traffic to bad sites is currently growing much faster than traffic to safe sites.

The analysis above marks some important milestones for our researchers:

  • On February 1, the growth trend in unsafe sites exceeded that associated with safe queries. After that point, the two trend lines follow one another in a steady upward direction, with random jumps in red likely showing the impact of targeted (and sometimes short-lived) campaigns on the overall pattern.
  • Feb 23 is where you start to see the traffic to bad sites really gain momentum, suggesting more and more effective campaigns are being launched at this time. Both trend lines continue in an upward direction, but with the unsafe queries taking a more rapidly increasing arc.
  • On March 18, we hit an inflection point where individuals reached their ‘saturation point’ with legitimate information and (for a variety of reasons) started navigating more to malicious content.
  • Mar 22 represents the most significant spike in unsafe query trends that we have seen yet (though this may not be the last).
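
The growth-rate comparison above can be reproduced on any pair of daily connection counts. The following is an added example, not Wandera's code or data: it smooths out the weekday/weekend cycle, indexes each series to its own baseline week, and reports the first day the unsafe trend overtakes the safe one. The series, the 7-day window and the 7-day baseline are constructed assumptions.

```python
from datetime import date, timedelta

def rolling_mean(values, window=7):
    """Trailing mean over `window` days; damps the weekday/weekend cycle."""
    out = []
    for i in range(len(values)):
        chunk = values[max(0, i - window + 1): i + 1]
        out.append(sum(chunk) / len(chunk))
    return out

def growth_index(counts, baseline_days=7, window=7):
    """Smoothed daily volume expressed as a multiple of the baseline period."""
    baseline = sum(counts[:baseline_days]) / baseline_days
    if baseline == 0:
        raise ValueError("baseline period has no traffic; cannot normalise")
    return [s / baseline for s in rolling_mean(counts, window)]

def first_crossover(dates, safe_idx, unsafe_idx, skip=7):
    """First date where unsafe growth exceeds safe growth (baseline days skipped)."""
    for d, s, u in zip(dates[skip:], safe_idx[skip:], unsafe_idx[skip:]):
        if u > s:
            return d
    return None

def compare(dates, safe, unsafe):
    s, u = growth_index(safe), growth_index(unsafe)
    return {"safe_growth": s[-1], "unsafe_growth": u[-1],
            "crossover": first_crossover(dates, s, u)}

# Constructed sample: four weeks of daily counts, halved at weekends.
DATES = [date(2020, 1, 1) + timedelta(days=i) for i in range(28)]

def _series(weekday_volume, weekly_multipliers):
    return [weekday_volume * weekly_multipliers[i // 7]
            * (0.5 if d.weekday() >= 5 else 1) for i, d in enumerate(DATES)]

SAFE = _series(100, [1, 2, 3, 4])     # large volume, steady growth
UNSAFE = _series(10, [1, 1, 6, 12])   # small volume, late but steep growth

if __name__ == "__main__":
    result = compare(DATES, SAFE, UNSAFE)
    print(f"safe x{result['safe_growth']:.1f}, unsafe x{result['unsafe_growth']:.1f}, "
          f"crossover on {result['crossover']}")
```

Indexing each series to its own baseline is what makes the two lines comparable: in absolute terms the unsafe volume in this sample never comes close to the safe volume, yet its growth multiple passes the safe one in the third week.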

How bad is this going to get?

Based on the trends we see here, we expect the volume of traffic to known-bad COVID-19 related sites will continue climbing as bad actors tap into new waves of interest in various news angles, such as the effects on the job market or information on financial support programs. With so many implications to discuss and so many concerned citizens looking for information, bad actors will get crafty in order to continue attracting information-seekers to their malicious sites.

Phishing, scams and other malicious websites are not a new phenomenon. In March, we saw 4 times as many connections to general phishing sites as connections to unsafe COVID domains. So although many malicious domains are using the coronavirus to lure victims in, everyday phishing hasn’t slowed down and still remains the number 1 threat to mobile users.