It’s no surprise that bad actors are taking advantage of the global pandemic; if there was ever a time to target a huge captive audience, it is now. Newly formed scams and phishing campaigns are using information related to COVID-19 to trick users into handing over information and money or just bombarding them with pop-up ads.

Wandera’s threat intelligence indicates that more and more people are navigating to good and bad domains related to the Coronavirus, and we have seen phishing attacks reaching users via messaging apps including iMessage and WhatsApp, as well as social media including LinkedIn.

In this post, we will put a spotlight on one specific threat related to COVID-19 that demonstrates how attackers work. Our research shows that malicious actors are nimble, analytical, and focused on ensuring they achieve an ROI.

Backdrop: A global pandemic

As global interest in COVID-19 content grew, attackers seemed to operate with “insider knowledge”, responding immediately to the demand for COVID-19 content; Wandera’s usage data indicates that these malicious actors started running focused campaigns at almost the exact moment that queries to legitimate sites increased – around February 1. At this point, the growth trend in unsafe sites exceeded that of safe queries. After that point, the two trend lines follow one another in a steady, upward direction, with random jumps in red likely showing the impact of targeted (and sometimes short-lived) campaigns on the overall pattern.

If you look at where we are now, the number of visits to known-bad COVID-19 related sites was 22 times higher at the end of March than it was at the beginning of the year. Comparatively, the number of visits to safe COVID-19 related sites has only increased 6.5 times in the same period of time. This indicates that the volume of traffic to bad sites is currently growing much faster than traffic to safe sites.

Attackers in a Pandemic: Using fail-fast techniques to develop effective social engineering attacks

Attackers operate like a start-up; they try new attacks often and see where there are early signs of success. Those things that fail are abandoned. Those things that are successful are refined. They evolve their threats much like a start-up business refines its product based on customer feedback.

We discovered many malicious domains that weren’t even properly built yet, including those with domain names related to the Coronavirus without any content at all, and some that are very clearly serving an unrelated purpose but still using ‘coronavirus’ in the domains to catch peoples’ attention.

In the images below, captured by Wandera’s threat research team, we highlight several examples of threats that appeared in the early days of the Coronavirus outbreak.

Evolving the threat: A Case Study

In the security industry, we see many poorly-designed attacks, but we also see many very convincing ones, and this new wave of attacks is no exception. Whether convincing or not – this surge of malicious COVID-19 related domains is attracting potential victims.

While analyzing the surge of Coronavirus-related domains, our threat research team identified a group of domains that have similar domain names and are all linked together.

We have chosen to highlight this particular threat because we identified it early in its development; by tracking its evolution, we are able to show the progression of an attack that was observed over the period of approximately one week.

The domains included in the analysis are below:

  • coronavirus-com[.]info
  • coronavirus-update[.]info
  • coronavirus-latest-update[.]info
  • coronavirus-live-update[.]com

When we first discovered the domain coronavirus-com[.]info, what got our attention in the first place was obviously the domain name. Not only did it include ‘coronavirus’, but it ended with ‘-com.info’, which is a clear indicator of a malicious domain. The next thing we noticed was the surprising website content. At the time of discovery on March 24, it was hosting Beijing Casino content, with no real information on the Coronavirus.

Two days later, on March 26, the same URL, coronavirus-com[.]info, was populated with Coronavirus-related content. It is interesting to observe how the bad actors changed scam content that they were previously using (for another attack!) to something new, maximizing visitors while minimizing effort in order to achieve their goals. They likely do this by copy-pasting website templates they have already prepared for other malicious websites.

Less than a week later, on April 1, this same URL, coronavirus-com[.]info, was immediately redirecting to a malware-hosting site disguised as a Flash Player update. This redirection happened in both Chrome and Safari during our testing.

Replicating the threat to maximize impact

The other three domains investigated (coronavirus-update[.]info, coronavirus-latest-update[.]info, and coronavirus-live-update[.]com) all link to the now-redirecting malware domain (coronavirus-com[.]info) in a prominent URL on each of their homepages (and other pages). This redirecting malware domain is clearly where the attacker is trying to lead victims who land on any one of these domains.
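As an added illustration (not Wandera’s tooling or code from this post), here is a small Python heuristic that scores domain names on the signals described above (a pandemic keyword, a ‘-com’ label in front of the real TLD, urgency words such as ‘update’ or ‘live’) and pivots from a page-to-page link map to the one domain every other site points at. The four domains are the ones named in this post; the link map, scoring weights and thresholds are assumptions.

```python
import re
from collections import Counter

KEYWORDS = ("coronavirus", "covid")
URGENCY = re.compile(r"update|live|latest|news|alert")   # crude heuristic
# A well-known TLD as a hyphenated suffix of the registrable label (the post's
# "coronavirus-com.info") imitates a familiar .com address: a strong signal.
FAKE_TLD_SUFFIXES = ("-com", "-net", "-org", "-gov")

def refang(domain):  # accept defanged input such as "example[.]com"
    return domain.lower().replace("[.]", ".").strip(".")

def score_domain(domain):
    """Heuristic score (higher = more suspicious) plus the reasons that fired."""
    labels = refang(domain).split(".")
    if len(labels) < 2:            # bare host names get no score
        return 0, []
    name = ".".join(labels[:-1])   # everything left of the TLD
    score, reasons = 0, []
    if any(k in name for k in KEYWORDS):
        score += 2; reasons.append("pandemic keyword")
    if labels[-2].endswith(FAKE_TLD_SUFFIXES):
        score += 3; reasons.append("fake TLD label before real TLD")
    if name.count("-") >= 2:
        score += 1; reasons.append("multiple hyphens")
    if URGENCY.search(name):
        score += 1; reasons.append("urgency word")
    return score, reasons

def flag_domains(domains, threshold=3):
    """Return {domain: (score, reasons)} for domains scoring >= threshold."""
    scored = {refang(d): score_domain(d) for d in domains}
    return {d: v for d, v in scored.items() if v[0] >= threshold}

def find_hubs(links, min_sources=2):
    """Targets linked from >= min_sources distinct sources in {src: [targets]}:
    in the post, the redirecting domain every other site points at."""
    counts = Counter()
    for src, targets in links.items():
        counts.update({refang(t) for t in targets} - {refang(src)})
    return sorted(t for t, n in counts.items() if n >= min_sources)

# Constructed sample: the four domains from the post plus benign controls.
SAMPLE_DOMAINS = ["coronavirus-com[.]info", "coronavirus-update[.]info",
                  "coronavirus-latest-update[.]info",
                  "coronavirus-live-update[.]com", "who.int", "cdc.gov"]
# Constructed link map modelled on the post: three sites link to the fourth.
SAMPLE_LINKS = {"coronavirus-update[.]info": ["coronavirus-com[.]info"],
                "coronavirus-latest-update[.]info": ["coronavirus-com[.]info", "who.int"],
                "coronavirus-live-update[.]com": ["coronavirus-com[.]info"]}
```

Running `flag_domains(SAMPLE_DOMAINS)` flags all four post domains and neither control, and `find_hubs(SAMPLE_LINKS)` returns only coronavirus-com.info.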

As we look into these three domains, it’s apparent that the attacker doesn’t want to depend on their victims making their way straight to the malware installation page, but rather, they want to maximize the damage along the way by placing various ‘traps’ such as pop-up ads on the other three domains. The ads we observed include a vague COVID-19 ad and a shark-themed bitcoin gambling game called Sharkroulette. This same game was featured in ads across all three domains.

Sharkroulette is one of the obvious connections between these domains. They all share COVID-19 related domain names, the same COVID-19 related content, the same font, but also the same ads!

During our testing, the website hosting this Sharkroulette game was secretly opening in a new browser window in the background when our researcher clicked certain links on the other three domains. Interestingly, these links, when clicked, would open two new tabs in the original window: one appeared to be the legitimate destination of the link, but the other was completely blank. It was when this blank tab was opened that the new Sharkroulette browser window was triggered. It’s unclear exactly what was triggering this sequence, as it didn’t work every time for the same hyperlink.

Note: this image shows the new Sharkroulette window pulled to the front of the original window and minimized for the purposes of this documentation, but during testing it appeared in the background each time as a full-screen window.

We also identified a potential phishing mechanism on a page that asks the visitor for their email in order to ‘get full access’.

When our researcher first navigated through these websites, it was clear that they were ‘works in progress’ and changing by the day. For example, many pages link to a domain which, prior to being filled with attack-specific content, was displaying a ‘related links’ landing page linking to ads. This is known as domain parking, and developers use it to earn money through ads while their domain is otherwise inactive or while content is being prepared. This particular attacker has demonstrated an affinity for domain parking ads and has customized them with coronavirus-related keywords to attract traffic and squeeze as much value out of the site as possible before it is even complete.

This discovery is one of many COVID-19-related social engineering campaigns in circulation at the time of writing. It is also an example of how quickly threat actors adapt to any current trend they can leverage in order to achieve their goals. They take shortcuts by stripping out content and replacing it, snatching up multiple domain names, and injecting invasive ads, all in order to quickly reach a large audience of potential victims at just the right time.