The current pandemic has shown us what humanity stands for: kindness, care, sharing, giving and all the great values that we have as a global community, especially in hard times. In these times of need, there are multiple initiatives that are being driven by individuals and organizations alike asking for help — both in kind and cash. And, as one would expect, these initiatives are being communicated digitally.
Cybercriminals, who are notorious for riding trending news and emerging issues, have been watching matters unfold and developing their attacks in context with a large variety of updates and initiatives aligned with the current pandemic. As a result, IBM X-Force Research has been seeing a significant number of new malicious domains related to COVID-19 appear in the wild since late February 2020, based on Quad9 data (Figure 1).
Figure 1: Number of new DNS records related to COVID-19, based on Quad9 data
Phishing Campaigns on the Rise
Our digital life has never been so central, and the pandemic has accelerated the remote workplace digitization process we were going through as a society. Students of all ages are now taking more online classes, parents are working from home, shopping is now mostly done online and many restaurants are taking online orders only.
Our digital adversaries are leveraging this unique opportunity, and we can see it in the volume and speed of new threats emerging. Many of the new COVID-19-themed domains we have detected (Figure 1) represent genuine initiatives, but there is also a significant portion of domains that have been set up by criminal actors for phishing.
According to IBM X-Force Research, the number of malicious domains related to COVID-19 has grown exponentially (Figure 2) between February and March 2020. Many are phishing domains used in various campaigns, including campaigns spoofing the Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO) to provide false information about a supposed vaccine, victims and face mask sales; campaigns spoofing foundations to ask for donations; campaigns sending text messages about bank account lockdowns due to COVID-19; and campaigns targeting a variety of work-from-home (WFH) tools.
Figure 2: Number of new COVID-19-related malicious domains, according to Quad9 data
Threat Reports Rising
Correspondingly, the number of related threat reports is also increasing. Based on data collated on IBM X-Force Exchange, we see a significant spike in COVID-19-related threat reports on a week-to-week basis.
For reference, in the time our team has tracked the number of threat reports, we have not seen such a high number of cases on a single topic. From March 1 to date, we have seen a 5,000-plus percent increase in COVID-19 spam in our research. This implies that organizations and end users have to be even more vigilant in this new era, educating themselves about emerging threats and spam ploys to keep networks safe even while most staff members are not on-site.
Attack Volumes Vary Across Geographies
We also see that the countries with a broader COVID-19 outbreak tend to have more malicious activity, such as spam and phishing, related to COVID-19 threats (Figure 3). Our research data from Quad9 shows that more than half of the malicious activity is happening in two countries: 33 percent in Spain and 23 percent in the U.S.
Figure 3: Top countries with malicious COVID-19 cyber activities, based on Quad9 data
Unfortunately, the attack trend we are observing does not appear to be slowing down.
One way of gauging the growth in COVID-19-related attacks is to leverage findings from Quad9. Quad9 is a public DNS resolver designed to provide end users with security protections, high performance and privacy.
As we observed via Quad9 data, the number of domains blocked as related to malicious COVID-19 activity has increased dramatically since March 2020 (Figure 4). The activity increased when the WHO declared the COVID-19 outbreak a pandemic, and the number of threats was still very high as April 2020 drew to a close.
Figure 4: The number of blocks related to COVID-19 threats on Quad9
What Steps Should Organizations and End Users Consider?
With the current global pandemic, for many of us, our home has become the new office and this new reality is changing the security landscape.
New devices are connecting to high-value assets in the enterprise from home, and you are not alone on your home network. Our gaming computers, IP cameras and family are all one step away from enterprise infrastructure. Working from home is not a new thing, but the urgency and scale of working from home during this particular time are unprecedented.
Handling this new challenge requires special considerations because security is never additive. Every new solution brings new vulnerabilities, including the security solutions themselves. For instance, a new virtual private network (VPN) service for WFH employees can be a new attack surface if it does not provide multifactor authentication (MFA).
Enterprises should consider adopting Zero Trust principles so the work location doesn’t impact security. The three steps to consider implementing are as follows:
- Enterprises should help employees set up cyber hygiene at home so that every outgoing connection is protected and examined.
- Every authentication should be verified and audited if enterprise assets are involved, including accessing VPN service, online collaboration tools, cloud storage, source code management systems, etc. Essentially, organizations should ensure that the right asset is accessed by the right user under the right conditions.
- Enterprises need to gain visibility and control over company assets, including home office devices, so they can detect unusual behavior and take corrective actions.
Humankind has gone through pandemics in the past, and I am pretty certain that we will get through this as well. However, what is different from pandemics of the past is the sudden shift to a digital economy and how fast we transitioned to remote work. Adversaries are looking to use this trend to their advantage with a variety of malicious attack scenarios that aim at individuals, commerce and public sector entities alike.
From an organizational perspective, it gives us an opportunity to take a step back and look at the security posture for this new normal that we will embrace from here. We should make it more adaptable to not just the threats of today, but also for the bigger challenges of tomorrow. We have threat activity data to help us keep making informed decisions.
IBM Fellow, VP & CTO, IBM Security
Chief Architect of Threat Intelligence, IBM Security