At the beginning of 2020, phishers began taking advantage of the pandemic, switching from their typical lures to pandemic-related themes for their campaigns. One year after the COVID pandemic began, researchers on the Palo Alto Networks Unit 42 team examined the past year's phishing trends to study how phishers' tactics, techniques, and procedures (TTPs) had changed and the extent to which COVID-19 was used in their phishing attacks.
The researchers assessed all phishing URLs discovered between January 2020 and February 2021 to determine how many had a COVID-19 theme, using specific keywords and phrases associated with COVID-19 and other facets of the pandemic. The researchers found 69,950 unique phishing URLs linked to COVID-19 themes, with nearly half of those URLs directly associated with COVID-19.
Phishing campaigns quickly picked up the latest news and ideas about the coronavirus and closely mirrored the most recent pandemic developments. Right after the World Health Organization’s announcement of the pandemic in March 2020, there was a worldwide scarcity of personal protective equipment (PPE) and testing kits, and phishing campaigns started offering access to stocks. Government stimulus programs were subsequently introduced, and phishing campaigns immediately adopted lures linked to those programs. For example, the volume of phishing emails connected to COVID-19 online test kits closely tracked the popularity of test kit-related queries on Google.
Throughout the pandemic, phishers targeted the sites of legitimate vendors of COVID-19 test kits. They gained access to the websites and uploaded phishing kits to steal credentials. In December 2020, as the vaccine rollout began, campaigns used vaccine-related lures with domains that spoofed vaccine manufacturers such as Pfizer, BioNTech, and others. The web pages of pharmaceutical companies were targeted and had vaccine-related phishing content added to them. Between December 2020 and February 2021, vaccine-related phishing scams grew by 530%.
One of the methods phishers use to evade security tools is a two-step process on their phishing sites that requires the visitor to click to sign in before being shown the phishing form, a strategy called client-side cloaking. Many anti-phishing solutions visit the URL linked in an email to evaluate the content but only examine the landing page for phishing material. With client-side cloaking, the malicious content is unlikely to be discovered.
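A landing-page triage that accounts for the click-through gate described above, written here as an added example (it is not code from the Unit 42 report). The keyword list, function names and sample pages are assumptions constructed for illustration; a page that returns `needs_interaction` should be rendered and clicked through in a sandboxed browser before a verdict is given.

```python
from html.parser import HTMLParser

# Assumed heuristic word list for this example; tune it for your own mail flow.
GATE_WORDS = ("sign in", "log in", "login", "continue", "view document")
# Constructed sample pages (not captured from any real site).
GATED = '<html><body><h1>Shared file</h1><button onclick="show()">Sign in to view</button></body></html>'
DIRECT = '<form><input name="u"><input type="password" name="p"><input type="submit" value="Sign in"></form>'

class LandingPageScan(HTMLParser):
    """Collects password fields and click-through elements from one HTML page."""
    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.gates = []   # labels of clickable elements that look like a sign-in gate
        self._open = []   # stack of [tag, text, has_onclick] for open <a>/<button>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self.password_fields += 1
            elif kind in ("submit", "button"):
                self._record(a.get("value") or "", "onclick" in a)
        elif tag in ("a", "button"):
            self._open.append([tag, "", "onclick" in a])

    def handle_data(self, data):
        if self._open:
            self._open[-1][1] += data

    def handle_endtag(self, tag):
        if self._open and self._open[-1][0] == tag:
            _, text, handler = self._open.pop()
            self._record(text, handler)

    def _record(self, text, has_handler):
        label = " ".join(text.split()).lower()
        if has_handler or any(w in label for w in GATE_WORDS):
            self.gates.append(label)

def triage_landing_page(html):
    """Return 'credential_form', 'needs_interaction' (form may appear only after a click) or 'no_login_content'."""
    scan = LandingPageScan()
    scan.feed(html)
    scan.close()
    if scan.password_fields:
        return "credential_form"
    return "needs_interaction" if scan.gates else "no_login_content"
```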
The report shows how opportunistic phishers are. They quickly modify their TTPs in response to new developments and use lures that are likely to get the desired response, including changing their targets. From December 2020 to February 2021, phishing attacks directed at pharmacies and hospitals went up by 189% as phishers turned to attacking healthcare workers to steal their credentials.
During the pandemic, Microsoft was the firm most targeted by attackers. Over 23% of COVID-19 phishing URLs targeted Microsoft credentials. Bogus Microsoft login pages were set up to steal the Microsoft 365 credentials of workers at pharmaceutical companies and pharmacies. Once Microsoft credentials are obtained, they can be used to access email accounts and send phishing emails from real pharmacy and pharma firm domains, increasing the probability of those emails being delivered and acted upon by their recipients. Victim firms include Glenmark Pharmaceuticals in India, Junshi Biosciences in China, Pharmascience in Canada, and Walgreens in the US.
At present, large numbers of phishing emails are connected to vaccines, and as more people try to get themselves and their loved ones signed up for immunization, vaccine-related phishing campaigns are most likely to continue.