As organizations get back to business, cyber criminals look for new angles to exploit

• Criminals are using COVID-19 training for employees as phishing bait
• Non coronavirus-related headline news (including ‘Black Lives Matter’) being used in phishing scams
• Weekly cyber-attacks increase 18% compared to May average
• However, Covid-19 related cyber-attacks down 24% compared to May

While coronavirus continues to have a huge impact globally, different countries and regions are at different stages of the pandemic. In the US, cases are spiking in states like Florida and Arizona. India recorded over 12,000 cases for the fifth straight day. However, in Europe and APAC, countries are reopening some business sectors as they attempt to restart their economies and return to some sort of normality.

And of course, this fragmented picture is reflected in the cyber-crime economy too. Our latest data shows that the risk of an organization being impacted by a malicious coronavirus-related website depends on whether the country it is located in has gone back to business or is still under lockdown. The graph below represents the change in the percentage of organizations impacted by malicious coronavirus-related websites in different regions in the months of May and June:

In regions such as Europe and North America, where economies are being re-started and organizations returning to work, there has been a sharp decrease in the number of organizations impacted by such malicious websites. In regions like Latin America and South Africa which are still struggling with the coronavirus outbreak, the graph indicates ongoing and increasing instances of organizations being impacted by coronavirus-related malicious attacks.

New normal, new cyber-scams

As businesses re-open, Coivd-19 continues to pose a threat so organizations are implemented testing programs and enforcing new workplace rules to prevent new infections. To prepare employees for this ‘new normal,’ many organizations have been carrying out webinars and short training courses to explain the restrictions and requirements.

Criminals are ever alert to these new opportunities, so it’s no surprise that our researchers detected cyber criminals distributing phishing emails and malicious files disguised as Covid-19 training materials. For example, the phishing email below is trying to lure the victim to sign up for a fake employee training that actually leads to a malicious website-

https://afzan\.co/wp-content/themes/1/1 (currently inactive).


Hijacking headlines

Another consequence of some countries moving to a ‘new normal’ is cyber-criminals hijacking other big breaking news events as bait for their scams.  A prime example is the ‘Black Lives Matter’ movement.  In early June, as global protests reached their peak, we discovered a malicious spam campaign related to the movement. The emails distributed the infamous Trickbot malware as a malicious doc file typically named in the format, “e-vote_form_####.doc” (#=digit).

The emails were sent with subjects such as “Give your opinion confidentially about ‘Black Lives Matter’”, “Leave a review anon about ‘Black Lives Matter’“ or “Vote anonymous about ‘Black Lives Matter’”.

When the user opens the email and clicks on the attachment this is what he or she sees:

In the background, the files contact 2 malicious urls:



There was also a previously reported malicious campaign leveraging the same topic, reported by other media.

Weekly Coronavirus Related Cyber Attacks

In our previous update, we reported a 16% increase in the number of cyber attacks in May, as compared to March and April.  Three weeks on, we have seen a further 18%  increase in weekly attacks compared to the average number in May.

That said, coronavirus-related attacks are decreasing, with an average number of  around 130,000 attacks (129,796) per week during the first week of June, a 24% decrease when compared to May’s weekly average.

New Coronavirus registered domains

In the two first weeks of June, 2,451 new coronavirus-related domains were registered. 4% of these were found malicious (91) and another 3% suspicious (66).

We also previously reported that due to the increase in unemployment, there was an increase in CV-themed cyber attacks in the US and Europe where malicious files disguised as CVs. The number of malicious files identified doubled in the last two months with one out of every 450 malicious files being a CV-related scam.

Staying protected

To stay protected against these opportunistic attacks, remember these golden rules:

  1. Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
  2. Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
  3. Ensure you are ordering goods from an authentic source. One way to do this is NOT to click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
  4. Beware of “special” offers. “An exclusive cure for coronavirus for $150” is usually not a reliable or trustworthy purchase opportunity. At this point of time there is no cure for the coronavirus and even if there was, it definitely would not be offered to you via an email.
  5. Make sure you do not reuse passwords between different applications and accounts.

Organizations should prevent zero-day attacks with end to end cyber architecture, to block deceptive phishing sites and provide alerts on password reuse in real time. Your mailboxes are the front door into your organization. Targeted phishing schemes steal $300B from businesses every month. Stop phishing schemes and business email compromise with email security