Throughout the early months of the COVID-19 pandemic, when companies and consumers were forced to adapt to remote working arrangements and adopt digital interactions with family and friends to stay connected, PhishFeed witnessed a stark rise in phishing attacks, particularly in attacks configured to show only on mobile devices. Since January 2020, PhishFeed has collected tens of thousands of phishing URLs and kits, many of which were branded with COVID-themed domains, URLs, or attack content by the responsible threat actors, as seen in Figure 1.

Figure 1: Phishing Scam SMS


Figure 2: Top 30 Brands Targeted by COVID-Themed Phishing URLs


All phishing pages monitored by PhishFeed were analyzed; utilizing PhishFeed’s proprietary brand detection algorithm, PhishFeed identified the targeted brand in the majority of campaigns. Figure 2 above shows the top 30 brands targeted by threat actors that used a COVID-themed URL.

As COVID-19 restrictions began to ease globally, and brands and consumers found a “new normal” with the rise in digital technologies in their everyday lives, WMC Global observed an initial increase in new COVID-themed URLs. Although the number of COVID-themed URLs now appears to have plateaued, PhishFeed is still detecting a number of COVID-themed URLs each day. The downward trend in unique COVID-themed URLs becomes most apparent beginning May 11, 2020 (Figure 3).


Figure 3: Unique COVID-Themed URLs



COVID-Themed Phishing Kits

Aside from its phishing detection platform, PhishFeed also extracts phishing kits from domains, enabling WMC Global to perform deep technical analysis on any phishing threat. WMC Global analyzed multiple phishing kits deployed on separate infrastructure and drew connections between seemingly disparate phishing kits by analyzing email crossover from kit to kit. Figure 4 below shows a sample of the technical infrastructure shared within COVID-themed phishing kits.

Figure 4: Shared Infrastructure of Phishing Kits
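
One way to implement the email-crossover linking described above, as an added example that is not WMC Global's or PhishFeed's own code. It assumes each kit has already been unpacked to text files; the kit names, file contents, and addresses are constructed sample data.

```python
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample data: kit name -> {file name: file contents}.
# Addresses use reserved example domains; nothing here comes from a real kit.
KITS = {
    "kit_a.zip": {"post.php": '$to = "drop1@example.com, Backup@example.org";'},
    "kit_b.zip": {"send.php": "$recipient = 'backup@example.org';"},
    "kit_c.zip": {"mail.php": '$to = "other@example.net";',
                  "cfg.php": "$cc = 'drop1@example.com';"},
    "kit_d.zip": {"next.php": '$to = "solo@example.net";'},
}

def extract_emails(files):
    """Return the set of lower-cased addresses found in a kit's files."""
    found = set()
    for text in files.values():
        found.update(m.lower() for m in EMAIL_RE.findall(text))
    return found

def cluster_kits(kits):
    """Group kits linked, directly or transitively, by a shared address."""
    parent = {name: name for name in kits}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_email = defaultdict(set)
    for name, files in kits.items():
        for addr in extract_emails(files):
            by_email[addr].add(name)
    for names in by_email.values():
        first, *rest = sorted(names)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(set)
    for name in kits:
        clusters[find(name)].add(name)
    shared = {a: sorted(n) for a, n in by_email.items() if len(n) > 1}
    return sorted(sorted(c) for c in clusters.values()), shared

if __name__ == "__main__":
    print(cluster_kits(KITS))
```

In the sample, kit_b.zip and kit_c.zip share no address with each other but land in the same cluster because each overlaps with kit_a.zip.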


By utilizing its unique information sources, dedicated threat hunters, and insightful threat intelligence, WMC Global analyzes and tracks threats targeting all businesses, regardless of industry sector. Over the past five months, WMC Global has observed both the rise and now the gradual decline of COVID-19 themes and lures in phishing attacks across all mediums, from mobile-configured attacks to early detection of recently registered COVID-themed domains. WMC Global anticipates a continued decline in COVID-themed attacks and is already observing threat actors moving back to more traditional phishing lures.


Future Outlook

This does not mean businesses are safe against phishing attacks, and with more workers than ever now operating remotely on a global scale, security controls are being targeted by threat actors. WMC Global has discovered corporate remote work portals and internal login pages used as credential phishing pages, further exposing companies’ critical infrastructure to malicious actors.