Cybercriminals are using fake COVID-19 websites impersonating Pfizer and BioNTech, according to research by Palo Alto Networks. The research, authored by Lucas Hu, comes almost a year after Palo Alto Networks first reported on this behaviour, and set out to see which COVID-19 themes attackers were looking to exploit.
The research shows how effectively attackers pivoted to keep on top of the main discussion. At the start of the pandemic, the approach was to target people looking up PPE and testing kits. As vaccine research progressed and pharmaceutical companies started trials, the focus switched to credential theft. Fake websites and phishing attacks sought to steal user credentials to gain access to vaccine and healthcare data.
The fake websites include those that pretended to be the US Federal Trade Commission, Pfizer, BioNTech and Microsoft. Many of these relied on Punycode, the ASCII encoding used for internationalised domain names, to register look-alike domains in which non-Latin characters stand in for Latin ones so that the name appears genuine.
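As an added illustration of the Punycode technique described above (example code written for this page, not taken from the Palo Alto Networks research), the following Python script decodes xn-- labels back to Unicode and flags a domain when a label mixes scripts or, after folding common homoglyphs to their Latin look-alikes, matches a brand on a watch-list. The watch-list, the homoglyph table and the sample domains are constructed for the example; it uses only the standard library.

```python
import unicodedata

# Brands this example watches for (constructed watch-list, not from the research).
WATCHED_BRANDS = {"pfizer", "biontech", "microsoft", "ftc"}

# Hand-picked homoglyphs: Cyrillic, Greek and Latin-extended letters that render like
# basic Latin ones. Not exhaustive; Unicode TR39 confusables.txt is the full source.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d",            # Cyrillic
    "\u03bf": "o", "\u03bd": "v", "\u03b1": "a", "\u03b9": "i", "\u03ba": "k",
    "\u03c1": "p", "\u03c4": "t",            # Greek
    "\u0261": "g",                           # Latin small letter script g
}


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label; xn-- labels are Punycode-decoded."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed Punycode: keep the raw label so it stays visible
    return label


def scripts_in(label: str) -> set:
    """Script families used by the letters of a label, read from Unicode character names."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name:
                scripts.add(name.split(" ")[0])  # "LATIN", "CYRILLIC", "GREEK", ...
    return scripts


def skeleton(label: str) -> str:
    """Fold known homoglyphs to Latin and NFKC-normalise, giving a comparable skeleton."""
    folded = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
    return unicodedata.normalize("NFKC", folded).lower()


def analyse_domain(domain: str) -> dict:
    """Decode a domain and report why (if at all) it looks like a homograph spoof."""
    raw_labels = domain.rstrip(".").split(".")
    labels = [decode_label(lab) for lab in raw_labels]
    reasons = []
    for uni in labels:
        found = scripts_in(uni)
        if len(found) > 1:
            reasons.append(f"label {uni!r} mixes scripts {sorted(found)}")
        sk = skeleton(uni)
        if sk in WATCHED_BRANDS and sk != uni.lower():
            reasons.append(f"label {uni!r} is a look-alike of watched brand {sk!r}")
    return {
        "domain": domain,
        "unicode": ".".join(labels),
        "punycode": any(lab.lower().startswith("xn--") for lab in raw_labels),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample domains (not taken from the research). The non-ASCII ones are
    # Punycode-encoded at runtime so the xn-- labels are exact.
    samples = [
        "pfizer.com",                                           # all Latin, genuine
        "pf\u0456zer.com".encode("idna").decode("ascii"),       # Cyrillic i for i
        "bi\u043entech.com".encode("idna").decode("ascii"),     # Cyrillic o for o
        "micros\u03bfft.com".encode("idna").decode("ascii"),    # Greek o for o
        "m\u00fcnchen.de".encode("idna").decode("ascii"),       # legitimate IDN, not flagged
    ]
    for s in samples:
        r = analyse_domain(s)
        print(f"{s:32} -> {r['unicode']:16} suspicious={r['suspicious']} {r['reasons']}")
```

Two design points matter here. A Punycode label on its own is not evidence of abuse (the legitimate münchen.de sample is not flagged), so the `punycode` field is informational and only mixed scripts or a brand look-alike make a domain `suspicious`. The brand check is deliberately exact-match on the folded label, so a name such as a brand with an extra word in the same label is not caught; a production detector would extend the skeleton comparison to substrings and use the full TR39 confusables data.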
A timeline of attacks
Hu’s blog also breaks down each major type of attack into timelines that show when the different types of attacks took place. The various timelines show an interesting overlap between attacks and how organised many attackers were.
For example, one timeline shows that peaks in phishing attacks using test kits as a lure often came just after a peak in Google searches for the same subject. In April and October 2020, PPE and vaccine phishing attacks peaked at the same time as the test-kit campaigns. As Christmas approached and new lockdowns were in place, the attackers shifted focus to the ability to meet with others, government programmes and vaccines.
The attackers’ ability to respond to government programmes is also shown in attacks using the US CARES Act as a lure. As the Paycheck Protection Program (PPP) rolled out in the US, fake sites appeared to “help” businesses get funds. It led to a significant amount of fraud and payments being stolen. Peaks of activity were spotted in May, August and during the lead-up to the US elections.
It would have been interesting to see the same data for the UK. In October 2020, the National Audit Office warned of significant fraud from criminals accessing government relief funding. Since then, some arrests have been made, but none so far targeting organised cyber gangs stealing credentials.
Vaccines a particular target for cybercriminals
Unsurprisingly, phishing around vaccines surged as vaccine programmes began their roll-out. According to Hu: “With many Americans now looking for a way to sign themselves and their family members up for immunization, it should be no surprise that cybercriminals would try to use this trend to their advantage. From December 2020 to February 2021, we observed a 530% increase in vaccine-related phishing attacks.”
Other large increases around vaccines saw physicians and pharmacies targeted. Hu says that these are part of a wider set of phishing campaigns targeting healthcare. At risk here are the personal details of people seeking to be vaccinated and potential ransomware attacks to paralyse the vaccination programme. Many of these campaigns were worldwide, with Hu citing attacks in the US, Canada, India, and China.
Enterprise Times: What does this mean?
The ability of cybercriminals to launch phishing attacks to monetise disasters and major news items is well documented. A flood, famine, earthquake, plane crash or banking crisis is always followed by fake sites seeking to cash in. There should, therefore, be no surprise at the response of cybercriminals to the pandemic.
However, the pandemic also showed that it is not just established groups who take part in these activities. There has been a significant surge in people getting involved in cybercrime for the first time. The availability of malware as a service has helped drive a lot of this. It has meant that researchers have had to filter through a lot of poorly designed attacks to detect the more serious ones. The pandemic has also seen other major attacks against specific targets such as SolarWinds and Microsoft.
Despite this, most of these attacks can be defeated, or their effectiveness blunted, by better employee training. Training has a longer-lasting effect than relying on tools alone to protect systems, and it also raises security across the multiple devices that employees use.