How cybercriminals have exploited the coronavirus pandemic


Phishing campaigns, deceptive domains, and malicious apps are just some of the tactics that have taken advantage of the virus and its repercussions, says Check Point Research.


While most people have been busy grappling with the impact of the coronavirus pandemic, cybercriminals have been busy too, but for more nefarious reasons. The spread of COVID-19 has provided fertile ground for criminals to launch different types of attacks that have exploited not just the virus but also the resulting lockdown and stay-at-home situation. A report released Wednesday by cyber threat intelligence provider Check Point Research discusses some of the different methods used by attackers looking to capitalize on the current pandemic.


In its report entitled “Cyber Attack Trends: 2020 Mid-Year Report,” Check Point described how cyberattacks have developed and trended in the wake of the coronavirus. Criminals eager to exploit the fear and interest surrounding COVID-19 have deployed phishing campaigns, fake domains, malicious apps, brute force attacks, and even ransomware.


The first threats involved a rise in malware attacks using social engineering with COVID-19 as their topic. In January, Check Point found that Emotet, infamous as a banking trojan, was being used in coronavirus-themed email campaigns targeting people in Japan with malicious file attachments.

Around the same time, thousands of coronavirus-related domain names were being registered. Most of these were for legitimate reasons, but many were being set up for criminal purposes, such as to sell phony COVID-19 drugs, distribute malicious apps, and act as landing pages for phishing campaigns. Scammers also started to jump on the bandwagon by selling items with “special coronavirus discounts” and offering malware-as-a-service at special prices.

Beyond garden-variety criminals looking to make a buck, sophisticated Advanced Persistent Threat (APT) groups got into the action. In one example, APT groups based in China used coronavirus-related content in malicious RTF documents in a campaign aimed at Mongolian public entities. The irony here is that while traditional espionage activities have declined due to travel restrictions and social distancing, online espionage attacks have increased.

By this point, social distancing and quarantining policies were being imposed, prompting many organizations to shift employees to remote working. But of course, that transition gave cybercriminals another area to exploit. With the use of virtual meeting and video calling apps, many hackers tried to subvert meetings in Zoom and other platforms. Others set up fake domains and created malicious apps and phishing campaigns spoofing services such as Zoom and Microsoft Teams.

On a more alarming note, hackers saw the increased use of remote desktop applications and VPNs as a tempting target. As organizations have rushed to implement Microsoft’s Remote Desktop Protocol (RDP), the proper security requirements aren’t always followed, leaving RDP accounts vulnerable. Using brute force attacks, cybercriminals try to obtain the user credentials of such accounts. If successful, they can gain access to servers and other critical systems and even take control of a network.
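
A defender's view of the pattern described above, as an added example that is not taken from the Check Point report: it flags source addresses that produce a burst of failed RDP logons and notes any successful logon that follows while the burst is still active. The CSV layout, addresses, account names, and thresholds are constructed assumptions; event IDs 4625 and 4624 and logon types 3 and 10 are the standard Windows Security log values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: simplified export of Windows Security events as
# timestamp,event_id,logon_type,account,source_ip
# 4625 = failed logon, 4624 = successful logon
# logon type 10 = RemoteInteractive (RDP), 3 = network (RDP with NLA)
SAMPLE_EVENTS = """\
2020-07-22T09:00:01,4625,3,administrator,203.0.113.50
2020-07-22T09:00:04,4625,3,administrator,203.0.113.50
2020-07-22T09:00:09,4625,3,admin,203.0.113.50
2020-07-22T09:00:15,4625,3,admin,203.0.113.50
2020-07-22T09:00:21,4625,3,backup,203.0.113.50
2020-07-22T09:00:30,4625,3,backup,203.0.113.50
2020-07-22T09:00:41,4624,10,backup,203.0.113.50
2020-07-22T09:05:00,4625,10,jsmith,198.51.100.7
2020-07-22T09:05:20,4625,10,jsmith,198.51.100.7
2020-07-22T09:05:45,4624,10,jsmith,198.51.100.7
"""

RDP_LOGON_TYPES = {"3", "10"}

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed RDP logons inside the window,
    and note any successful logon that arrives while the burst is active."""
    recent = defaultdict(deque)  # ip -> (time, account) of recent failures
    findings = {}
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, ip = line.split(",")
        if logon_type not in RDP_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        burst = recent[ip]
        while burst and when - burst[0][0] > window:
            burst.popleft()  # forget failures older than the window
        if event_id == "4625":
            burst.append((when, account))
        if len(burst) < threshold:
            continue
        hit = findings.setdefault(
            ip, {"peak_failures": 0, "accounts": set(), "success_after_burst": []})
        hit["peak_failures"] = max(hit["peak_failures"], len(burst))
        hit["accounts"].update(acct for _, acct in burst)
        if event_id == "4624":
            hit["success_after_burst"].append(account)  # likely guessed password
    return findings

if __name__ == "__main__":
    for ip, hit in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, hit)
```

A non-empty success_after_burst list is the case to escalate first, since it means a logon succeeded from an address that was still guessing passwords; the two mistyped attempts from the second address stay below the default threshold and are not flagged.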

The healthcare industry has become more critical than ever as providers struggle to treat patients with COVID-19 and race to develop a successful vaccine. With its efforts focused on the coronavirus, this sector is particularly vulnerable to cyberattack. Though some criminal groups vowed to refrain from attacking hospitals and healthcare organizations during the pandemic, the Maze ransomware group targeted Hammersmith Medicines Research, a firm that performs clinical tests for drugs and vaccines.

Other criminal campaigns have impersonated or even attacked health organizations. A series of phishing emails spoofed the WHO (World Health Organization) to convince people concerned about the virus to download malicious content or reveal their account credentials. The WHO also was hit by cyberattacks aimed at its staff and systems. Another campaign cited by Check Point impersonated pharmaceutical companies to spread ransomware in Italy.

Criminals have also exploited COVID-19 to commit fraud against businesses and government agencies. Companies that authorize emergency transactions were hit by BEC (Business Email Compromise) scams. A French pharmaceutical firm sent $7.25 million to a phony supplier claiming to offer hand sanitizer and protective masks. In other cases, cybercriminals used stolen PII (personally identifiable information) to submit fraudulent unemployment claims in the US and elsewhere.

“The global response to the pandemic has transformed and accelerated threat actors’ business-as-usual models of attacks during the first half of this year, exploiting fears around COVID-19 as cover for their activities,” Maya Horowitz, Check Point Research director of threat intelligence, said in a press release. “We have also seen major new vulnerabilities and attack vectors emerging, which threaten the security of organizations across every sector. Security experts need to be aware of these rapidly evolving threats so that they can ensure their organizations have the best level of protection possible during the rest of 2020.”

To protect yourself against coronavirus-related scams and threats, Check Point Research offers the following tips:

  • Beware of “special” offers. “An exclusive cure for coronavirus for $150” is usually not a reliable or trustworthy purchase opportunity. At this point in time there is no cure for the coronavirus and even if there was, it definitely would not be offered to you via an email.
  • Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
  • Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
  • Make sure you do not reuse passwords between different applications and accounts.
  • Maintain effective security by updating software frequently.


Cybercriminals disguising as top streaming services to spread malware


Malicious actors are posing as Netflix, Hulu, and more, to launch phishing attacks, steal passwords, launch spam, and distribute viruses.


Kaspersky’s latest research identifies the top streaming services cybercriminals most use to disguise malicious files and lure vulnerable users. The report, released on Thursday, also found the specific shows on each platform that cybercriminals used to fool victims. 


The year 2019 was host to what the report refers to as “Streaming Wars,” or the moment when major network providers realized streaming services were the preferred method of consuming content. While services like Netflix and Hulu were already well established, other platforms like Apple TV+, Disney+, and HBO Max got in on the action. 

Streaming service usage has been bolstered in 2020 as a result of the coronavirus pandemic. Viewers stuck at home are turning to streaming platforms more than ever: Half of US states increased video streaming by 50% during quarantine, ZDNet reported. 

However, as with all popular tech trends, the increase in streaming use has opened a new attack channel for cybercriminals. These malicious actors use the sites as disguises to distribute malware, steal passwords, spread spam, and launch phishing attacks, according to the report.

“The so-called ‘streaming wars’ have only just begun, and as the popularity of these platforms grows, so too will the attention they receive from malicious users,” said Anton Ivanov, malware analyst, in the release. 

“This is particularly true since many of the platforms are experiencing unprecedented growth as a result of stay-at-home orders and employees being forced to work from home. While users may be tempted to search for alternative methods of watching their favorite content online rather than paying for another subscription, to stay safe, the best option is always to access the platforms and their shows via official sources,” Ivanov said.


Kaspersky researchers evaluated the cyber threat landscape across five major streaming platforms (Hulu, Disney+, Netflix, Apple TV+, and Amazon Prime Video) from January 2019 to April 2020.

Over that time, a total of 5,577 users were exposed to threats when trying to gain entry into these platforms through unofficial means. In total, there were 23,936 attempts to infect users with a variety of threats, the report found.

Top platforms cybercriminals disguise as 

The report identified the following platforms cybercriminals used as disguises, along with the number of threats they were used for:

1. Netflix (5,103)

2. Hulu (256)

3. Amazon Prime (214)

4. Disney+ (28)

Netflix was used the most frequently, by far, to lure Kaspersky users into downloading various threats, either while trying to modify the application, gain access to the platform, or gather login info, according to the report. 

The most frequent threats across all attacks were different types of Trojans, which made up nearly half (47%) of all threats. Trojans allow cybercriminals to delete and block data on devices, or even interrupt the performance of the computer.


Among the Trojans distributed were Spy Trojans, which track the users’ actions on the infected device, leaving the users susceptible to having personal files or photos collected, as well as login and password information for financial accounts stolen, according to the report.

Malware was also a popular avenue, with 6,661 Kaspersky users reportedly encountering malware when they came across account checkers while attempting to gain access to Hulu, Netflix, Amazon Prime, or Disney+. Phishing was also used by malicious actors, who most often imitated Netflix and Hulu, the report found.

The research also identified the top original content on these platforms and found the five shows that bad actors most frequently used to lure targets. 

1. The Mandalorian (Disney+)

2. Stranger Things (Netflix) 

3. The Witcher (Netflix) 

4. Sex Education (Netflix)

5. Orange is the New Black (Netflix) 

How to stay protected 

The report offered the following three recommendations for users to protect themselves against these threats. 

  • Only access streaming platforms through your own paid subscription on the official website or app from official marketplaces.
  • Do not download unofficial modifications or versions of these platform applications.
  • Use different, strong passwords for every account.

For more, check out Billions of passwords now available on underground forums, say security researchers on ZDNet.
