Getty Images/iStockphoto
Microsoft: COVID-19-Related Cyberattacks, Phishing in Decline
COVID-19-related cyberattacks and phishing campaigns reached their peak in March and have since leveled off. Microsoft sheds light on these attacks and how to move forward.
Cyberattacks and phishing campaigns tied to COVID-19 reached their highest levels in March, and the rate of these attacks have drastically declined in recent weeks, according to Microsoft’s Threat Protection Intelligence Team.
What’s more, the number of these COVID-19-related attacks were relatively small compared to the overall number of phishing campaigns and cyberattacks amid the pandemic months.
Throughout the crisis, researchers and federal agencies have vigilantly released insights around COVID-19 fraud and phishing attacks, as well as other cyberattacks targeting healthcare and other organizations, as hackers modified attack methods to exploit the increase in remote work.
Researchers assessed how cybercriminals attempted to exploit the pandemic and how it aligned with cyberattacks, overall, using intelligence on endpoints, email and data, identities, and apps. They found that hackers began launching these campaigns just after the World Health Organization was unsuccessfully attacked in February.
The number of attacks that followed increased 11-fold, but Microsoft noted these attacks accounted for just 2 percent of overall cybercriminal activities each month. By the end of March, every country had experienced at least on COVID-19-related attack.
Interestingly, Microsoft found that the surge in COVID-19 attacks was actually a “repurposing from known attackers using existing infrastructure and malware with new lures.” And overall, the trend of malware detections did not significantly vary during this timeframe.
However, the rate of themed attacks is still higher than in early February and will continue throughout the crisis.
“This pattern of changing lures prove to be outliers, and the vast majority of the threat landscape falls into typical phishing and identity compromise patterns,” researchers explained. “Malware campaigns, attack infrastructure, and phishing attacks all showed signs of this opportunistic behavior.”
“As we documented previously, these cybercriminals even targeted key industries and individuals working to address the outbreak,” they added, “These shifts were typical of the global threat landscape, but what was peculiar in this case was how the global nature and universal impact of the crisis made the cybercriminal’s work easier. They preyed on our concern, confusion, and desire for resolution.”
Overall, hackers are looking for the easiest way to gain access to new victims with the “biggest-risk-versus-reward payouts.” Microsoft noted that hackers do leverage zero-day flaws, but the bigger risk boils down to users being tricked into running unknown programs or malicious documents.
For example, hackers will rely on headlines to tailor lures to victims, ensuring the attacks leverage locations and geographies familiar to the intended victim. In enterprise phishing campaigns, attacks may appear to contain expected documents and ask the user to take action.
Microsoft also saw a steep increase in enterprises increasing phishing awareness and education campaigns in April, which has led to the need for hackers to adapt and increase tyhe cost of attacks.
Attacks on the US followed this global trend, with Microsoft noting these attacks reached the highest levels in mid-March when most US organizations began social-distancing measures. The attacks significantly decreased by the end of March, and by April and May, COVID-19-themed attacks leveled off to about 20,000 to 30,000 per day.
“Defender investment is best placed in cross-domain signal analysis, update deployment, and user education,” researchers concluded. “These COVID-19 themed attacks show us that the threats our users face are constant on a global scale.”
“Investments that raise the cost of attack or lower the likelihood of success are the optimal path forward,” they continued. “Focus on behaviors of attackers will be more effective than just examining indicators of compromise, which tend to be more signals in time than durable.”