Peak of pandemic-related phishing traffic has passed by volume, but attackers are using increasingly focused and effective lures to steal data, study finds
UK-based privacy group ProPrivacy said large numbers of coronavirus-related malicious domain names are still being registered, at 700 to 1,200 per day.
Traffic to those sites is also down from a daily peak of 130,000 visits per day on 14 April to up to 80,000 per day, according to the group, which uses aggregated data from security researchers and domain registrars.
But while traffic figures may be declining, attacks are becoming more difficult to detect and more subtly manipulative, said Sean McGrath, lead researcher on the study.
“The reality is that malicious actors have not given up, but are now focusing their efforts in more targeted ways,” McGrath said in the study.
Phishing campaigns are focusing on users’ “intimate concerns” such as when children will go back to school or potential job losses, increasing their “potency and efficacy”, McGrath said.
“This is the next battlefront in the digital pandemic,” he wrote.
By far the most abused hosting company is GoDaddy, which has been found to be hosting “the majority” of malicious Covid-19-related sites to date.
“Given that GoDaddy is the largest hosting provider in the world, hosting more than 15 percent of all websites, it’s not surprising that the majority of activity has transpired on their infrastructure, most of which is provided by Amazon Web Services,” McGrath wrote.
GoDaddy said it had already removed Covid-19 fraud sites in response to reports and was prepared to “promptly investigate any and all reports of abuse”.
The use of such a popular hosting company makes it difficult for system administrators to block malicious IP addresses without also barring millions of legitimate sites, ProPrivacy said.
The company noted that coronavirus-related scam emails are often far more convincing than the average spam email, with correct logos and official sites included in the message body in order to gain the target’s confidence.
Emails may appear to come from authorities such as the Centers for Disease Control and Prevention (CDC) or to use “highly convincing” fraudulent sign-in pages for web-based email clients such as Microsoft Outlook.
Two of the most common themes relate to Covid-19 test results and the availability of protective equipment such as masks, McGrath said.
He advised users to treat such messages with caution and to double-check links before clicking on them.