As the UK marks a significant step out of lockdown on 12 April with the further relaxation of restrictions, cyber criminals exploiting the pandemic are concentrating their efforts on exploiting interest in vaccine passports and the possibility of some international leisure travel.
Over the past 13 months, the cyber criminal underground has relentlessly taken advantage of Covid-19 in its targeting of both business and consumers through phishing and domain spoofing attacks. Popular lures have included the initial outbreak and government support programmes, later pivoting to vaccines. But now, as the pathway out of the pandemic becomes clearer, their efforts are turning to exploit the hoped-for return to normality.
This is according to researchers working at Webroot, who have released new statistics drawn from the firm’s real-time anti-phishing protection service from 1 January 2021 through 29 March, which show a 93% increase in malicious Covid-19-related domains incorporating the word “travel”.
“The length and duration of the pandemic has allowed hackers an extended opportunity to hone and craft their domains. The language used in these malicious domain names is highly reflective of current trends, and key events like travel bans introduced globally have a direct impact on how hackers create resources to trick people,” said Nick Emanuel, Webroot’s senior product director.
“For example, directly after travel bans were implemented, we saw the word ‘passport’ used in malicious domains mostly in the context of providing data on which countries were blocked – e.g. ‘Passportbancountries’ – rather than the context of preparing or enabling travel.”
Webroot’s analysis found a 79% increase in the use of the term “passport” in March versus the previous 30 rolling days, 233% versus April 2020, and 3,900% versus June 2020. It also saw a 169% increase in malicious domains using travel or holiday-related search terms such as “weekend break”, “last minute”, and “cheap” since 22 February (the date the lockdown exit roadmap was first revealed), to 29 March.
At the same time, cyber criminals now seem markedly less interested in exploiting Covid-19 testing, with the incidence of domains created using test-related keywords down nearly three-quarters since the new year.
“The decrease in terminology related to ‘testing’ and ‘testkit’ correlates with the introduction of a comprehensive school testing regime in the UK, and we believe the strong supply and ease of obtaining a test has cut down opportunities for scammers on this specific topic,” said Emanuel.
“Both examples demonstrate how cyber criminals are carefully grooming news and creating domains that will have a higher percentage of hits.
“To protect against these threats, individuals should remain vigilant in scrutinising all links they receive in emails before clicking through. This should also be underpinned by cyber security technology such as email filtering, anti-virus protection, and strong password policies.”
Meanwhile, researchers at Kaspersky said they had observed a slight uptick in levels of phishing activity coalescing around the Bafta film awards, which took place over the weekend of 10 to 11 April.
Its analysis found multiple instances of malware delivered via phishing attempts that exploited the best film nominees, The Mauritanian, Nomadland, Promising Young Woman, and The Trial of the Chicago 7, suggesting that even though Covid-19 remains top of mind for most people, cyber criminals will exploit anything going in order to gain a foothold on their target networks.