Dark web players have seized on the chaos caused by the coronavirus pandemic to cultivate a vast range of scams that target everyone from vulnerable consumers to unprepared medical facilities.
According to a new report from global threat intelligence firm IntSights, a mixture of cybercriminals and state-sponsored actors are exploiting the confusion and fear around the COVID-19 pandemic to launch schemes that include registering domain names to run phishing campaigns, new types of malware and ransomware, intercepting traffic from the growing amount of videoconferencing, and hawking phony coronavirus products.
Charity Wright, a cyber threat analyst at IntSights, specializes in Chinese disinformation campaigns and the dark web. While she’s seen plenty of nefarious activity over the years from the dark web, she was still stunned by the amount of coronavirus-related activity the company detected.
“What we’ve seen is an exponential increase,” she said. “It’s overwhelming. It’s much more than I expected.”
As the number of coronavirus cases have surged, governments and private companies have been worried about growing amounts of disinformation and various types of fraud. Last week, an EU official criticized companies such as Google, Facebook, and Amazon for continuing to make money from advertising for various misleading claims and products.
IntSights, based in New York City, has developed a threat detection platform that uses artificial intelligence and machine learning to scour the deep and dark webs for specific keywords that can be used to alert potential targets. The deep web can be accessed from a typical web browser by someone who knows where to look, while the dark web requires someone to be using the Tor Browser.
The IntSights report scanned both the deep and dark webs, though primarily the latter. Looking through hacker forums and black markets, the company’s platform analyzed the coronavirus-related schemes being discussed and launched.
One of the biggest strategies being shared on the dark web is how to use domain names to create phishing campaigns. There has been an explosion in domain name registrations related to the coronavirus that are then used to harvest people’s emails, passwords, and personal information.
According to IntSights’ analysis, in 2019 only 190 domains containing some version of “corona” and “covid” were registered. By January, that number had jumped to 1,400, then 5,000 in February, then 38,000 in March.
In another case, IntSight researchers uncovered a malware tool created by a Russian underground vendor that masquerades as the Johns Hopkins coronavirus map. People can embed a version of the map on a website where it will pull in the actual data from the Johns Hopkins map, but meanwhile it secretly installs malware on a user’s computer to steal their information.
Dark web actors are also sharing tips on how to sell products that claim to be virus tests or vaccines. One such offering claims to sell blood and saliva from a coronavirus survivor to boost people’s immune systems. In various forums, templates and images are being shared to make it easier for others to create their own customized version of these scams.
The scammers are also targeting mobile platforms. The company detected a surge in fake mobile apps that are primarily made for Android-based phones. These apps have been found to include ransomware, trojans, and spyware.
Finally, the growth in remote work has become a rich source of information for criminals. As people have turned to collaboration and video conferencing platforms, IntSights reports a big uptick in conversations on dark web forums about tips for exploiting the various vulnerabilities.
This graph shows an increase in conversations, for instance, around how to attack Zoom:
For now, Wright and IntSights are cautioning individuals and companies to take commonsense precautions. Companies should reevaluate their threat landscape to include threats to remote working, increase monitoring of collaboration tools and endpoint security, enforce rules on use of VPNs and passwords, and take aggressive steps to educate employees.
That said, Wright predicts that the volume and variety of coronavirus-related cyber scams is only going to increase in the coming weeks.
“It’s not slowing down much right now,” Wright said. “Unfortunately, that’s because threat actors have been very successful in using them.”