sb-as logo
Story image

Phishing becoming more prolific and impregnable - report

19 Jun 2020

The most prolific form of cyber attack to emerge in the COVID-19 era is becoming even more targeted and difficult to defend against as the pandemic wears on, according to new research released by ProPrivacy.

Phishing campaigns continue to grow in scope and prominence rather than lose influence as more people return to work. 

The study, conducted with VirusTotal and WHOIS XML, analysed more than 600,000 domains to accurately track malicious activity throughout the pandemic. 

This analysis found that the number of phishing domains being registered peaked in March, yet domain registry activity remains high three months later with as many as 1,200 domains still being registered each day. 

125,000 domains in total have been found to be malicious by the study – the ‘vast majority’ being used for phishing purposes.

“It would be easy to look at the overall trend and conclude that phishing activity related to the pandemic has simply fizzled out, but that’s not an accurate assessment,” says lead researcher Sean McGrath.

“These malicious campaigns have moved underground and are now addressing our most intimate concerns. When will my children return to school? Will I lose my job? 

“It is these - truly human - questions that will fuel the 'second peak' of malicious activity. This is the next battlefront in the digital pandemic.” 

Indeed, researchers noted that campaigns gradually became more targeted and potent as time wore on, evolving to take advantage of new and emerging fears held by the public.

Whereas in March, many registered domains related to terms like ‘covid’ or ‘mask’, months on there has been an increase in domain registrations related to unemployment, welfare benefits, and stimulus packages.

The passage of time has also provided attackers with valuable experience and insights over which campaigns work and which don’t – meaning attacks are more nuanced and sophisticated than they were before.

These focused campaigns are not only more likely to succeed, but they are becoming increasingly difficult for the threat intelligence community to identify using conventional broad stroke methods, according to ProPrivacy. 

As part of the research, ProPrivacy tracked all domains registrations from January 1 2020, after which each domain was checked against VirusTotal’s database of more than 60 threat intelligence partners. 

Once the researchers identified which domains were malicious and/or being exploited in phishing campaigns, they noted the new themes that were emerging as public sentiments and concerns changed with time.

In the course of their study, researchers also found that GoDaddy was the most abused web host, hosting a disproportionately high number of domains used for phishing activity. 

The company, the largest hosting provider in the world with a 15% share of all hosted sites on the internet, hosted 37% of the 80,470 IP addresses analysed in the study.

“We see a lot of niche registrations in our typosquatting data feed files,” says an unnamed WhoisXML API researcher.

“Registrants seem to target vulnerable groups. We suspect that these domains could serve as social engineering baits and trigger emotional responses.”

Story image
Mobile devices biggest enterprise security threat - report
Businesses have left themselves vulnerable and open to cyber criminals in the rush to ensure their workforce could operate remotely during the Covid-19 pandemic.More
Story image
Kroll completes Redscan acquisition, expands cyber risk portfolio
With the addition of Redscan and its extended detection and response (XDR) enabled security operations centre (SOC) platform, Kroll expands its Kroll Responder capabilities to support a wider array of cloud and on-premise telemetry sources.More
Story image
Ransomware and Microsoft Exchange attacks surging 
There are global surges in ransomware attacks alongside increases in cyber attacks targeting Microsoft Exchange Server vulnerabilities, according to Check Point Research.More
Story image
Pandemic sees organisations of all sizes and industries invest in CTI
There is opportunity for organisations to better manage their cyber-threat intelligence for greater security and threat intelligence effectiveness by adopting the right tools and processes.More
Story image
Infrastructure-as-code, and how it can secure the cloud
Bridgecrew recognised IaC early on as one of the best ways for modern teams to delegate security ownership to individual contributors while distributing it across existing frameworks within CI/CD pipelines. This attribute meant that IaC was invaluable in securing cloud-native environments.More
Story image
Gigamon & FireEye tackle security in hybrid cloud environments
The partnership is an extension to a ‘long-standing’ relationship that aims to ‘simplify, secure, and optimise hybrid cloud environments’.More