The most prolific form of cyber attack to emerge in the COVID-19 era is becoming even more targeted and difficult to defend against as the pandemic wears on, according to new research released by ProPrivacy.
Phishing campaigns continue to grow in scope and prominence rather than lose influence as more people return to work.
The study, conducted with VirusTotal and WHOIS XML, analysed more than 600,000 domains to accurately track malicious activity throughout the pandemic.
This analysis found that the number of phishing domains being registered peaked in March, yet domain registry activity remains high three months later with as many as 1,200 domains still being registered each day.
125,000 domains in total have been found to be malicious by the study – the ‘vast majority' being used for phishing purposes.
“It would be easy to look at the overall trend and conclude that phishing activity related to the pandemic has simply fizzled out, but that's not an accurate assessment,” says lead researcher Sean McGrath.
“These malicious campaigns have moved underground and are now addressing our most intimate concerns. When will my children return to school? Will I lose my job?
“It is these - truly human - questions that will fuel the 'second peak' of malicious activity. This is the next battlefront in the digital pandemic.”
Indeed, researchers noted that campaigns gradually became more targeted and potent as time wore on, evolving to take advantage of new and emerging fears held by the public.
Whereas in March, many registered domains related to terms like ‘covid' or ‘mask', months on there has been an increase in domain registrations related to unemployment, welfare benefits, and stimulus packages.
The passage of time has also provided attackers with valuable experience and insights over which campaigns work and which don't – meaning attacks are more nuanced and sophisticated than they were before.
These focused campaigns are not only more likely to succeed, but they are becoming increasingly difficult for the threat intelligence community to identify using conventional broad stroke methods, according to ProPrivacy.
As part of the research, ProPrivacy tracked all domains registrations from January 1 2020, after which each domain was checked against VirusTotal's database of more than 60 threat intelligence partners.
Once the researchers identified which domains were malicious and/or being exploited in phishing campaigns, they noted the new themes that were emerging as public sentiments and concerns changed with time.
In the course of their study, researchers also found that GoDaddy was the most abused web host, hosting a disproportionately high number of domains used for phishing activity.
The company, the largest hosting provider in the world with a 15% share of all hosted sites on the internet, hosted 37% of the 80,470 IP addresses analysed in the study.
“We see a lot of niche registrations in our typosquatting data feed files,” says an unnamed WhoisXML API researcher.
“Registrants seem to target vulnerable groups. We suspect that these domains could serve as social engineering baits and trigger emotional responses.