Three-Month Trend Analysis: COVID and Coronavirus Themed Web and Email Traffic

Forcepoint X-Labs is the custodian of threat and behavioral intelligence at Forcepoint. In analyzing anonymized recent web and email traffic we have observed interesting trends generated by our global customer base.

This analysis focussed on traffic relating to the keywords “Corona” and “COVID.” We share our observations below to show how the behavior of cybercriminals, and of your own people, has changed in response to the situation in which we all now find ourselves.

Methodology

  • Web and email traffic processed by our Cloud Web Security and Cloud Email Security products was analyzed to surface trends of the last 3 months (19 January 2020 to 18 April 2020 inclusive).
  • We sought the keywords COVID and Corona in URLs accessed directly over the Web or embedded within an email.
  • The analysis was applied to a global dataset of Forcepoint customers.
  • Data was anonymized (counts only, no attribution) to protect the privacy of our customers as per our approach to “Privacy-by-Design.”

Highlights

  • The analysis shows that cybercriminals are opportunists seeking to piggyback on the public’s interest in COVID-19 and Coronavirus.
  • Brand new COVID and Coronavirus-themed websites have been registered and activated for both legitimate and illegitimate means.
  • Employees’ interest in COVID and Coronavirus-themed websites peaked in mid-March, correlating with the enactment of “lockdown” measures by governments around the world.
  • We saw a rise in unwanted emails (malicious, spam, or phishing) containing embedded URLs using the keywords COVID or Corona, from negligible values in January 2020 to over half a million blocked per day from the end of March onwards.
  • Note the dip in activity at weekends, as is usual with active spam campaigns.
  • An email security solution is an effective “first line of defense” against so-called blended threats (emails containing an embedded URL).

Observation 1 – Legitimate web traffic

From mid-January (the start of this reporting period) through to the end of February a steady undercurrent of browsing requests to legitimate COVID or Coronavirus-themed URLs was apparent. These requests relate to so-called COVID-19 tracking sites (sites set up specifically to share data points related to the pandemic) and news websites. During the first two weeks of March 2020 a significant rise (5 million+ categorizations) was observed that may correlate with the onset of lockdown procedures enacted by global governments and a move to remote working. A steady decline in activity was observed for the following three weeks, possibly relating to so-called “news fatigue” and gradual understanding of the “new normal.” The interest peaked again last week.

Figure 1: Web traffic to clean/legitimate COVID or Coronavirus-themed URLs (3-month period).

Observation 2 – Malicious web traffic

The chart below shows a steady increase in the number of COVID or Coronavirus-themed URLs categorized by Forcepoint as malicious from 9 March to the present date, with two spikes. As explained in the Highlights above, cybercriminals have seen the value in generating relevant-looking, albeit nefarious, domains to encourage people to click on links in emails or in search results.

Figure 2: Web traffic to malicious COVID or Coronavirus-themed URLs (3-month period).

Observation 3 – Newly registered domains

Employees browsed to newly registered COVID or Coronavirus-themed domains only several hundred times per day over the three-month period. Such domains included so-called COVID trackers and newly registered news websites.

Spikes in browsing activity to such domains occurred at multiple times in March. One such spike can be explained by interest in a legitimate Indian COVID-19 tracking site, correlating with an order prescribing lockdown in the country.

Note: In the figure below, we have not made a determination of whether the domain in question was malicious or legitimate.

Figure 3: Web traffic to websites categorized as Newly Registered Websites (3-month period).

Email traffic

Emails were classified as “clean,” “virus” or “spam” by our Cloud Email Security solution. During peak volumes, we identified 1.5 million COVID-related emails per day in total. This is the disposition our customers will see in the product’s dashboard.

Observation 4 – Legitimate email traffic

Employees at organizations around the globe have been sharing, and are in receipt of, legitimate emails containing COVID or Coronavirus-themed embedded URLs. Interest in such content began to rise noticeably in mid-March, hitting one million legitimate emails per day across our systems. Interest has remained phenomenally high since then.

Figure 4: Legitimate emails containing COVID or Coronavirus-themed embedded URLs.

Observation 5 – Spam emails

Spam emails containing COVID or Coronavirus-themed embedded URLs during January and February 2020 were observed in the tens of thousands per day. Scammers ramped up activity in mid-March as they made adjustments to existing spambots. Over half a million scams per day were blocked by Forcepoint X-Labs from mid-March onwards. Notice the decline in such sends during the Easter and Passover period.

Figure 5: Spam emails that included COVID or Coronavirus-themed embedded URLs.

Observation 6 – Malicious email traffic

Traditionally, the number of malicious emails seen per day through Forcepoint Cloud Email Security solutions is orders of magnitude lower than the number of observed spam emails. The same can be said of COVID and Coronavirus-themed malicious emails. Up until the week of 16 March, the number of malicious emails containing embedded COVID and Coronavirus-themed URLs had not increased for the previous eight weeks. The week of 23 March saw the largest increase (358%) in such emails compared with the final working day of the previous week. The first week of April saw a significant decline, but the number of malicious emails has increased ever since.

Figure 6: The 3-month trend of malicious emails with the COVID or Coronavirus keyword in embedded URLs.
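To make the Methodology concrete, and the day-over-day comparison used in Observation 6 reproducible, here is an added example of the keyword filter and daily aggregation described above. It is illustrative code written for this page, not Forcepoint's tooling; the log records, field layout and dispositions are constructed, and the 358% figure in the text is not reproduced.

```python
import re
from collections import Counter
from datetime import date

# Keyword filter described in the Methodology: "COVID" or "Corona" anywhere
# in the URL, matched case-insensitively against host and path alike.
KEYWORDS = re.compile(r"covid|corona", re.IGNORECASE)

# Constructed sample records (not Forcepoint data). Each row is a web request
# or an email's embedded URL: (date, channel, URL, product disposition).
# 2020-03-20 is a Friday, 2020-03-23 the following Monday.
SAMPLE_RECORDS = [
    ("2020-03-20", "web",   "https://covid19-tracker.example/stats",    "clean"),
    ("2020-03-20", "email", "https://news.example/world/corona-update",  "clean"),
    ("2020-03-20", "email", "http://corona-relief-fund.example/claim",   "spam"),
    ("2020-03-20", "email", "http://covid-invoice.example/doc.php",      "virus"),
    ("2020-03-20", "web",   "https://intranet.example/holiday-policy",   "clean"),
    ("2020-03-23", "email", "http://coronavirus-map.example/update.exe", "virus"),
    ("2020-03-23", "email", "http://covid-payout.example/verify",        "virus"),
    ("2020-03-23", "email", "http://free-corona-masks.example/order",    "spam"),
    ("2020-03-23", "web",   "https://weather.example/forecast",          "clean"),
]

def themed(url):
    """True when the URL contains either keyword in its host or path."""
    return KEYWORDS.search(url) is not None

def daily_counts(records):
    """Count themed URLs per (date, disposition). Non-themed URLs are skipped.
    Only counts are retained, mirroring the anonymized, attribution-free approach."""
    counts = Counter()
    for day, _channel, url, disposition in records:
        if themed(url):
            counts[(day, disposition)] += 1
    return counts

def percent_change(counts, disposition, baseline_day, compare_day):
    """Percentage change for one disposition between two days, e.g. a Monday
    against the final working day of the previous week. None if no baseline."""
    before = counts[(baseline_day, disposition)]
    after = counts[(compare_day, disposition)]
    if before == 0:
        return None  # avoid reporting an infinite increase from a zero baseline
    return round((after - before) / before * 100, 1)

def is_weekend(day):
    """Weekend flag, to separate the weekend dips noted in the text from weekday volume."""
    return date.fromisoformat(day).weekday() >= 5
```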

Conclusion

Cybercriminals have adapted to exploit the public’s interest in COVID-19 and Coronavirus. This should not come as a surprise to defenders of global organizations as we see this modus operandi on a daily basis. The email and web attack vectors remain key components in a cybercriminal’s arsenal.

In response to global events, we have also seen changes in the behavior of employees within organizations around the world as they respond to mandates set by the government or their own employers.