Governments and organisations globally have been making announcements that just
a few weeks prior would have been unprecedented. As more of our lives are moving
online in an attempt to adapt to changes brought about by the Coronavirus
pandemic, many are trying out services they were previously unfamiliar with, such
as video conferencing or online grocery shopping. While others are finding
themselves with more time to pursue online hobbies such as gaming.
The combined effect of information overload and a mass of people using
unfamiliar software and services has created an environment ripe for
exploitation by cybercriminals.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly
after it was declared a pandemic by the World Health Organisation. While Netcraft continues to see
high volumes of Coronavirus-inspired fake shops, advanced fee fraud, phishing
and malware lures, this post covers some of the trends Netcraft has observed
since our previous posts
on the topic.
Recently observed Coronavirus-themed threats
Fake Government information sites and mobile malware
Many governments have set up dedicated websites offering advice and services to
support their citizens through the pandemic. Cybercriminals are taking advantage
of this by providing copy-cat sites with a malicious twist.
In one recent campaign, the cybercriminals deployed a site that poses as the UK
Government and offers “credit card refunds” for “COVID-19 support”. The
fraudulent site uses UK Government branding and collects the victim’s personal
information – including their credit card number, date of birth and telephone
In another case, cybercriminals set up a fake site which looked identical to the
Australian Government’s. But rather than providing the government’s latest
Coronavirus advice, it included a link to an Android application which claimed
to provide information on how to get tested. In reality, the mobile application
deployed Cerberus, a popular Android banking trojan, which uses overlays to steal
Phishing targeting video conferencing platforms such as Zoom
As companies transition their employees to remote working, many are making
increased use of video conferencing platforms such as Zoom. Netcraft has
observed a number of phishing attacks targeting Zoom suggesting that
cybercriminals have identified this as an opportunity.
A compromised zoom account can be used by a cybercriminal to launch further
attacks such as: Posing as an employee by sending out meeting requests which
appear to be from the company (a supermarket purchaser making an order with a
supplier, for example); enumerating employee names and contact information using Zoom’s
“Company directory” feature; gaining access to employee email accounts if the
same password is used for their Zoom account; and downloading recordings of
Netcraft has also seen a Zoom-branded Active Directory Federation phish which
may have been used in a targeted attack on Zoom employees.
Phishing sites impersonating financial institutions referencing Coronavirus
Many governments have announced unprecedented changes in legislation to help
ease the financial burden caused by the Coronavirus pandemic. Netcraft has
observed phishers taking advantage of the confusion by creating phishing sites
targeting financial institutions and including in-page lures that claim to offer
financial assistance in exchange for the victim’s personal information.
In a recent campaign, cybercriminals added a banner to a phishing site targeting
Poste Italiane. The banner stated that new COVID-19 regulations required
customers to hand over their personal information (including credentials, credit
card and account balance) and failure to do so would result in their account
being “blocked”. Anyone who takes a closer look at the message would soon
realise that “article 190.4 paragraph 3” is in no way related to Coronavirus.
Cybercriminals that target Italian banks often include references to current
events in their phishing sites. Previously we’ve seen references to the EU
Directive for Payment Services
Coronavirus crooks target online gamers
Online gaming has seen a significant increase in usage with Verizon, one of the
largest connectivity providers in the US, reporting a 102% increase in gaming
compared with a typical day.
Cybercriminals aware of this have been stepping up attacks on users of online
gaming platforms using Coronavirus-themed phishing attacks perhaps hoping to
take advantage of new players who are less familiar with how the games they’re
playing are intended to behave.
In one incident cybercriminals created a fake blog for
, a massively multiplayer online role-playing
game developed by Ankama
that has attracted over 40
million users. The fake blog, written in French, refers to “measures taken by
the French government” and offers victim’s increasing numbers of game artefacts
based on their experience. A user who falls victim to the scam is presented with
a login box that steals their credentials.
Ankama claims to protect their players from phishing attacks with Ankama Shield,
a feature that provides email-based two-factor authentication. However, this
appears to be no obstacle for the cybercriminals. The phishing site makes a
login request with the victim’s credentials which causes Ankama to send an
authentication code to the victim’s email account. The phishing site brazenly
requests the victim hand over the token to login. Once the cybercriminal has a
valid session, we expect they immediately steal the victim’s game artefacts. In
reference to “confinement”, the fraudsters even have the audacity to sign off
with the ironic statement “we want to make this cold moment as pleasant as
possible for you”.
Website defacements with Coronavirus messages
Criminals involved in a wide range of cybercrime activities are taking advantage
of the attention surrounding Coronavirus. An ISIS-inspired web defacer plastered
a series of German websites with the ISIS flag to inform visitors of the sites
that “Germans will be destroyed by the Islamic State and the Corona Virus”.
Governments and industry respond
Governments have begun to respond with legislation to tackle Coronavirus-related
cybercrime with Denmark taking some of the toughest action. Their new
introduces tougher penalties into the Danish criminal code: up to double the
penalty if the crime exploits Coronavirus and quadruple if it involves a
financial element as well. The legislation also adds provision for requiring
Danish ISPs to block fraudulent Coronavirus-related websites at the DNS level.
Meanwhile EURid, the .eu registry, has added a
for all domain
registrations which contain a Coronavirus or COVID-19 keywords to validate their
registration information and submit a “good faith” statement within seven days.