COVID-19 phishing scams becoming more sophisticated

The project, conducted in partnership with VirusTotal (Alphabet) and WHOIS XML, analysed more than 600,000 domains to accurately track malicious activity throughout the pandemic. It found that the number of phishing domains being registered peaked in late March, but activity remains high with as many as 1,200 domains still being registered each day.

To date, the project has identified more than 125,000 domains labeled as malicious, the vast majority of which are used for phishing activity.

The researchers noticed that as the pandemic progresses, phishing campaigns are becoming more targeted and potent, taking advantage of specific fears and concerns held by the public. For example, while there has been a marked decrease in the number of domains related to terms like ‘COVID’ and ‘mask’, there has been a sharp increase in domain registrations related to unemployment, welfare benefits, and the US stimulus package.

Domain registrars have been proactive and effective in identifying generic domains related to the virus, but ProPrivacy’s research suggests that bad actors are now adopting a more nuanced approach. These focused campaigns are not only more likely to succeed, but they are becoming increasingly difficult for the threat intelligence community to identify using conventional broad stroke methods.

ProPrivacy tracked all domains registrations from January 1st, and each domain was checked against VirusTotal’s aggregated database of more than 60 threat intelligence partners. The team documented every domain labelled malicious and used a range of techniques to identify new themes that emerged throughout the pandemic.

“It would be easy to look at the overall trend and conclude that phishing activity related to the pandemic has simply fizzled out, but that’s not an accurate assessment,”

“These malicious campaigns have moved underground and are now addressing our most intimate concerns. When will my children return to school? Will I lose my job? It is these - truly human - questions that will fuel the 'second peak' of malicious activity. This is the next battlefront in the digital pandemic.” said Sean McGrath, lead researcher on the project.

According to a WhoisXML API researcher: “We see a lot of niche registrations in our typosquatting data feed files. Registrants seem to target vulnerable groups. We suspect that these domains could serve as social engineering baits and trigger emotional responses.”

The study also found that GoDaddy was the most abused web host, hosting a disproportionately high number of domains used for phishing activity. The Scottsdale-based company is the largest hosting provider in the world, hosting an estimated 15 percent of all websites. However, 37 percent of the 80,470 IP addresses analysed belonged to GoDaddy, with 3,285 resolving to the same IP address.