sb-eu logo
Story image

Phishing becoming more prolific and impregnable - report

19 Jun 2020

The most prolific form of cyber attack to emerge in the COVID-19 era is becoming even more targeted and difficult to defend against as the pandemic wears on, according to new research released by ProPrivacy.

Phishing campaigns continue to grow in scope and prominence rather than lose influence as more people return to work. 

The study, conducted with VirusTotal and WHOIS XML, analysed more than 600,000 domains to accurately track malicious activity throughout the pandemic. 

This analysis found that the number of phishing domains being registered peaked in March, yet domain registry activity remains high three months later with as many as 1,200 domains still being registered each day. 

125,000 domains in total have been found to be malicious by the study – the ‘vast majority’ being used for phishing purposes.

“It would be easy to look at the overall trend and conclude that phishing activity related to the pandemic has simply fizzled out, but that’s not an accurate assessment,” says lead researcher Sean McGrath.

“These malicious campaigns have moved underground and are now addressing our most intimate concerns. When will my children return to school? Will I lose my job? 

“It is these - truly human - questions that will fuel the 'second peak' of malicious activity. This is the next battlefront in the digital pandemic.” 

Indeed, researchers noted that campaigns gradually became more targeted and potent as time wore on, evolving to take advantage of new and emerging fears held by the public.

Whereas in March, many registered domains related to terms like ‘covid’ or ‘mask’, months on there has been an increase in domain registrations related to unemployment, welfare benefits, and stimulus packages.

The passage of time has also provided attackers with valuable experience and insights over which campaigns work and which don’t – meaning attacks are more nuanced and sophisticated than they were before.

These focused campaigns are not only more likely to succeed, but they are becoming increasingly difficult for the threat intelligence community to identify using conventional broad stroke methods, according to ProPrivacy. 

As part of the research, ProPrivacy tracked all domains registrations from January 1 2020, after which each domain was checked against VirusTotal’s database of more than 60 threat intelligence partners. 

Once the researchers identified which domains were malicious and/or being exploited in phishing campaigns, they noted the new themes that were emerging as public sentiments and concerns changed with time.

In the course of their study, researchers also found that GoDaddy was the most abused web host, hosting a disproportionately high number of domains used for phishing activity. 

The company, the largest hosting provider in the world with a 15% share of all hosted sites on the internet, hosted 37% of the 80,470 IP addresses analysed in the study.

“We see a lot of niche registrations in our typosquatting data feed files,” says an unnamed WhoisXML API researcher.

“Registrants seem to target vulnerable groups. We suspect that these domains could serve as social engineering baits and trigger emotional responses.”

Story image
Jamf extends Microsoft collaboration with iOS Device Compliance
Organisations will soon be able to use Jamf for Apple ecosystem management while using Azure Active Directory and Microsoft Endpoint manager to maintain conditional access.More
Story image
Radware issues security alert, warning of global rise of DDoS-for-hire
Efforts from corporations, law enforcement and independent researchers around the world have attempted in the last two years to curb this growth – but the industry keeps growing says Radware information security researcher Daniel Smith.More
Story image
Cryptomining trojan malware discovered by ESET researchers
The malware, primarily targeting victims in Czechia and Slovakia, prioritises subterfuge through deployment of multiple techniques to avoid detection, and leans heavily on the Tor network and BitTorrent protocol to achieve its goals.More
Story image
CrowdStrike integrates with ServiceNow program to bolster incident response
As part of the move, users can now integrate device data from the CrowdStrike Falcon platform into their incident response process, allowing for the improvement of both the security and IT operation outcomes.More
Story image
D-Link unveils new AI-powered cameras
The two new intelligent camera solutions offer advanced artificial intelligence, see-in-the-dark capability and improved interoperability.More
Story image
Proofpoint and CyberArk extend partnership to further safeguard high-risk users
“Our CyberArk partnership extension provides security teams with increased detection and enhanced adaptive controls to help prevent today’s most severe threats."More