by Shashi Prakash, Chief Scientist, Bolster Inc.

Bolster Platform and submissions to CheckPhish URL scanner have revealed a huge spike in phishing sites as the COVID-19 pandemic creates a larger remote workforce.

CheckPhish.ai telemetry has detected thousands of attacks by cybercriminals with the intent of penetrating networks and stealing corporate data. These attacks use phishing web pages to intercept credentials and logins from new remote workers that may be unfamiliar with secure logins for remote working and collaboration tools, such as Microsoft Teams and Skype. With stolen network credentials, hackers can execute sensitive data-stealing attacks, malware payload deliveries or ransomware compromises.

--Visit our COVID-19 Global Online Phishing and Scam Dashboard--

Targeting Office.com

Microsoft’s Office suite of business applications has been a primary toolset of office workers for decades. After dominating the desktop over this period, Microsoft brought these tools online, allowing increased collaboration and the ability to work from anywhere on the globe with an internet connection.

With workers increasingly ordered home by employers and civic authorities in an effort to flatten the curve of COVID-19 infection, Microsoft’s online tools have become essential for the ongoing functionality and continuity for businesses today. However, many of the workers accustomed to working in the office, but now operating remotely, may be using the online versions of these applications through Office.com for the first time. Even amongst those acquainted with the desktop applications, many may be unfamiliar with security best practices for the online version of these tools.

The cybercriminal element is always attentive to trends and tendencies they can exploit. Employee unfamiliarity and a larger number of remote workers within the ocean of the internet means that the bad guys are out phishing with a renewed fervor, with counterfeit Office pages a primary means to compromise. Whether combined with email phishing campaigns, or residing on domains typo squatted to resemble official sites, history shows that lures driving unsuspecting users toward these counterfeit domains and compromise are effective. Further tilting the risk factor, workers unaccustomed to the remote environment may also be increasingly distracted by sub-optimal conditions for focused work, with up-to-the minute headlines and announcements about the virus outbreak demanding attention or a house full of kids also forced to stay home due to school closures.

With these distractions and others, many users may click to and enter credentials without a hint of suspicion, because the login pages for these tools are extremely easy to replicate.

Microsoft Outlook Phishing Scams
Legitimate Outlook login page or not?

The image of this counterfeit outlook.com site was collected on March 20, 2020 by CheckPhish.ai.

Through CheckPhish.ai, we have documented that scam sites targeting Microsoft’s cloud tools for workers are on their way to doubling, increasing 72 percent from January to March.

· From January to February, CheckPhish noted a 17 percent increase in credential-stealing sites attempting to replicate Office.com and Outlook.com

· From February to March, these spiked an additional 46 percent as criminals doubled down on the tactic as more workers went to telecommuting.

· This year alone, CheckPhish has documented tens of thousands of incidents of scam pages targeting Microsoft remote working tools and services alone.

Phishing for Collaboration and Conferencing Tools

In addition to a rapidly expanding volume of fake sites targeting Microsoft tools, we have also observed that other tools frequently used by remote workers are being targeted with increasing frequency. Phishing sites replicating remote conference tools, such as Skype, WebEx and Zoom are also proliferating rapidly, with many more currently being staged for later attacks and sequential phishing campaigns.

· Employee, team and personal video and phone conferencing service Skype has been the target of a notable increase in counterfeiting, jumping almost one-third (31 percent) from February to March.

· Researchers are tracking a growing number of scam sites targeting Zoom. Security teams are currently battling this scourge at the domain registration level, but it is only a matter of time before they are spread in the wild, beyond the current smattering of sites actively being monitored.

Other Targets of Opportunity

Given an increasing public reliance on the internet for goods and services, cybercriminals are pouncing on other website targets of opportunity.

Amazon and gaming hub Steam also entered into, or remain, within our Top Phished Brands list over the course of the first quarter.

Phishing attacks through Amazon and gaming hub Steam
Steam phishing example

CheckPhish.ai captured this image of a counterfeit Steam login on March 20, 2020.

In March, the overall number of phishing sites leapt to 235 percent of their February level, as criminals seek to target a population increasingly reliant on the web, eCommerce and remote services. CheckPhish is actively tracking close to 100,000 counterfeit sites on the internet.

Online criminals are adaptable. Since the first news of an outbreak of the novel coronavirus COVID-19, to today’s pandemic of cases and through municipal and federal responses, cybercriminals continue to adapt their attack methodology.

Cybercrime is a virus. Every day, internet predators attack what we hold dear. We believe that access to a safe internet experience should be a global human right. In a time when our way of life is targeted by a real virus, we must continue to be vigilant against the antics and ploys of criminals using the internet to do us harm.

In response to this surge in criminal phishing activities, we will be working to create and launch a COVID Phishing Command Center. Initially, we will provide an absolute count of detected phishing sites, share a live preview of the phishing URLs and we will also be sharing a blacklist of these detected URLs. Security professionals will have free access to this blacklist, allowing you and your colleagues to add these URLs into their SIEM/SOAR/security/email protection platform to immediately start protecting against future attacks using these false sites.

To those assets we will begin to add trend numbers and trend lines and a map of the geographic distribution of the scam site hosts.

We hope that by putting these anti-phishing services and tools in the right hands, we can prevent the criminal element from preying on remote workers, gamers and the general public at a time when our focus should be on fighting a real, rather than virtual, virus.