Google: Here's how phishing and malware attacks are evolving

Coronavirus-themed phishing lures are still on the rise, particularly in certain geographic locations - but most are being stopped before they reach your inbox.
Written by Danny Palmer, Senior Writer

Cyber criminals are tailoring coronavirus-related phishing and malware attacks to make them more effective at targeting victims in certain locations around the world, even as attackers continue to distribute millions of malicious spam emails every single day.

Google Cloud has detailed how the past month has seen the emergence of regional hotspots for COVID-19-related cyberattacks, with the UK, India and Brazil all seeing a rise in malware, phishing and spam campaigns looking to exploit fears over the virus.

In each case, the attacks and scams are using regionally relevant lures such as supposed government advice in an effort to reel victims in.


One example targeting people in the UK masquerades as an email from the Small Business Grant fund, a government initiative to help small businesses get through coronavirus. These attacks, which often involve a malicious file or phishing link, are designed to trick the victim into giving up personal information, as well as financial details.

Other attacks are more basic, but could scare people into falling victim, and Google notes that attackers do attempt to send messages that claim to be from Google.

For example, one message that attackers are attempting to distribute uses subject lines related to coronavirus to lure users into opening the message – the email then claims they've requested to deactivate their account and to click a link within 24 hours to stop it happening. This link is designed to harvest data.

Meanwhile, campaigns targeting Brazil are preying on financial fears and the rise of streaming services, while attacks in India are focused around back-to-work and health schemes.

While attackers are sending these messages out, Google notes that 99.9% of spam campaigns claiming to be from governments or Google are automatically blocked by filters. The company said it has put proactive monitoring in place for COVID-19-related malware and phishing across its systems and workflows. In many cases, however, these threats are not new – rather, they're existing malware campaigns that have simply been updated to exploit the heightened attention on COVID-19. Google said its AI-based security systems are also able to pick up new trends and novel attacks automatically.

Sam Lugani, lead security for G Suite & Google Cloud Platform, told ZDNet that Google's security protects user accounts against incoming messages from domains that appear visually similar or use visually similar elements to established domains.

"We also leverage authentication signals, such as DMARC policies that brands have defined, as well as other security signals from Safe Browsing to determine the safety level of every email that our users receive," he added.

No new figures have been detailed, but last month Google said it was seeing 18 million malware and phishing emails a day, along with 240 million messages specifically using COVID-19 as a lure.


The ability to stop hundreds of millions of malicious messages even being sent via Gmail and other Google Cloud products forms part of what the company describes as a "safe-by-default" strategy that looks at signals in attachments, links, external images, and more in an effort to block new and evolving threats. 

While the vast majority of threats are detected and stopped, the sheer number of attacks – and the way they're constantly managing to avoid detection – means that inevitably some will slip through.

But there are measures users can take to help stay safe, starting with avoiding downloading files that you don't recognise and checking to see if a URL in an email looks like it could be suspicious.

Users should also turn on two-factor authentication, so if someone does manage to get hold of account credentials, there's an extra barrier to stop the account being abused.

