Special Feature
Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

Thousands of COVID-19 scam and malware sites are being created on a daily basis

Malware authors and fraudsters aren't letting a tragedy go to waste.

How cyber criminals are trying to exploit coronavirus fears

latest developments

Coronavirus: Business and technology in a pandemic

From cancelled conferences to disrupted supply chains, not a corner of the global economy is immune to the spread of COVID-19.

Read More

In the midst of a global coronavirus (COVID-19) pandemic, hackers are not letting a disaster go to waste and have now automated their coronavirus-related scams to industrial levels.

According to multiple reports, cybercriminals are now creating and putting out thousands of coronavirus-related websites on a daily basis.

Most of these sites are being used to host phishing attacks, distribute malware-laced files, or for financial fraud, for tricking users into paying for fake COVID-19 cures, supplements, or vaccines.

Things are now worse than ever

While some sheepish coronavirus email scam campaigns started making their presence felt online in early February, things have now reached their peak.

Malware gangs are now regularly using coronavirus email lures to trick users into downloading malware, and even state-sponsored hacking groups have jumped on the trend and adopted similar tactics. This new trend/practice has become so obvious that the UK National Cyber Security Center (NCSC) felt obliged to send out a security alert on Monday about the rise in coronavirus-related email phishing campaigns.

But as the coronavirus pandemic slowly spreads from the few countries it initially affected, the entire world is also becoming more entranced with the topic.

This gives cybercriminals more ample opportunities to trick users into either downloading and installing malware or purchasing fake products.

Over the course of the last week, several security researchers have noted a spike in the number of coronavirus-related domains, with attacks growing in conjunction with the disease's spread.

From tens a day in February, there are now thousands of new domains popping up daily, containing terms like coronavirus, covid, pandemic, virus, or vaccine.

A security researcher who goes online by the name of DustyFresh began tracking some of these domains last week. According to a list the researcher shared online, crooks have created more than 3,600 new domains that contain the "coronavirus" term between March 14 and March 18.

Some are legitimate sites, but the vast majority are domains used for online fraud, malware distribution, or obvious scams, peddling vaccines and supplements.

covid-scam.png

Coronavirus scam site

But DustyFresh only scanned for new domains containing the term coronavirus. If we extend the scan to include other terms like covid, pandemic, virus, or vaccine, the results are even bigger.

And this is what threat intelligence firm RiskIQ did last week. The company is now publishing new lists of coronavirus-related domains on a daily basis, and the numbers are absolutely staggering.

For example, RiskIQ saw more than 13,500 suspicious domains on Sunday, March 15; more than 35,000 domains the next day; and more than 17,000 domains the day after that.

ZDNet has spent the past two days looking at some of these domains, at random. While we found some legitimate sites here and there, in nine out of ten cases, we found a scam site peddling fake cures, or private sites, most likely used for malware distribution only to users with a specific referral header.

ZDNet readers can see for themselves how fast these new domains are being created thanks to this dashboard, fro, security researcher @sshell_, which aggregates RiskIQ's feed and lists domains in real-time, as they're being discovered.

covid-scams.png

Mobile users are targets as well

But the coronavirus malware and scam campaigns aren't only targeting desktop users. Mobile users are just as affected.

Lukas Stefanko, a mobile malware analyst for ESET, is also keeping track of all the coronavirus-themed malware slung at Android users on a daily basis. And there's been quite a lot, according to a living blog post the researcher is updating daily.

The most notable of all campaigns targeting Android users is a ransomware strain that locks user devices after users install a Coronavirus tracker app. Fortunately, Stefanko was able to discover a universal unlock code that lets users regain access to their smartphones without needing to pay the ransom demand.

All in all, in the coming months, malware campaigns and online fraud leveraging and focusing on the COVID-19 outbreak are expected to continue, as hackers are known to not letting a tragedy go to waste.