It's sad to think criminals are hard at work taking advantage of the extraordinary stress the world's population is currently experiencing. But they are. New phishing scams exploiting anxiety about COVID-19 are trending upward. Akamai's Carrier Data Science and Threat Research teams analyzing real-time worldwide DNS resolution data have listed as many as 9,000 COVID-19 related phishing urls daily over the last few weeks.
On average, there are around 400 new virus-related domains each day and the number has been growing. Most of the domains we've been tracking disappear within 24 hours, which is consistent with longevity statistics we've gathered for names used for phishing. In the past, the general trend for lifetimes for these kinds of malicious domains is that 89% last less than 24 hours, and 94% had a lifespan of less than three days.
Some of the domain names being used for these attacks contain words like "test-kits," "anti-corona-virus," "stop-corona-virus" and "corona-virus-masks" that suggest what's on offer when a user clicks. Other domain names conjoined words like "business" and "support." As part of their work, researchers use a tool that can navigate to phishing links and capture landing pages. They have observed pages in multiple languages including English, German and Arabic. As is often the case for developers of phishing exploits, mastery of language is not a strength. Some pages contain the awkward phrasing and poor grammar that characterize the craft. There are also distorted statistics and commentary about the impact of the outbreak intended to create a sense of urgency to provoke sales.
Phishing has always relied on human factors. With the world focused on a single issue, everyone's a potential target. Media outlets informed by the security community are raising awareness with explanations of what's happening and advice. We're also getting inquiries from ISPs and MNOs who are committed to helping defend their subscribers.
Bruce Van Nice is a senior product marketing manager at Akamai.