A Palo Alto Networks study reveals how cybercriminals are preying on the COVID-19 pandemic

    With the spread of the coronavirus worldwide, interest is high in related topics. Accordingly, researchers from Palo Alto Networks’ Unit 42 found an immense increase in Coronavirus-related Google searches and URLs viewed since the beginning of February. Cybercriminals are looking to profit from such trending topics, disregarding ethical concerns and, in this particular case, preying on the misfortunes of billions.

    To protect customers of Palo Alto Networks, Unit 42 researchers monitor user interest in trending topics and newly registered domain names related to these topics, as miscreants often leverage them for malicious campaigns. 

    Using Google Trends and traffic logs, researchers observed a steep increase in user interest in topics related to Coronavirus, with prominent peaks at the end of January, the end of February, and the middle of March 2020. 

    Accompanying the growth in user interest, there was a 656% increase in the average daily Coronavirus-related domain name registrations from February to March. In this timeframe, a 569% growth in malicious registrations was observed, including malware and phishing, and a 788% growth in “high-risk” registrations, including scams, unauthorized coin mining, and domains showing evidence of association with malicious URLs or use of bulletproof hosting. 

    As of the end of March, 116,357 Coronavirus-related newly registered domain names were identified. Out of these, 2,022 are malicious and 40,261 are “high-risk”. 

    These domains were analyzed by clustering them based on their Whois information, DNS records and screenshots (collected by automated crawlers) to detect registration campaigns. While many domains are registered to be resold for a profit, a significant fraction of them are used both for well-known malicious activities and for fraudulent shops selling items in short supply. 

    The traditional malice abusing Coronavirus trends includes domains hosting malware, phishing sites, fraudulent sites, malvertising, cryptomining, and Black Hat Search Engine Optimization (SEO) for improving the search rankings of unethical websites. Interestingly, although many webshops that use newly registered domains try to scam users, the team detected an especially unethical cluster of domains capitalizing on users’ fear of Coronavirus to further frighten them into buying their products. Moreover, a group of Coronavirus-themed domains now serve parked pages with high-risk JavaScript that may, at any time, start redirecting users to malicious content.


    Unfortunately, there will always be cybercriminals who will attempt to victimize people during local, national, and world events when their fears are elevated. This same type of behavior has been observed time and time again: when calamitous events occur, cybercriminals start to circle for victims. Sadly, this exploitative type of behavior is not expected to go away anytime soon. 

    Examine domain names for legitimacy

    People should be highly skeptical of any emails or newly registered websites with COVID-19 themes, whether they claim to have information, a testing kit, or a cure. Special care should be taken to examine domain names for legitimacy and security, such as checking that it is the legitimate domain (google[.]com, not g00gle[.]com) and that a lock icon appears to the left of the browser’s URL bar, indicating a valid HTTPS connection. 

    Check the sender’s email address

    Similar care should be taken with any COVID-19-themed emails: a look at the sender’s email address often reveals that the content is likely not legitimate, as the address is either unknown to the recipient, misspelled, or suspiciously long with random-seeming characters. 
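    The three sender-address checks described above (unknown domain, misspelled domain, long random-looking local part) can be applied mechanically to a From: header, together with a check that a display name invoking a brand actually comes from that brand's domain. The Python below is an added example written for this page, not code from Palo Alto Networks or the study; the allowlist of known domains, the brand-to-domain map, the similarity and entropy thresholds, and the sample headers are all constructed assumptions.

```python
import math
import re
from collections import Counter
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlist: domains the recipient genuinely corresponds with.
KNOWN_DOMAINS = {"who.int", "cdc.gov", "example-corp.com"}

# Constructed map of brand words that may appear in a display name to the
# domains those brands legitimately send from.
BRAND_DOMAINS = {"who": {"who.int"}, "cdc": {"cdc.gov"}}

# Constructed sample From: headers, one legitimate and two suspicious.
SAMPLE_HEADERS = [
    "World Health Organization <donotreply@who.int>",
    "WHO Alerts <covid19-update@wh0.int>",
    "CDC <a8f3k2x9q1zv7mnb4@mail-relay-7731.example>",
]

LOOKALIKE_MIN_SIMILARITY = 0.8   # assumption: this close to a known domain = probable misspelling
RANDOM_MIN_LENGTH = 16           # assumption: local parts this long ...
RANDOM_MIN_ENTROPY = 3.5         # ... and this varied look machine-generated


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; a string of all-distinct characters scores log2(len)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def closest_known(domain: str) -> tuple:
    """Return (known_domain, similarity) for the allowlisted domain most like `domain`."""
    best, score = "", 0.0
    for known in KNOWN_DOMAINS:
        ratio = SequenceMatcher(None, domain, known).ratio()
        if ratio > score:
            best, score = known, ratio
    return best, score


def inspect_sender(from_header: str) -> dict:
    """Apply the sender-address checks to a single From: header value."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    flags = []

    known = domain in KNOWN_DOMAINS
    if not known:
        flags.append("unknown-sender-domain")
        near, similarity = closest_known(domain)
        # Nearly identical to a trusted domain but not equal: one swapped character.
        if LOOKALIKE_MIN_SIMILARITY <= similarity < 1.0:
            flags.append(f"lookalike-of:{near}")

    # Long, high-entropy local parts are the "random-seeming characters" case.
    if len(local) >= RANDOM_MIN_LENGTH and shannon_entropy(local) > RANDOM_MIN_ENTROPY:
        flags.append("random-local-part")

    # The display name invokes a brand, but the address does not belong to it.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", display.lower()) and domain not in domains:
            flags.append(f"display-name-mismatch:{brand}")

    return {"address": addr, "known": known, "flags": flags}


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = inspect_sender(header)
        verdict = "ok" if not result["flags"] else "suspicious"
        print(f"{verdict:10} {result['address']:45} {', '.join(result['flags'])}")
```

    The similarity check deliberately requires the domain to be close to but not equal to an allowlisted one, so wh0.int is reported as a look-alike of who.int while an unrelated relay domain is only reported as unknown. The entropy threshold is a heuristic: ordinary names and words repeat letters and score well below 3.5 bits per character, whereas a 17-character string of distinct characters scores above 4.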

    Block access to newly registered domains

    To protect users from cybercriminals, Palo Alto Networks’ best practice recommendation for URL Filtering is to block access to the Newly Registered Domain category. However, if you cannot block access to the Newly Registered Domains category, our recommendation is to enforce SSL decryption for these URLs for increased visibility, to block users from downloading risky file types such as PowerShell scripts and executables, to apply a much stricter Threat Prevention policy, and to increase logging when accessing Newly Registered Domains. DNS-layer protection is also recommended, as over 80% of malware uses DNS to establish C2.
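    The two recommendations on this page, examining a domain for look-alike substitutions (google[.]com vs g00gle[.]com) and treating newly registered domains as block-or-inspect, can be combined into a small triage routine over a feed of observed domains and their creation dates. The Python below is an added example, not code from Palo Alto Networks or from the URL Filtering feature it describes; the 32-day window used to call a domain newly registered, the theme keyword list, the legitimate-domain allowlist, the confusable-character table, and the feed of domains with creation dates are all constructed assumptions.

```python
from datetime import date
from typing import Optional

# Constructed allowlist of legitimate domains users are expected to reach.
LEGITIMATE = {"google.com", "who.int", "cdc.gov"}

# Constructed keyword list marking a domain as riding the pandemic topic.
THEME_KEYWORDS = ("coronavirus", "corona", "covid", "ncov", "pandemic")

# Digit/symbol substitutions commonly used in look-alike registrations (assumption).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"})

# Assumption: a domain younger than this is treated as newly registered.
NRD_WINDOW_DAYS = 32

# Constructed reference date and feed of (domain, WHOIS creation date) observations.
TODAY = date(2020, 3, 31)
OBSERVED = [
    ("g00gle[.]com", date(2020, 3, 25)),
    ("c0ronavirus-cure.example", date(2020, 3, 20)),
    ("corona-news.example", date(2019, 6, 1)),
    ("weather-today.example", date(2020, 3, 25)),
]


def normalize(domain: str) -> str:
    """Refang, fold digit-for-letter swaps and drop hyphens: c0r0na-virus -> coronavirus."""
    return domain.lower().replace("[.]", ".").translate(CONFUSABLES).replace("-", "")


def is_themed(domain: str) -> bool:
    """True if the normalized name contains a pandemic keyword."""
    folded = normalize(domain)
    return any(keyword in folded for keyword in THEME_KEYWORDS)


def lookalike_of(domain: str) -> Optional[str]:
    """Return the legitimate domain this name collapses onto after normalization, if any."""
    plain = domain.lower().replace("[.]", ".")
    if plain in LEGITIMATE:
        return None
    folded = normalize(domain)
    for legit in LEGITIMATE:
        if folded == normalize(legit):
            return legit
    return None


def triage(domain: str, created: date, today: date = TODAY, block_nrd: bool = True) -> dict:
    """Decide how to handle one domain from its registration age and name features.

    block_nrd=True models the recommended policy (block the whole NRD category);
    block_nrd=False models the fallback (decrypt, stricter prevention, more logging).
    """
    age_days = (today - created).days
    nrd = 0 <= age_days < NRD_WINDOW_DAYS
    themed = is_themed(domain)
    imposter = lookalike_of(domain)

    if imposter is not None or (nrd and block_nrd):
        action = "block"
    elif nrd:
        action = "decrypt+strict-prevention+log"
    else:
        action = "allow"

    return {
        "domain": domain,
        "age_days": age_days,
        "nrd": nrd,
        "themed": themed,
        "lookalike_of": imposter,
        "action": action,
        # Newly registered and topical: worth an analyst's look even when allowed through.
        "review": nrd and themed,
    }


def triage_feed(feed=OBSERVED, today=TODAY, block_nrd=True) -> dict:
    """Run triage over a feed and key the results by the observed domain string."""
    return {domain: triage(domain, created, today, block_nrd) for domain, created in feed}


if __name__ == "__main__":
    for policy in (True, False):
        print(f"--- block_nrd={policy}")
        for result in triage_feed(block_nrd=policy).values():
            print(f"{result['action']:30} age={result['age_days']:4} themed={result['themed']!s:5} "
                  f"lookalike={result['lookalike_of']}  {result['domain']}")
```

    A look-alike of an allowlisted domain is blocked under either policy, because the name itself is the evidence; a themed but long-established domain such as corona-news.example is allowed, since age and topic alone are not proof of malice. The `review` field separates the newly registered and topical names, which the study found to be the fastest-growing group, for analyst follow-up when the fallback policy lets them through.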

    Due to the suddenness of the coronavirus outbreak, many employees are self-isolating and working from home. While organizations have always provided secure access to their employees via VPN connections, the enormous amount of employees requiring secure access is unprecedented and requires additional resources and capacity. 

    Palo Alto Networks offers Prisma Access, a cloud-delivered secure access service edge (SASE) platform that provides consistent policy enforcement and security for remote offices and mobile users, and will scale up and down as business demands evolve.

    To learn more about how Palo Alto Networks can help remote employees, check out Nir Zuk’s webcast on how to enable business continuity.

    Unit 42 is the threat intelligence arm of Palo Alto Networks, the global leader in cybersecurity. The study was authored by Janos Szurdi, Zhanhao Chen, Oleksii Starov, Adrian McCabe, and Ruian Duan.
