With March 2021 marking the one-year anniversary of the World Health Organization declaring COVID-19 a pandemic, an analysis shows COVID-19 vaccine-related phishing attacks rose by 530% between December 2020 and February 2021. Criminals also set up fake Pfizer and BioNTech websites to steal user credentials, it says.
Unit 42 (the Palo Alto Networks threat intelligence team), which carried out the analysis, says it found that vaccine-related phishing attacks rose by 530% from December 2020 to February 2021, and phishing attacks relating to or targeting pharmacies and hospitals rose by 189% during that same timeframe.
"Our analysis showed that Microsoft was the brand most targeted by attackers. For example, fake Microsoft pages were set up by attackers to steal credentials from employees at organizations such as Walgreens (US-based), Pharmascience (Canada-based), Glenmark Pharmaceuticals (India-based) and Junshi Biosciences (China-based). We found no evidence that any of these efforts were successful, but are highlighting these cases to make healthcare organizations around the globe aware of this heightened activity targeting their sector, so they can alert employees to be on guard for malicious credential-phishing sites," it added.
At various points during the COVID-19 pandemic, the team saw attackers shift their focus from one topic to another depending on the current state of events. In the early stages of the pandemic, it says, testing kits and PPE were a significant area of focus for attackers. The focus then shifted to government stimulus and relief programs, before pivoting again to the vaccine rollout, it says, adding, "As we have seen, attackers continually adapt to the newest trends. As a result, cybersecurity defences must adapt as well."
Unit 42 predicts that as the vaccine rollout continues, phishing attacks related to vaccine distribution - including attacks targeting the healthcare and life sciences industries - will continue to rise worldwide.
In April 2020, the threat intelligence team had reported on a large influx of COVID-19 themed phishing attacks starting in February 2020. With March 2021 marking the one-year anniversary, it decided to revisit the phishing trends it observed in the past year.
"We found that at each step along the way, attackers have continued to change their chosen tactics to adapt to the latest pandemic trends, in hopes that maintaining a timely sense of urgency will make it more likely for victims to give up their credentials," it says.
Starting with the set of all phishing URLs detected globally between January 2020 and February 2021, Unit 42 generated sets of specific keywords (or phrases) that served as indicators for each COVID-related topic, and applied keyword matching to determine which phishing URLs were related to each topic.
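A sketch of that kind of keyword matching, as an added example that is not Unit 42's code: the keyword sets, sample URLs and function names below are constructed for illustration, since the article does not publish the real ones. Matching is done on whole URL tokens so that a short keyword such as "ppe" does not fire on "shopper".

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed keyword/phrase sets per topic (assumption, not the real lists).
TOPIC_KEYWORDS = {
    "testing_ppe": {"test kit", "ppe", "n95"},
    "stimulus": {"stimulus", "relief fund"},
    "vaccine": {"vaccine", "vaccination", "pfizer", "biontech"},
}

# Constructed sample of (detection month, phishing URL) records.
SAMPLE = [
    ("2020-04", "http://n95-ppe-store.example/checkout"),
    ("2020-05", "https://irs-stimulus.example/claim"),
    ("2020-12", "http://login.vaccine-appointment.example/signin"),
    ("2021-02", "https://portal.example/covid19/vaccine/register?id=1"),
    ("2021-02", "https://pfizer-booking.example/account"),
    ("2021-02", "http://secure.example/biontech%20vaccine/verify"),
    ("2021-02", "https://shopper-rewards.example/login"),  # contains "ppe" only as a substring
]

def url_tokens(url):
    """Lower-case host, path and query, split into space-padded alphanumeric tokens."""
    parts = urlsplit(url if "//" in url else "//" + url)
    text = unquote(f"{parts.netloc} {parts.path} {parts.query}").lower()
    return " " + " ".join(re.findall(r"[a-z0-9]+", text)) + " "

def topics_for(url):
    """Return the topics whose keyword or phrase appears as whole tokens in the URL."""
    tokens = url_tokens(url)
    return {topic for topic, phrases in TOPIC_KEYWORDS.items()
            if any(f" {p} " in tokens for p in phrases)}

def monthly_counts(records):
    """Count matching URLs per topic per month; a URL counts once per topic."""
    counts = {topic: Counter() for topic in TOPIC_KEYWORDS}
    for month, url in records:
        for topic in topics_for(url):
            counts[topic][month] += 1
    return counts

def percent_change(counts, topic, start, end):
    """Percentage change between two months, or None when the base month is zero."""
    base = counts[topic][start]
    return None if base == 0 else (counts[topic][end] - base) / base * 100

if __name__ == "__main__":
    c = monthly_counts(SAMPLE)
    print(dict(c["vaccine"]), percent_change(c, "vaccine", "2020-12", "2021-02"))
```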
According to the threat intelligence team at Palo Alto Networks, individuals should continue to exercise caution when viewing any emails or websites claiming to sell any goods or services or provide any benefits related to COVID-19. If it seems too good to be true, it most likely is. Employees in the healthcare industry in particular should view links contained in any incoming emails with suspicion, especially from emails trying to convey a sense of urgency, it added.
Here are best practices suggested by Unit 42 to protect against phishing attacks:
• Exercising caution when clicking on any links or attachments contained in suspicious emails, especially those relating to one’s account settings or personal information, or otherwise trying to convey a sense of urgency.
• Verifying the sender address for any suspicious emails in your inbox.
• Double-checking the URL and security certificate of each website before inputting your login credentials.
• Reporting suspected phishing attempts.
• Implementing security awareness training to improve employees’ ability to identify fraudulent emails.
• Regularly backing up your organization’s data as a defence against ransomware attacks initiated via phishing emails.
• Enforcing multi-factor authentication on all business-related logins as an added layer of security.