Forcepoint: Three-Month Trend Analysis: COVID and Coronavirus-Themed Web and Email Traffic
(This blog post was originally published on April 21, 2020 by our partner Forcepoint on their own site.)
Forcepoint X-Labs is the custodian of threat and behavioral intelligence at Forcepoint. In analyzing anonymized recent web and email traffic from our global customer base we have observed some interesting trends. This analysis focused on traffic relating to the keywords “Corona” and “COVID.” We share our observations below to show how the behavior of both cybercriminals and your own people has changed in response to the situation in which we all now find ourselves.
- Web and email traffic processed by our Cloud Web Security and Cloud Email Security products was analyzed to surface trends of the last 3 months (19 January 2020 to 18 April 2020 inclusive).
- We searched for the keywords COVID and Corona in URLs accessed directly over the Web or embedded within an email.
- The analysis was applied to a global dataset of Forcepoint customers.
- Data was anonymized (counts only, no attribution) to protect the privacy of our customers as per our approach to “Privacy-by-Design.”
- The analysis shows that cyber criminals are opportunists seeking to piggyback on the public’s interest in COVID-19 and Coronavirus, as described recently in our Malware Author and Scammers post.
- Brand new COVID and Coronavirus-themed websites have been registered and activated for both legitimate and illegitimate means.
- Employees’ interest in COVID and Coronavirus-themed websites peaked in mid-March, correlating with the enactment of “lockdown” measures by governments around the world.
- We saw a rise in unwanted emails (malicious, spam or phishing) containing embedded URLs using the keywords COVID or Corona, from negligible volumes in January 2020 to over half a million blocked per day from the end of March onwards.
- Note the dip in activity at weekends as is usual with active spam campaigns.
- An email security solution is an effective “first line of defense” against so-called blended threats (emails containing an embedded URL).
Categorization of web traffic was achieved by our Cloud Web Security solution.
Observation 1 – Legitimate web traffic
From mid-January (the start of this reporting period) through to the end of February a steady undercurrent of browsing requests to legitimate COVID or Coronavirus-themed URLs was apparent. These requests relate to so-called COVID-19 tracking sites (sites set up specifically to share data points related to the pandemic) and news websites. During the first two weeks of March 2020 a significant rise (5 million+ categorizations) was observed that may correlate with the onset of lockdown procedures enacted by global governments and the move to remote working. A steady decline in activity was observed over the following three weeks, possibly relating to so-called “news fatigue” and a gradual understanding of the “new normal.” Interest peaked again in the week before this post was written.
See Figure 1 below:
Web traffic to clean/legitimate COVID or Coronavirus-themed URLs (3-month period)
Observation 2 – Malicious web traffic
The chart below shows a steady increase in the number of COVID or Coronavirus-themed URLs categorized by Forcepoint as malicious from 9 March to the present date, with two spikes. As explained in the Highlights above, cybercriminals have seen value in generating relevant-looking, albeit nefarious, domains to encourage people to click on links in emails or in search results.
See Figure 2 below:
Web traffic to malicious COVID or Coronavirus-themed URLs (3-month period)
Observation 3 – Newly registered domains
Employees browsed to COVID or Coronavirus-themed domains categorized as Newly Registered only a few hundred times per day throughout the three-month period. Such domains included so-called COVID trackers and newly registered news websites.
Spikes in browsing activity to such domains occurred at multiple times in March. One example of such a spike can be explained by interest in a legitimate Indian Covid-19 tracking site that correlated with an order prescribing lockdown in the country.
Note: In the figure below, we have not made a determination of whether the domain in question was malicious or legitimate.
See Figure 3 below:
Web traffic to websites categorized as Newly Registered Websites (3-month period)
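The Highlights describe the method behind these charts (search for “COVID” or “Corona” in URLs fetched over the web or embedded in email, then count per day and per disposition), and Observation 3 adds a check for newly registered domains. The Python script below is an added illustration of that method and is not Forcepoint’s code: it runs the keyword selector over a constructed tab-separated web-log sample and a constructed email body, aggregates counts per day and disposition, and flags requests to domains registered within the last 30 days. The log format, the disposition labels, the registration-date table (standing in for a WHOIS/RDAP lookup) and the 30-day age threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import date, datetime
from urllib.parse import urlparse

# Keywords the analysis searched for in URLs (matched case-insensitively here).
KEYWORDS = ("covid", "corona")

# Assumption: a domain counts as "newly registered" if it was registered within
# this many days of the request. The page does not state the threshold its
# Newly Registered category uses; 30 days is used here for illustration.
NEW_DOMAIN_MAX_AGE_DAYS = 30

# Crude URL extractor for email bodies (stops at whitespace, quotes and angle brackets).
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)

# Constructed sample web log, one request per line:
#   <ISO-8601 timestamp> <TAB> <disposition> <TAB> <URL>
SAMPLE_WEB_LOG = """\
2020-03-09T08:12:00\tclean\thttps://covid19-tracker.example/stats
2020-03-09T09:30:00\tmalicious\thttp://corona-relief-fund.example/login
2020-03-09T10:05:00\tclean\thttps://news.example/world/politics
2020-03-10T07:45:00\tclean\thttps://news.example/coronavirus-latest
2020-03-10T11:00:00\tmalicious\thttp://covid-19-update.example/doc.exe
2020-03-10T12:00:00\tmalicious\thttp://CORONA-RELIEF-FUND.example/verify
"""

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
SAMPLE_REGISTRATIONS = {
    "covid19-tracker.example": date(2020, 3, 1),
    "corona-relief-fund.example": date(2020, 3, 5),
    "covid-19-update.example": date(2020, 3, 8),
    "news.example": date(2010, 1, 1),
}

# Constructed email body with two themed links and one unrelated link.
SAMPLE_EMAIL = """\
Dear colleague, see the latest guidance at https://news.example/coronavirus-latest
and update your details at http://corona-relief-fund.example/login?id=123.
Unrelated: https://intranet.example/holiday-calendar
"""


def is_themed(url: str) -> bool:
    """True if the URL (host or path) contains one of the keywords, ignoring case."""
    lowered = url.lower()
    return any(k in lowered for k in KEYWORDS)


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_newly_registered(host: str, seen_on: date, registrations: dict,
                        max_age_days: int = NEW_DOMAIN_MAX_AGE_DAYS) -> bool:
    """True if the host was registered at most max_age_days before it was seen.
    Hosts with no known registration date are not flagged (conservative choice)."""
    registered = registrations.get(host)
    if registered is None:
        return False
    age = (seen_on - registered).days
    return 0 <= age <= max_age_days


def daily_counts(log_text: str, registrations: dict) -> dict:
    """Per-day counts of themed requests by disposition, plus how many of them
    went to newly registered domains. Keys are ISO dates, sorted ascending."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, disposition, url = line.split("\t", 2)
        if not is_themed(url):          # keyword selector, as in the analysis
            continue
        day = datetime.fromisoformat(ts).date().isoformat()
        counts[day][disposition] += 1
        if is_newly_registered(hostname(url), date.fromisoformat(day), registrations):
            counts[day]["newly_registered"] += 1
    return {day: dict(c) for day, c in sorted(counts.items())}


def themed_urls_in_email(body: str) -> list:
    """URLs embedded in an email body that carry one of the keywords,
    with trailing sentence punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body) if is_themed(u)]


if __name__ == "__main__":
    for day, c in daily_counts(SAMPLE_WEB_LOG, SAMPLE_REGISTRATIONS).items():
        print(day, c)
    print(themed_urls_in_email(SAMPLE_EMAIL))
```

The keyword match is only the selector: as the page’s own Observation 1 shows, most matching URLs are legitimate news and tracker sites, so the disposition must come from a separate categorization step, and a newly registered domain is not by itself a verdict. Domains absent from the registration table are deliberately not flagged, so coverage of the Newly Registered bucket is only as good as the registration-date source behind it.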
Emails were classified as “clean,” “virus” or “spam” by our Cloud Email Security solution. During peak volumes we identified 1.5 million COVID-related emails per day in total. This classification is the disposition our customers see in the product’s dashboard.
Observation 4 – legitimate email traffic
Employees at organizations around the globe have been sending and receiving legitimate emails containing COVID or Coronavirus-themed embedded URLs. Interest in such content began to rise noticeably in mid-March, reaching one million legitimate emails per day across our systems, and has remained phenomenally high since then.
See Figure 4 below:
Legitimate emails containing COVID or Coronavirus-themed embedded URLs.
Observation 5 – spam emails
Spam emails containing COVID or Coronavirus-themed embedded URLs during January and February 2020 were observed in the tens of thousands per day. Scammers ramped up activity in mid-March as they made adjustments to existing spambots. Over half a million scams per day were blocked by Forcepoint X-Labs from mid-March onwards. Notice the decline in such sends during the Easter and Passover period.
See Figure 5 below:
Spam emails that included COVID or Coronavirus-themed embedded URLs
Observation 6 – malicious email traffic
Traditionally, the number of malicious emails seen per day through Forcepoint Cloud Email Security solutions is orders of magnitude lower than the number of observed spam emails. The same holds for COVID and Coronavirus-themed malicious emails. Up until the week of 16 March the number of malicious emails containing embedded COVID and Coronavirus-themed URLs had not increased over the previous eight weeks. The week of 23 March saw the largest increase (358%) in such emails compared with the final working day of the previous week. The first week of April saw a significant decline, but the number of malicious emails has increased ever since.
See Figure 6 below:
3-month trend of malicious emails with COVID or Coronavirus keyword in embedded URLs
What other active mitigation methods are being deployed by Forcepoint X-Labs?
- Forcepoint X-Labs consumes third-party feeds covering new malware. We are applying our usual validation and ingestion processes to those feeds, which now show an uptick in COVID-specific malware.
- We subscribe to the COVID19 Cyber Threat Coalition feed, recently set up by the security industry to share threat telemetry across the community. Read more about that initiative here: https://www.cyberthreatcoalition.org/
- We are working closely with our customers to increase coverage and understand novel ways that malware authors are operating with COVID and Coronavirus-themed attacks.
- Forcepoint X-Labs operates a 24/7 team that monitors our detection and adds new detection rules as appropriate.
- Indicators and trends gained from one product are used to enhance protection across the range of Forcepoint products, including behavioral analytics.
Cybercriminals have adapted to exploit the public’s interest in COVID-19 and Coronavirus. This should not come as a surprise to defenders of global organizations as we see this modus operandi on a daily basis. The email and web attack vectors remain key components in a cybercriminal’s arsenal.
In response to global events we have also seen changes in the behavior of employees within organizations around the world as they respond to mandates set by government or their own employers.