A security firm is claiming to have seen a staggering 30,000% increase since January in detected phishing, malicious websites and malware designed to capitalize on the COVID-19 crisis.
Zscaler VP of security research, Deepen Desai, revealed in a blog post that the firm’s cloud security platform had stopped 380,000 attacks targeting home workers in March, up from just 1200 at the start of the year.
This included the registration of 130,000 new suspicious domains featuring COVID-related keywords such as “test,” “mask,” “Wuhan” and “kit.”
The firm recorded a 25% increase in the number of malicious files and websites it blocked and an 85% increase in phishing attacks targeting remote workers over the three-month period.
These included spear-phishing attempts spoofed to appear as if sent by the IT or payroll department, and some that even used a CAPTCHA screen to try and fool security filters.
Others targeted consumers with government-themed phishing attempts designed to trick those looking to secure stimulus funds.
Fake VPN software, COVID-themed mobile malware and even Nigerian 419 scams were also spotted by the Zscaler team, Desai said.
The security vendor has detected Magecart attacks targeting healthcare, pharmacy and grocery sites, the latter often hastily designed to support a surge in online orders, but without adequate protection.
Desai urged remote working employees and IT teams not to open links or attachments in unsolicited mail, to enable two-factor authentication, patch regularly and only stick to reputable sources for COVID-19 information.
“Each user in every organization must develop a heightened state of awareness, as cyber-criminals will continue to use the current global crisis as an opportunity to target and compromise end-user systems,” he concluded.
“If users are unsure about something they see online or receive in their inbox or SMS, they should be instructed to reach out to IT security teams for help.”
Despite the large increase in threats using COVID-19 themes, overall cybercrime has not increased, according to the UK’s National Cyber Security Centre (NCSC) and tech giants Microsoft and Google.