Heimdall News: Corona, Phishing Mails and Domain Abuse

The coronavirus is still an integral part of our everyday life. Contrary to the hopes of many people the threat situation will be existent after 2020. Financial hardship as well as restrictions on our everyday life, from the obligation to wear masks to the ban on accomodation to the death of cultural life will also shape the year 2021.

Emotional people are faster at clicking dangerous phishing links

This is accompanied by a noticeable dissatisfaction in the population, which sometimes causes annoyed shrugs, sometimes a literally unhealthy tendency to adopt conspiracy theories. To a certain degree this is understandable, because with the amount of information circulating, the uncertainty is great. Unfortunately there is also a lot of false information circulating, so it is not surprising that cyber criminals also try to take advantage of the tense and emotionalised situation and get potential victims to click rashly.

With the help of the Heimdall service, the NoSpamProxy experts have been collecting metadata of the email traffic of participating NoSpamProxy customers for over a year. The Heimdall service already offers all NoSpamProxy beta participants proactive protection against phishing emails. Although the collected data consists only of essential metadata, it can be used to derive interesting insights into the threat situation and the methods used by cybercriminals to exploit the coronavirus situation for their own purposes.

Phishing links as attack vector

Phishing links are among the most important attack vectors for cybercriminals. In order to increase the probability of these malicious links being clicked, attackers like to rely on current trends when choosing the domains they use. Currently, the thematic field of Covid-19 is extremely popular here. A frequently used strategy here is to register domains that contain corona-related terms.

An investigation of the Heimdall data regarding domains from the Covid-19 complex of topics provides interesting results. Let us first look at all domains reported to Heimdall that contain at least one of the four words corona, mask(s), virus, or covid. The following figure shows the sightings of domains with these keywords over time.

blank

What is striking is that in the period of the “first wave” (March/April) a strongly increased occurrence was noticeable. This is true for all keywords, although the topic mask(s) was the most popular. Here, especially in the early phase, when the availability of masks was limited, fraudulent online stores were advertised.

Over the summer, similar to the infection numbers, the sighting figures stabilised at a low level. However, in contrast to the infection numbers, there was no renewed increase in the October weeks. It is important to stress here that not all sightings can be traced back to malicious domains, as many legitimate websites – such as information services – were also created during the period under review.

Heimdall identifies newly created domains

In addition to the number of sightings of certain domains, it is particularly interesting to see how many completely new domains Heimdall currently recognises. Since Heimdall evaluates the information of now 250,000 users, one can assume that a majority of the domains newly sighted by Heimdall have only just been created, so-called zero-hour domains.

As mentioned above, the Covid 19 pandemic also led to some new registrations of legitimate domains. The following figure shows three examples:

blank

With increasing awareness of the topic Corona by the public in March and April 2020, the number of sightings of “zusammengegencorona.de”, the offer of the Federal Ministry of Health in Germany, is also increasing. The subsequent flattening and constant, but low sighting rate corresponds to the typical pattern of a legitimate domain, as does the fact that “zusammengegencorona.de” is currently being increasingly sighted again in correlation with rising infection numbers in Germany (as of November 2020).

The same can be said for “coronawarn.app”, whose sightings suddenly increase in parallel with the publication of the corresponding app, then flatten out and settle at a low level. The current increase can probably also be explained by the renewed rise in the number of infections in Germany.

In summary, it can be said that (legitimate) information offers are emerging, whose links are regularly distributed over days and weeks after an initially strong increase. Most of these links also have reputable top-level domains (TLDs) such as .de, .ch or, with some exceptions, .com.

Unusual top-level domains as a characteristic of phishing mails

If we take a look at the domains classified by Heimdall as suspicious to malicious in the early stages of the pandemic, the picture is quite different:

blank

Most domains make use of rather unusual TLDs, whereby the TLD “.com” plays a special role in this picture: It does not allow a strong statement about the legitimacy of a domain, as it is not unusual for both serious and malicious websites.

In general, it can be seen that malicious domains are usually distributed in short waves. This makes it very difficult to protect against this type of phishing attack, for example. The strength of Heimdall is to quickly detect such attacks and to intervene immediately.

Cyber criminals bait Corona conspiracy theorists

We have already mentioned above that cyber criminals target their attacks on emotionalised people. The next figure shows the number of sightings of domains containing the term “mask” or “mask”.

blank

Especially the domains “maskhurt.cyou” and “mundnasemasken.net” are striking. The former is obviously intended to establish a connection to the assumed health hazards of a mouth and nose protection. The other sighted domains also take up the topic and are a way for attackers to exploit the fears of potential victims.

A look at the two previous charts also shows that the thematic focus and thus the “target group” of the attacks has changed in the course of the pandemic: While in the early phase of the pandemic, there was a tendency to try to make money through fake stores, the current situation is more conspiracy-theoretical domains in the context of “masks”.

Heimdall offers proactive protection against phishing and malware

The swarm intelligence, which as the basis of Heimdall evaluates the metadata of thousands of users, is constantly growing. Cyber attacks are thus being detected faster and more unerringly. An example of this is the following pattern, which contains the term “vaccination” in different variations as part of the domain.

nTotalnMalware
corona-impfstoff.shop4.00.0
corona-impfstoff.store4.00.0
corona-impfung.eu8.00.0
corona-impfung.shop5.00.0
corona-impfung.store5.00.0

In all the cases shown, a fast and proactive approach was able to protect against malware and fend off malicious emails.

Email attachments also spread malware

A second attack vector besides links contained in emails are attachments. Here, too, Heimdall collects corresponding metadata, such as the type of email attachments or the name of the corresponding attachment. Of course, the keyword “Corona” has also been a frequent occurrence here in recent weeks. The good news is that most of this communication is trustworthy. However, the security experts at NoSpamProxy have also recorded over a hundred cases in which attempts have been made to exploit the current situation to distribute malware. Here are a few examples:

  • Use of outdated archive formats. The archive formats can still be opened using 7zip, for example, but often slip through “usual” security checks. In this case, for example, several attachments named “solution_to_coronavirus.ace” were sighted containing malware.
  • Camouflage of executable file formats as PDF. This is achieved by using the .pdf extension within the file name. For example, Heimdall was able to view an attachment named “corona_treatment,pdf.iso” over fifty times, which uses exactly this trick.

Here is an example of an email whose attachment contains a _pdf as part of the file name, although it is actually a rar archive:

blank

Conclusion

The examples shown reveal the usual attempts by cyber criminals to exploit the uncertainty of potential victims and to base their actions on current social trends and issues. There are always quick clickers, but a pandemic and the fears and worries in the population associated with it cause many to act thoughtlessly and fall for fraudulent links.

The Heimdall service provides fast and proactive protection by detecting dangerous and fraudulent links and their underlying patterns and protecting you and your business from malware, ransomware and spam.

Use Heimdall now

The Heimdall action in NoSpamProxy collects and analyses metadata about emails and attachments. The goal: to build an even more powerful anti-malware intelligence that can detect and fend off attacks by spam and malware even faster and more purposefully. If you are interested in using the beta version of Heimdall, send an email with the subject “Heimdall activation” to NoSpamProxy support and attach a screenshot of your license details.