Sophos sees spike in COVID-19, coronavirus email, phishing scams

SophosLabs saw a significant spike in the use of “COVID-19” and “coronavirus” in domain names, spam, phishing attacks, and malware with criminals exploiting the pandemic that is gripping the world.

In the blog titled “Facing down the myriad threats tied to COVID-19,” security researchers saw how cybercriminals are impersonating the most crucial organizations in these uncertain times including World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), North America, and the United Nations (UN).

Sophos saw that “over 65% of new domains were programmatically registered for free through Let’s Encrypt, and another 5% used Cloudflare as a Certificate Authority.” Before the pandemic, “corona” registrations usually referred to locality, service or legitimate brand name.

Have you read “Mapua partners with Sophos in offering cybersecurity courses“?

“Cybercriminals are wasting no time in shifting their dirty, tried, and true attack campaigns toward advantageous lures that prey on mounting virus fears. It’s easy to see, for example, that the attackers behind a new Chloroquine scam (attached) are the same as those behind a recent herbal Viagra scam,” said Chester Wisniewski, principal research scientist, Sophos.


Sophos has been tracking activities like this since the news of the coronavirus came out. By January 2020, spam and phishing emails with references to the virus began surfacing. People are hungry for any new information and security researchers found that criminals take advantage of this by sending spam emails attaching an installer for Trickbot malware.

“By early March, COVID-19 and Coronavirus already represented a significant percentage of the spam traffic we measured,” Sophos said in the blog post.

Among the spam and phishing emails Sophos tracked include a sextortion scheme threatening to infect the target’s family with COVID-19 if they didn’t pay and a scam purporting to be a fundraising plea from the World Health Organization, asking for donations in Bitcoin to fund COVID-19 research.

“With global spam volumes estimated to be in the hundreds of billions, for 2-3% of those to be COVID-19 themed is significant. Similar to A/B testing of advertisements and web pages, criminals often dip a toe in the water when there is a new or sensational topic in the news. If the new topic proves a more effective lure than the previous scam bait they begin switching to new lures.


Sophos found one of the spam campaigns they tracked “use fake shipping and delivery emails to convince unsuspecting victims into opening attachments and infecting their computers with the Kryptik Trojan. The main body of the email pretends to come from with ‘health advice’ in the attachment, but when we carefully inspect the plain text body, we see it matches a previous spam campaign from this same criminal using a lure pretending to be about invoices and deliveries.”

The cybersecurity company also identified multiple malware families and ransomware with potentially unwanted applications.

Since most communications are now coursed through emails and messaging apps, the public is advised to carefully scrutinize the email addresses, the attachments, and the links included in the emails or messages. When in doubt, discard the email or message.

Categories: Uncategorized

Tagged as: , , , ,