2020 roundup: How hackers exploited the COVID-19 pandemic

January

In January, long before the world grasped the enormity of the crisis, the first malicious coronavirus emails appeared in Japan and other east Asian countries. They claimed that COVID-19 had been discovered in certain Japanese prefectures and contained an attached Microsoft Word document with the Emotet trojan.

As the virus spread across the world, so did the scams.

February

Coronavirus-related domain name registrations surged. One of the first malicious domains to appear was vaccinecovid-19.com, which sold a fake coronavirus test for $300.

Already, the first months of 2020 had established two worrying facts:

1. Covid anxiety created millions of potential targets for email scams.
2. The desire to jump ahead in the testing line (and later on the vaccination waiting list) could lead people to part with large sums of money online.

It was great news for hackers, and terrible news for everyone else.

March

By the end of March, the number of coronavirus-related scams had increased by 400% compared, compared with previous months. Hackers were selling fake masks, tests, sanitizers, and even vaccines. They often impersonated reputable government agencies like the World Health Organization, using phishing tactics and social engineering.

Meanwhile, Zoom — a video conferencing app — grew in popularity as millions of people started to work from home. However, it was soon discovered that Zoom might not be the most secure option for online gatherings. There were numerous reports of random strangers invading Zoom meetings, sharing pornography, harassing users, and spreading malware.

April

Throughout April, Zoom’s user base continued to grow, but so did the company’s problems:

• Zoombombing! Bad actors forcing their way into other people’s Zoom calls were now so common that the activity earned its own name: “Zoombombing”. The app raced to implement more preventative measures.
• New vulnerabilities. Cybersecurity experts exposed app vulnerabilities that would allow wrongdoers to gain access to the victim’s computer and even spy through their microphones and cameras.
• A great bargain…on the Dark Web. April was also the month when over 500,000 hacked Zoom accounts were discovered for sale on the Dark Web.

Hackers who took advantage of the Covid situation were now a fact of daily life. The FBI reported that, since the beginning of the pandemic, it started receiving 3000—4000 cybersecurity-related complaints daily, a major spike from the 1000 daily complaints it was used to before the pandemic.

May

May was a particularly bad month for health-related cyberattacks:

• Phishing on the Isle of Wight. While the UK government was testing its Covid contact tracing app on the Isle of Wight, hackers seized the opportunity to launch a flurry of phishing attacks. Islanders received fake contact tracing messages containing a link to a malicious website where they were prompted to reveal personal information.
• Hospitals held hostage. Since the beginning of the pandemic cyberattacks on hospitals have been surging. Hackers targeted multiple health facilities in May, hoping to capture sensitive data in ransomware attacks. Two UK companies involved in building emergency hospitals for COVID-19 patients also suffered data breaches.

By May, many people had lost their jobs in the lockdown. Compounding the problem, criminals were now applying for social benefits with stolen names and social security numbers. The US was hit the hardest, with government organizations receiving thousands of false complaints and losing millions of dollars.

June

Throughout 2020, large organizations struggled to maintain their digital security — and June was no exception. One key challenge was the massive shift to home-working that had taken place over the first four months of the pandemic. Companies, universities, and government agencies now raced to bring their remote security practices up to scratch before hackers could exploit new weaknesses.

For the health sector, June was another challenging month. By now, the internet was awash with fake contact tracing apps, designed to steal users’ sensitive information.

When Canada announced a new contact tracing app, a copycat soon followed. The bogus app was advertised on fake websites designed to look exactly like the Canadian government’s. If you were unlucky enough to download the hacker’s app, your device could then be locked and held for ransom.

The University of California, San Francisco, which had been involved in urgent COVID-19 research, admitted to paying hackers $1.14 million in ransom money.

July

A survey conducted by VMware has revealed that 89% of Americans have been targeted by COVID-19-related malware. However, government entities around the world were also popular targets for hackers and malware distributors.

The UK National Cyber Security Centre (NCSC) published a report stating that hackers working for Russian intelligence services targeted various organizations involved in COVID-19 vaccine development in the UK, US, and Canada.

August

You might think that internet users would have gotten better at identifying scams as the year went on. Well, according to several reports, that wasn’t the case. Two damning statistics stood out:

• A staggering 1 in 6 Australians were victims of online fraud during the lockdown. Since the people of Australia aren’t uniquely vulnerable to cyberattacks, that’s bad news for anyone with an internet connection.
• America’s coronavirus-related fraud losses exceeded $100 million — a number that is only going to rise going forward.

In August, the Federal Trade Commission urged people to be cautious, avoid unusual online transactions, and be wary of phishing scams. Social engineering attacks were on the rise, endangering both companies and private individuals.

September

In September, Spain’s National Intelligence Center alleged that Chinese hackers had stolen information related to the country’s coronavirus vaccine. While China denied these claims, cybersecurity experts warned that attacks on research institutions were happening regularly all around the world. China, Russia and Iran were believed to be the culprits, and may still be engaging in such activities today.

October

The FBI issued a warning about scams revolving around charities. Since many people were willing to donate money to fight the pandemic, scammers set up fake websites and sent emails asking for funds. Not only did this result in people losing money, but it diverted donations away from groups that actually needed them.

UK police forces and other organizations ran an October campaign to raise the awareness around romance frauds. These insidious scams usually involve four steps:

1. The attacker makes contact with a stranger through social media, or on a dating website.
2. Trust is established: the attacker builds a romantic connection with the victim.
3. Finally, the attacker claims to face a crisis (perhaps they’re stuck overseas because of a lockdown, unable to pay for a hotel or a new flight) and begs the victim for financial help.
4. Once the money is in the attacker’s bank account, they cut ties and vanish.

Predictably, many of these scammers started to use Covid-related travel restrictions and lockdowns as ploys to ask for assistance.

November

In the last months of 2020, cybercrime related to COVID-19 vaccines intensified. Hackers approached AstraZeneca employees on LinkedIn and WhatsApp, pretending to be recruiters and offering them job opportunities. However, their messages included malware, which would allow hackers to gain access to AstraZeneca computer systems.

Various criminal groups were also promoting fake coronavirus clinical trials that allegedly paid $1,000 for participation. When victims clicked the link, they downloaded malware, allowing hackers to steal usernames and passwords. This was just one more example of the malware plague that seemed to accompany the real-world pandemic.

In November, the UK’s National Cyber Security Centre reported that 1 in 4 cybersecurity incidents in 2020 were related to COVID-19. Employees working from home and academic institutions were among the most targeted groups.

December

December was yet another tough month for vaccine developers:

• Vaccine hacks (again): The European Medicines Agency (EMA) was hacked and documents about Pfizer’s and BioNTech’s coronavirus vaccines were accessed.
• Festive phishing: Throughout December, individuals across the world began receiving bogus messages encouraging them to register for the Covid jab or pay for a spot on a vaccination waiting list.
• Fake pharmacies: Hackers set up multiple bogus vaccine websites and online pharmacies, adding credibility to their phishing emails and making it ever harder to tell fact from fiction.

New Year, new scam

2020 may be over, but as the world waits for the vaccines to take effect, new threats are emerging. The more people fixate on when and how they can get the vaccine, the more likely they are to walk into a hacker’s trap. And according to research by NordVPN, the number of potential cybercrime victims is rising.

A NordVPN report found that, since the beginning of the vaccination roll-out, search queries related to COVID-19 vaccine sellers have spiked. Many individuals are attempting to get early access to jab — and are willing to pay for it. In the UK alone, our data reveals that:

• Online usage of the phrase “buy covid vaccine” rose by 136% from December to January.
• Searches for “covid vaccine online” also rose by 97% throughout January.
• Some areas are more at-risk than others, with Wales producing approximately twice as many “covid vaccine online” searches as the rest of the UK.

Some of the people searching for these terms will almost certainly end up on fake websites and fall victim to hackers. As our report suggests, the dangers of vaccine scams have never been higher.

Changing our digital habits

The pandemic has changed the way we work and how we organize our daily routines. As employees moved from offices to their homes, they developed new digital habits. Research by the Nord Security team has shown that we’re spending more time online than ever, but we are also more aware of cybersecurity risks:

• We work 2.5 hours longer every day than before the COVID-19 pandemic.
• 62% of employees used personal computers for remote work in 2020.
• Americans spent a staggering 95% of their waking hours on devices during the pandemic. For Germans, that number was 81%, suggesting that the spike in device usage was present on both sides of the Atlantic.
• The average internet user now has 100 passwords, a rise of 25% from pre-pandemic numbers.
• People turned to online security and encrypted 19.5 times more data.

Scientists say that it takes more than 2 months to form a new habit. Since we’ve been living in the new pandemic reality for a year now, these habits will definitely stay with us for a while.

Lessons we learned in 2020

Criminals have always exploited disaster and social unrest, but the pandemic created an unusually prolonged period of instability. If 2020 has taught us anything, it’s that cybercriminals will never miss an opportunity to hijack a crisis.

2021 will definitely be another disastrous year for online privacy and security. Corporations, government bodies, and individual citizens are all at risk.

Luckily, more and more people now understand the power of antivirus software, firewalls, VPNs, strong passwords, two-factor authentication, and common sense. Cyber threats aren’t going anywhere; we need to learn how to live in this hostile environment and secure our digital lives.