An End-to-End Analysis of Covid-Themed Scams in the Wild

Behzad Ousat, M. Tofighi, Amin Kharraz
Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security. Published 2023-07-10. DOI: 10.1145/3579856.3582831 (https://doi.org/10.1145/3579856.3582831)

Abstract

Covid19-themed attacks took the Internet by surprise in March 2020. Adversaries updated their attack strategies rapidly and started to exploit users’ attention to this unprecedented event and distribute their malicious payloads. In this work, we perform a retrospective analysis of adversarial operations over the first four months from February 15th, 2020 to June 16th, 2020. By combining a variety of measurement perspectives, we perform a three-step analysis, by (1) analyzing the composition, growth, and reachability of Covid19-themed attack pages, (2) identifying the modus operandi of attackers, and (3) assessing the actual impact on end-users. Our measurements serve as a lens into the fragile parts of the Web ecosystem during a previously unseen attack. We argue that precipitous growth of Covid19-themed attacks in just a few weeks represents adversaries’ technical and operational agility in adapting their attack strategies and also demonstrates how novice attack techniques can bypass common defense mechanisms and expose unsuspecting users to different forms of attacks. Drawing upon these analyses, we discuss what went poorly, in an effort to understand how the technical community can respond more effectively to such events in the future.