The other dark side of a virus

Header afbeelding

These days the novel Corona virus or COVID-19 has an immense  impact on our lives. In this blog we go back and follow the evolution from the beginning till today, linking the spread of the virus to the global increase of cyber threats.  

The beginning

Tuesday December 31st 2019, the World Health Organization China Country office was informed of several cases of pneumonia of unknown cause. The detections came out of Wuhan City, Hubei province of China.

Between that day and January 3rd, a total of 44 cases were reported by China to the WHO.

On January 20th a first report was released, showing 282 confirmed cases of 2019-nCoV or COVID-19, the name that was going to be associated with the new Coronavirus.

The affected countries were China (278 cases), Thailand (2 cases), Japan (1 case) and the Republic of

Korea (1 case). All the new cases outside of China had a Wuhan City origin.

From all the patients, 51 were severely ill*, 12 were in a critical condition and 6 died.

This all happened a bit more than 2 months ago…


When we look at the numbers of March 24th 2020; it becomes clear that what started small, is taking over our daily lives on a global level. Almost every country, region or sovereignty is taking more drastic measures to protect their population from this dangerous threat.

The numbers do not lie. 169 countries/regions have a total of 409 014 confirmed cases,
18 557 deaths and 107 806 recoveries.

Today, this pandemenic impacts every aspect of our daily life. Luckily in times of need, we find inventive ways to help each other out.

Unfortunately not everyone feels like this and some will try to abuse this situation to gain an advantage over others or simply cash in.

Never were people more online, for news gathering or because companies shift as much as possible to remote work. This offers malicious hackers various opportunities for exploitation.


Coronavirus COVID19 Global Cases by Johns Hopkins CSSE

Corona has an impact in many ways, also on ICT and cyber security.
We looked at all the newly registered or seen domains inspired by the new Coronavirus or COVID-19 that scored 70 or higher on a scale from 0 to 100, based on their risk of being suspicious or malicious.

The month of January shows that the amount of registrations ramped up towards the end of the month. January 20th is when the first uptick in cases was mentioned in the first WHO report related to the virus. You can see that from there on, interest in trying to misuse the situation is starting to show.

January’s average was less than 100+ registrations a day, but February was about to change that.

The spike in the first half of the month is again in line with a real world event. In China, a change in classification of the confirmed cases happened and the new classification added all previous clinical observations on top of the laboratory tests. This resulted in a very big one day increase triggering worldwide media attention. Towards the end of the month, new cases of the COVID-19 epidemic in the EU are going up and of course, new domain registrations follow that pattern.

On March 11th the new registrations jump even higher. The reason? The World Health Organization declared the novel Coronavirus a pandemic. March is still ongoing, but the daily registrations of domains keep increasing. In the meantime Europe is ramping up new cases with Italy, Spain and Germany being the unfortunate leaders of the pack. Belgium is also in the graph for reference.


Another kind of threat

In times like this, we want to get as much information as possible and malicious actors know this too.

COVID-19 related phishing campaigns are trying to let you click on whatever attachment or link while disguising the e-mail in a form that makes you believe it’s coming from a trusted or believable source.

E-mail is not the only way malicious people  deceive their target. All social media can and will be used to accomplish their deception.

In the past, the language barrier used to be a visible red flag. Today, this is rarely the case. Schemes become more effective through the use of bought multi-language support. Native speakers and/or writers will try to make sure that the days of bad grammar and spelling are mostly gone. Making it harder and sometimes almost impossible to recognize phishing. Be aware of this and always check the sender of the e-mail, whether you know this person and if their e-mail address is spelled correctly. Be careful with attachments as well as links. They could be malicious and therefore conceal their true nature.

To prevent, slow down or contain the further spread of COVID-19, countries and regions are setting up new quarantine and lockdown measures, literally putting a lot more potential targets behind a screen at home.

At some point, questions about their job, career, getting payed or fired might come up. These people, trying to deal with the challenges they face, are eagerly (mis)used.

As the days and weeks go by, people will possibly start to worry about their nest egg. Are banks going to survive all this? Will my insurance cover any damages or loss? And what about my loan on the house? Again, people with bad intentions will take advantage of their uncertainty.

As said before, the 11th of March is when the WHO declared COVID-19 a pandemic. As a result, people will be more tempted to look for a map or dashboard with information about their country or region to follow the spread. Domains registered to trick people in using non-official look-a-likes based on the ones from the World Health Organization or the Johns Hopkins University can be found in the graph below.

In a race against the clock, a big amount of stress is on the medical staff and supporting services, as well as police, government and so on. This means that social engineering attacks, with the help of a landline or mobile device, are increasing too and the chances of success are high.

As the information about the pandemic starts to spread, a worldwide shortage of protective masks is pushing some of us to look for them at whatever cost; again creating opportunity for bad actors to register malicious domains and make money off other people’s insecurity

The business as usual is also at risk as they are often unprepared for this kind of situation. This can go from VPN access being non-existent, patches or upgrades postponed, monitoring of critical assets that is non-essential anymore because priorities shifted and so on.

If you have a malicious intent then you can use the numbers of daily new cases and combine them with a bit of localized news gathering. This way people with malicious intents can predict which new countries or regions will be the best ‘next target’ for maximizing their profit.

So please, raise the overall awareness of everyone around you and be prepared for some potentially unwanted attention, engineered to take advantage of this situation.

Remember, it’s not only this novel Coronavirus that we should shun, but also digital viruses and bad actors who - without precautions - might become uninvited guests in many households or organizations.

If you have any questions about DNS security or if we can help you improve it, feel free to contact us at [email protected]


* The WHO classifies severe illness according to any of the following criteria: dyspnea; respiratory rate more than 30 bpm; hypoxemia; chest X-ray with multi-lobar infiltrates or pulmonary infiltration progressed more than 50% within 24 - 48 hours.

The WHO classifies a critical condition according to any of the following criteria: respiratory failure; septic shock; other organ failure which requires Intensive Care Unit (ICU) admission.

Time to talk?


Do you want to know how your security and network are doing?

With an in-depth audit we map out your security challenges and your entire network.