We Need a COVID Phishing Vaccine, Now.

Posted on by Dr. Salvatore Stolfo

Now that National Cybersecurity Awareness Month is upon us, it serves us all to recall history. Remember those Viagra spam emails? That era led to more sophisticated pharma spam scams, which led to, in some cases, the deaths of unsuspecting victims.


The world is waiting impatiently for a COVID vaccine or treatment that will return us to some new normalcy. The expectations for a pharma solution coupled with the upcoming flu and holiday season create a perfect storm for fraudsters and phishers to rev up into major action.


It is certain threat actors are also waiting impatiently to launch their campaigns to trick everyone into rushing for a COVID vaccine. We must all be suspicious of any email claiming to have the cure. Sadly, awareness and vigilance just won’t be enough.


A cursory search of domain registry data shows threat actors are already at work. One of the highly touted vaccine names has apparently been registered as a domain name, although the owner does not appear to be the pharma working on that vaccine. Is this domain squatting, or is it a pre-positioned phishing site? Time will tell the story of this rogue domain, but rest assured there are others just waiting to be launched.
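The registry search described above is something a brand-protection team can automate. The following is an added example, not code from the post or from Allure Security: it takes a constructed list of newly registered domains and flags those that resemble a protected brand, using three checks a practitioner would want (the brand on another TLD, the brand embedded in a longer label, and labels that match after collapsing common look-alike character sequences or lie within a small edit distance). The brand names, domain list, owned-domain set and confusable table are all placeholders I made up for the example; no real vaccine or pharma names are used.

```python
"""Flag newly registered domains that look like a protected brand.

Added example, not from the post. Every name, domain and table below is a
constructed placeholder, not real registry data or a real brand.
"""

# Constructed placeholders for brands a defender wants to protect.
PROTECTED_BRANDS = ["examplevax", "examplepharma"]

# Constructed: registrations the brand owner already controls (never flagged).
OWNED_DOMAINS = {"examplevax.com"}

# Constructed sample of "newly registered" domains, standing in for a registry feed.
NEW_REGISTRATIONS = [
    "examplevax.com",            # owned by the brand -> ignored
    "examplevax.co",             # same label, different TLD
    "examplevax-vaccine.net",    # brand embedded in a longer label
    "exarnplevax.com",           # "rn" imitating "m"
    "examp1evax.org",            # "1" imitating "l"
    "exanplevax.com",            # single-letter typo
    "weatherreport.io",          # unrelated, should not be flagged
    "examplepharma-cure.info",   # second brand embedded in label
    "pharmacy-news.org",         # generic word, should not be flagged
]

# Look-alike sequences and the letter they imitate (small constructed table;
# a production list would be much longer and include Unicode homoglyphs).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label: str) -> str:
    """Lower-case the label and collapse confusable sequences to the letter they imitate."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def registrable_label(domain: str) -> str:
    """Crude second-level label: the part before the last dot.

    Assumption: this ignores multi-part public suffixes such as co.uk; a real
    deployment would consult the public suffix list instead.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brands=PROTECTED_BRANDS, owned=OWNED_DOMAINS, max_distance=2):
    """Return a finding dict for a look-alike domain, or None if it looks benign."""
    if domain.lower() in owned:
        return None
    label = registrable_label(domain)
    norm = normalize(label)
    for brand in brands:
        target = normalize(brand)
        if norm == target:
            # Identical after normalisation: either the plain brand on a TLD the
            # owner did not register, or a confusable-character spoof.
            reason = "brand-on-other-tld" if label == brand.lower() else "confusable-characters"
            return {"domain": domain, "brand": brand, "reason": reason}
        if target in norm:
            return {"domain": domain, "brand": brand, "reason": "contains-brand"}
        dist = levenshtein(norm, target)
        if dist <= max_distance:
            return {"domain": domain, "brand": brand, "reason": f"edit-distance-{dist}"}
    return None


def find_lookalikes(domains, **kwargs):
    """Run classify() over a registration feed and keep only the hits."""
    return [hit for hit in (classify(d, **kwargs) for d in domains) if hit]


if __name__ == "__main__":
    for hit in find_lookalikes(NEW_REGISTRATIONS):
        print(f"{hit['domain']:28} {hit['brand']:14} {hit['reason']}")
```

The heuristics are deliberately conservative: a generic label such as pharmacy-news is not flagged, because a brand-protection queue fills up fast with false positives, and findings like these are a trigger for monitoring (does the site resolve, does it serve a lookalike page, does it collect credentials?) rather than proof of phishing on their own.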


How can I be so certain? Well, it is déjà vu all over again, in the famous words of Yogi Berra.


Vigilance and #BeCyberSmart are good, but they certainly are not enough. Businesses need to do their part. A number of security training companies sell products to train employee users to spot an “obvious” phishing email. Even so, past studies show training may reduce the risks but does not eliminate them. Additionally, there is scant technology provided to ordinary users—the rest of us—reading our home inbox.


Google aims to improve the situation by upgrading its Chrome 86 browser to display only the domain name in the address bar, so that the user’s attention goes to the part of the URL that reveals whether it is a possible scam or phishing site. This is a good attempt, but will it be enough? That depends on whether the user actually reads the URL.


We ran a study in my lab at Columbia University to evaluate just how well user training actually works. Thousands of users were randomly selected to receive simulated phishing emails. Those who were tricked were sent to a landing page that explained how to spot phishing links. Sadly, the results show that repeat offenders are consistently tricked to click, even after four rounds of testing.


In scale, we should expect ordinary users to be easily tricked, even if they are trained to be aware of phishing emails. National Cybersecurity Awareness Month may help to raise awareness, but it just won’t stop the flood of successful phishing and scam campaigns.


I hope I am wrong.


When phishing sites are detected, the typical response is to file takedown requests with the appropriate hosting site. All too often takedown requests are ignored or are processed far later than is needed. Recent research shows it takes, on average, 12 hours for a phisher to succeed in netting victims. Takedown takes far longer.


A safer bet is for businesses to deploy technologies that do the job for the user. Technical solutions are not only feasible; they are available. Early detection of phishing sites beyond domain monitoring, which is only 28% effective, and active defense such as decoy data stuffing can significantly reduce the threats. When scam and phishing websites are detected, instantaneous replies with bogus information can substantially thwart the campaigns while defenders impatiently wait for their takedown requests to be honored. The phishers and scammers now succeed with little cost. A major effort to actively defend against the impending onslaught of scams may have far more lasting effects to turn them away.


Indeed, pharmas and all other major brands should be planning now to upgrade the security of their web presence to reduce the risks to their customers and to ordinary users who—in the rush for a vaccine—will go to a bogus lookalike website.


Depending on user vigilance alone is perhaps misplaced hope. The major pharmas should be vigilant to protect us all from the phishers and scammers who will misuse their brands.

Dr. Salvatore Stolfo

CTO, Allure Security Technology, Inc.
