This article is more than 1 year old

Scammers tried slurping folks' login details through 70,000 coronavirus-themed phishing URLs during 2020

Palo Alto Networks lays bare a year of dastardly digital doings

Cybercriminals ruthlessly exploited the coronavirus pandemic to set up phishing websites that posed as Pfizer, BioNTech and other household-name suppliers of vaccines and PPE, according to Palo Alto Networks.

In a post published today, Palo Alto's Unit 42 threat intel division said COVID-themed phishing lure URLs "largely centered around Personal Protective Equipment (PPE) and testing kits in March 2020, government stimulus programs from April through the summer 2020 (including a fake US Trading Commission website that posed as the US Federal Trade Commission in order to steal user credentials) and vaccines from late fall 2020 onward."

It added that it had seen 69,950 phishing URLs between January 2020 and January 2021 which focused on "COVID-related topics". Government support schemes were a big theme in Q1 2020, peaking in May and tailing off as hospital-themed bait grew in popularity.

Unit 42's researchers found the latter included "a fake Pfizer and BioNTech website also stealing user credentials." This broadly matched findings from a year ago published by British police's National Fraud Intelligence Bureau.

teddy with police hat and mask

Online face mask sales scams, 400% uptick of coronavirus phishing reports: Brit cops' workload shifts online along with the nation's


Unit 42 reckoned Microsoft was the most impersonated brand targeted by phishing criminals, with Redmond-themed pages being set up to steal credentials from employees of US grocery firm Walgreens, Canadian drug manufacturer Pharmascience, India's Glenmark Pharmaceuticals and more – including a Chinese pharma firm.

Microsoft didn't take that lying down; in July it filed a US lawsuit aimed at letting it seize control of phishing domains.

Most of these lures, said the firm, were attempting to steal users' "business credentials", saying: "These business-related phishing attempts have become an increasingly important attack vector for cybercriminals."

A phishing site set-up later in 2020 posed as a corporate presence for BioNTech and Pfizer, the vaccine makers, asking users to log in with Office 365 credentials in order to register for vaccination.

Image by Reddavebatcave

European Commission redacts AstraZeneca vaccine contract – but forgets to wipe the bookmarks tab


"We predict that as the vaccine rollout continues, phishing attacks related to vaccine distribution – including attacks targeting the healthcare and life sciences industries – will continue to rise worldwide," said Unit 42's blog post.

The company also said it had seen a 189 per cent increase in cyberattacks against pharmacies and hospitals, with many of those being part of larger phishing campaigns. These were scattergun attempts to harvest login creds, said Unit 42, asserting they were mostly done "in the hopes that at least one of the employees will mistakenly input his or her credentials into the fake login page."

Last year email security firm Mimecast warned of a COVID-themed flight refund scam doing the rounds, while GitLab redteamed the problem, testing its own workforce's susceptibility to phishing. The latter was concerning; around a fifth of the tech firm's own staff fell for it. ®

More about


Send us news

Other stories you might like