[Covidimpacts-workshop] Some COVID-19 security stats

Kirsty P <Kirsty.p@ncsc.gov.uk> Thu, 12 November 2020 11:31 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/covidimpacts-workshop/ERVMAMFCOUf2eIyUHew_b3cijJM>

Stephen asked yesterday if malicious campaigns, scams/fraud overall increased, or if the numbers were the same but it was just a change in lure.

I think focusing on numbers alone won't describe the full shift in patterns that we saw, but I'll share some stats from our annual review now it's been published (https://www.ncsc.gov.uk/annual-review/2020/docs/ncsc_2020-annual-review_s.pdf - page 98) below.

It gives an indication of how much effort went to COVID campaigns, the shift in behaviours, and the relative takedown responses:
 - 166,710 phishing URLs discovered across all campaigns were successfully taken down. 42,576 URLs were associated with UK Government-themed phishing attacks. The UK-hosted global share of visible phishing attacks further reduced to 1.27% (from 2.1% last year).
 - Since March, the NCSC has taken down 15,354 campaigns which used coronavirus themes in the "lure". These were hosted globally.
  -- 8,800 were Advance Fee Fraud (419 scams)
  -- 1,156 were associated with fake shops selling bogus PPE, coronavirus products, test kits (and even vaccines)
  -- 251 phishing campaigns
  -- 2,984 mail servers distributing malware

Kirsty
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright ©