By Dylan Duncan

2020 was far from ordinary.

And at the end, we learned one thing for sure: threat actors’ abilities to quickly adjust their methods to world events are pretty uncanny. Like the rest of us, they must be news junkies, too.

Every year, we see threat actors improve their methods and adapt to world events, bringing new trends to the phishing threat landscape. Last year, the COVID-19 pandemic in particular brought an unprecedented amount of disruption and financial hardship, directly leading to an increase in both volume and variety of threat activity. Threat actors continued to advance their tactics, techniques and procedures to ensure their emails would reach end users throughout the year.

Here are a few things we learned from the longest March to December in history:
 

  • COVID-19 was certainly the source of the most disruption in 2020. During the peak of pandemic-themed campaigns, phishing emails predominantly delivered credential phishing and Agent Tesla keylogger, but threat actors also delivered ransomware, keyloggers, remote access trojans and information stealers. 
  • Remote work became the new standard for an unprecedented number of employees as the pandemic led to lockdown protocols and workplace restrictions. The technologies associated with remote work led to new opportunities for threat actors, such as spoofing video chat applications and collaboration platforms.  
  • The Agent Tesla keylogger has been a prolific malware family since its release in 2014. This year it was the highest-volume keylogger and one of the top malware families overall observed by Cofense Intelligence. Agent Tesla has a competitive price tag compared to other malware and provides threat actors with complex features while maintaining an easy-to-use user experience.  
  • Since 2014, the Emotet botnet has been one of the top contributors to the phishing threat landscape. The more notable changes that surfaced this year allow it to steal email attachments from victims’ inboxes, which are then used in phishing campaigns against targets who would find the attachments familiar.
  • Ransomware was very active throughout the year, with a high number of new families and developments compared to other malware types. During October, United States authorities warned about campaigns targeting the health care industry. The campaigns delivered BazarBackdoor, which threat actors could use later to deploy Ryuk ransomware to intended targets.  

Phishing emails weaponizing the COVID-19 pandemic, remote work environment and presidential election were more effective than generic phishing templates. As the pandemic continues into the coming year, we expect that some related themes will continue, and we stand at the ready (as does our network of 25 million around the world identifying and reporting phish) for newly emerging themes and trends.
