Cybercriminals are opportunistic and nimble. They can re-skin existing cyberthreats extremely quickly. They’ll pick whatever is in the news and camouflage their scams under that hot topic. How are cybercriminals exploiting COVID-19? With the same old scams in a new set of clothes.
How Cybercriminals Are Exploiting COVID-19
Cybercriminals love major news stories. Any subject that is going to be at the top of the search rankings, or that people may expect to receive emails about, is a perfect cover story for their cyber attacks. They quickly change the livery of their existing threats and send them out once again.
They’ve even been known to piggy-back on other cyber incidents. When Facebook suffered an enormous data breach, cybercriminals conducted an email phishing campaign telling people they had been affected by the data breach. The recipients were instructed to follow the link in the email, log in, and obtain further guidance. Of course, the link took them to a fraudulent website that stole their authentication credentials and infected them with malware.
It should come as no surprise then, that cybercriminals worldwide are exploiting the COVID-19 pandemic via emails, mobile apps, and fraudulent websites. Here are the types of threats you need to be aware of.
Phishing Campaigns
Phishing campaigns are very easy to revamp and reuse. A new set of images and branding, some rewording, and it’s ready to go. For those who don’t want to do it themselves, COVID-19 themed phishing kits are available on the Dark Web for as little as US $200. A typical COVID-19 phishing email carries a malicious attachment claiming to be a geographical heat-map of infections.
Other emails have attachments purportedly containing official advice regarding the pandemic and the lockdown, or advice regarding financial support for furloughed staff. Yet more emails have offered face masks, hand sanitizer, COVID-19 test kits, and even vaccines for sale. They may appear to be sent by local, regional, or national government bodies, or from organizations like the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC).
Apart from the window-dressing changes, these are standard phishing campaigns, the victims will face threats such as ransomware attacks, theft of credentials and credit card details, or infection from key-loggers.
COVID-19 phishing campaigns sending 200,000 emails at a time have been detected by security software houses, with the frequency of attack increasing from one a day to three or four a day, and rising. The most common types of infected attachments are fake compressed files with extensions like RAR and ZIP, but fake document files such as PDF and DOCX have been detected too.
COVID-19 related phishing campaigns will continue after the pandemic ends. Because of the number and scale of the events that have been canceled—including the Tokyo 2020 Olympics—it is a certainty future phishing campaigns offering ticket refunds or rebooking advice will surface.
Malicious Apps
Apple has placed restrictions on apps that allegedly offer information or assistance with COVID-19, and Google has purged some COVID-19 apps from its Play store. However, malicious apps are available from other websites and unofficial app markets.
One of the most prevalent apps promises to provide infection tracking for your locality, with heat-maps and other dashboard statistics. In actual fact, it is ransomware targeting Android phones. It demands $100 in Bitcoin and threatens to wipe your phone if the ransom is not paid within 48 hours.
It has been reported that the domains associated with this ransomware app were previously used to distribute a porn-related malware app for Android phones, indicating that it is the same organization behind this attack, using the same ransomware app, with a COVID-19 facelift.
Other ruses try to convince people to download and run an application on their laptops or desktop computers, which will aid in the analysis of the virus and the development of a vaccine. There is a bone fide precedent here, with applications like Berkeley University’s SETI@Home project designed to run on as many computers as possible, all working collaboratively. Unfortunately, the COVID-19 application installs information-stealing malware.
Bad Domains and Fake Websites
Numerous websites are springing up to help deal with the pandemic and provide information to the populace. Inevitably, many are fakes. Researchers have found over 86,000 risky or malicious domains related to COVID-19 were registered in March and April 2020 alone.
The United Kingdom’s National Cybersecurity Centre (NCSC) has highlighted fake sites with domain names very similar to genuine domain names masquerading as the US’ Centers for Disease Control (CDC). The sites ask for cryptocurrency donations to help fund research for a fictitious vaccine.
Websites offering insider information on COVID-19 infections are spreading the AZORult malware. This malware will steal authentication credentials, credit card details, and Monero and uCoin cryptocurrency wallets. It may also install other malware packages onto the compromised computer.
Home Working
The lockdown saw a massive swing to homeworking. For staff without a company laptop this probably means they have to use the family’s home computer. This is almost certainly going to be less secure than your office computers. It might not be patched up to date. Because they are unregulated machines they can have any software at all installed on them. They may or may not have anti-virus and anti-malware end-point protection installed.
Many businesses do not have the infrastructure in place for wholesale remote working. As a result, a lot of company material has been transported to the homes of the workforce, has been copied to their home computers, and is being worked on locally. As well as being less secure, it will not be centrally managed, and will not be backed up in the same way as if it were stored on a company server.
Another side-effect of the lockdown was the rapid surge in video-conferencing. Businesses needed solutions and they needed them fast. Due diligence was side-stepped in many cases, and an “as long as we can get people working” attitude took over. Cybercriminals take delight in situations where critical technical decisions are made in a rush. They can exploit the chaos of hastily made policies.
Zoom’s meteoric rise in popularity ultimately drove the company to freeze product development and to focus on security issues. Interest in zero-day exploits relating to Zoom and other collaboration apps is described as “sky high” with attackers.
Staff who had no prior experience found themselves dropped in at the deep-end with video-conferencing. Typically, the hosts of video-conferences know the bare minimum required to get through the call.
Over 500,000 Zoom account credentials have been sold on the Dark Web, often for a penny each. The account details can be used in credential stuffing attacks with the possibility of attackers joining calls. Without appropriate consideration and control applied to who can access and enter video-conferences, people can gate-crash meetings, known as “Zoom-bombing“. The larger the video-conference call, the easier it is to connect and lurk unnoticed.
One British newspaper leaked a story about pay cuts at a competitor after they were accidentally given access to a video-conference call.
Targeting Critical Functions
The more vital an organization is in a time of crisis, the less you can afford to have it offline. So there is more likelihood of a ransom being paid if that is the fastest way to restore the critical services. The staff in these facilities are likely to be working under uncommon pressures and stresses. This makes them susceptible to mistakes and cutting corners leading to weakened defenses.
Cybercriminals are well aware of this, as demonstrated by attacks against the Illinois Public Health website (ransomware), and the Department of Health and Human Services (distributed denial of service attacks). Other healthcare and research facilities have been targeted.
Some of the attacks are not financially-motivated. Ominously, certain attacks have been attributed to state-sponsored hacking groups known as Advanced Persistent Threats (APTs). In particular, recognized APTs operating out of China and Russia have been named as the threat actors behind some of these attacks.
The UK’s National Cybersecurity Centre (NCSC) and the United States’ Cybersecurity and Infrastructure Security Agency (CISA) have released guidance regarding APT attacks on healthcare bodies, pharmaceutical companies, local government, and research facilities in universities and medical establishments.
Protect Yourself During the Pandemic
Standard best-practices will keep you, your staff, and your corporate network safe.
- Advise home workers to update their operating systems, software applications, and anti-virus software. Make sure all security patches are applied.
- Ensure homeworkers use a robust password when they connect to the corporate network. Three unrelated words joined by punctuation forms a very robust passphrase that will defeat all automated cracking software.
- Staff should use a different password for their email account.
- Remind homeworkers never to use personal email accounts for work-related matters.
- Homeworkers must never store business-related documents in their personal cloud storage.
- Remind staff never to provide login credentials in response to an email request, and to treat all emails that ask them to verify their credentials as fraudulent.
- Instruct staff to ignore calls to action in unsolicited emails regarding COVID-19 subject matter.
- Homeworkers must never leave written or printed documents in shared or unsecured locations.
- Even when at home, your staff must log off and disconnect when not using the corporate network.
- If one of your workers has been the victim of identity theft or fraud, advise them to change all of their passwords immediately and place a credit freeze on their credit reports. This will prevent anyone from opening fraudulent credit accounts in their name.
- Introduce two-factor authentication wherever possible.
- Seek and follow guidance from authorities such as the NCSC and CISA.
The pandemic is catastrophic enough as it is. Don’t fall victim to the morally-bankrupt cybercriminals trying to exploit this global disaster.