There has been a steady rise in COVID-19 scams and attacks since the novel coronavirus pandemic went global in February. Traditional cybercriminals, as well as APT groups, have been exploiting the situation and will likely continue until COVID-19 is no longer a front-page news item. The attack techniques look familiar: phishing, vishing, malicious apps, malicious domains, and crafty SEO techniques, along with social engineering techniques designed to entice people to click on links or attachments to install malware or steal login credentials.
Considering the rapid deployment of legions of newly remote workers, now is the time for enterprise security teams to educate their users about these scams and attack techniques. This way they don't get scammed or compromised on their work systems, which could lead to a data breach or lost data at your organization.
The prevalence of malicious COVID-19 “informational” Websites
Since the beginning of the pandemic, fraudsters have been crafting fraudulent websites to lure the unsuspecting into downloading malware. As cybersecurity investigative reporter Brian Krebs wrote last month, several active attacks use interactive dashboards that resemble legitimate COVID-19 information sites, and kits for building them are being sold in several online forums.
"Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to use the seller's certificate," Krebs reported.
“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. The “map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!” Krebs reported.
In a joint advisory from the U.K.'s National Cyber Security Centre (NCSC) and the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), the agencies warned that a growing number of scammers are attempting to exploit the COVID-19 pandemic. “In the U.K., the NCSC has detected more U.K. government branded scams relating to COVID-19 than any other subject. Although, from the data seen to date, the overall levels of cybercrime have not increased, both the NCSC and CISA are seeing a growing use of COVID-19 related themes by malicious cyber actors,” their advisory stated.
The advisory is available here.
COVID-19 phishing scams are on the rise
In recent weeks COVID-19 related phishing emails have been circulating everywhere. Some try to trick finance people into providing purchase order information; others are related to government aid pertaining to the financial impact of the pandemic.
Not all of these emails are easy to identify. Some of these phishing attacks will prove costly this year, especially with all of the confusion and change in routines due to so many workers going remote.
Of course, every time there is a major public event, criminals set out to take advantage, and COVID-19 is no exception. We are seeing attacks that target parents, attacks that impersonate official government agencies to scare people into action, and other social engineering techniques. These include claims that children have been exposed to the novel coronavirus and may need to be quarantined, messages that then seek personal information that can be used for identity theft.
Potential COVID-19 Charity Scams: give to the needy, not the greedy
Whenever there is a humanitarian crisis of any kind, scammers come out with SMS, voice, and phishing scams that try to lure the giving. The FTC has warned about potential novel coronavirus charity scams as scammers set out to take advantage of those with the desire and ability to help financially.
To help consumers avoid getting scammed, the independent charity evaluator Charity Navigator provides tips for avoiding such crooks. They include checking the status of the charity's registration, which for a U.S.-based charity can be done by looking up its 501(c)(3) status. They also suggest investigating the charity's history and background, and searching Google for potential clues. Charity Navigator's advice is available here. The FTC provides guidance here. Both are worth sharing with staff and contractors.
The danger of healthcare and government assistance scams
Scammers are angling to get a piece of people's novel coronavirus relief checks, something the FTC is also warning about. The FTC lists steps people can take to avoid such scams: don't give anyone "sign-up" information for the relief check, don't set up the relief check with anyone but the IRS, and ignore claims that are too good to be true, such as anyone offering early access to the cash. They don't have it. The FTC's full guidance is available here; while the advice is US-centric, the principles apply everywhere.
The increase in business email compromise scams
Coronavirus is also being used as the hook for Business Email Compromise (BEC) scams. Recently, the FBI, the CDC, and the FTC issued warnings about phone scams and phishing attacks from fraudsters pretending to be charity workers or employees of a government agency. Their emails carried links to websites serving malicious downloads, or malicious attachments, so that the attackers could take control of user endpoints.
As Silviu Stahie wrote in FBI Issues Warning about BEC Scams Using Cloud-based Email Services, such attacks have netted $2.1 billion in the past five years.
Unlike standard phishing attacks, BEC attacks target business users specifically, typically those who authorize or conduct fund transfers. In these schemes, attackers pose as an executive, a vendor, or another organization affiliated with the target's company and try to socially engineer payments, financial information, or login credentials from their targets.
The FBI recently shared several incidents of BEC attacks, including a financial institution that received an email ostensibly from the CEO of a company that had previously scheduled a $1 million transfer. The sender asked that the transfer be made sooner than originally planned "due to the Coronavirus outbreak and quarantine processes and precautions." The email address used by the attackers was almost identical to the CEO's actual address; only one letter was changed.
In an earlier alert, the FBI advised that the best way staff can avoid being tricked by a BEC attack is by getting personal and “verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone,” Special Agent Martin Licciardo said. "Don't rely on email alone."
The FBI cited other useful BEC countermeasures:
- Create intrusion detection system rules that flag emails whose sender domain resembles, but is not, the company's own domain (the FBI alert calls these "extensions"). For example, if the legitimate domain is abc_company.com, flag mail from abc-company.com.
- Create an email rule to flag messages where the Reply-To address differs from the From address shown.
- Color code virtual correspondence, so emails from employee/internal accounts are one color, and emails from non-employee/external accounts are another.
- Verify changes in vendor payment location by adding additional two-factor authentication, such as having secondary sign-off by company personnel.
- Confirm requests for transfers of funds by using phone verification as part of two-factor authentication; use previously known numbers, not the numbers provided in the email request.
- Carefully scrutinize all email requests for the transfer of funds to determine if the requests are out of the ordinary.
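To make the first three countermeasures concrete, here is an added example, not code from the FBI alert or from this article, that runs those header checks over raw messages: lookalike sender domains (separator swaps, digit-for-letter homoglyphs, and one-character edits), a Reply-To that differs from the From address, and internal versus external origin. The company domain abc_company.com is the hypothetical one from the FBI example, the sample messages are constructed, and the homoglyph table and edit-distance threshold are assumptions you would tune for your own domain.

```python
"""Flag BEC red flags in raw RFC 5322 headers (added example, constructed data)."""
import email
from email.utils import parseaddr

# Hypothetical company domain, as in the FBI's abc_company.com example.
COMPANY_DOMAIN = "abc_company.com"

# Assumed single-character substitutions typical of lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain):
    """Collapse the tricks a lookalike relies on (case, separators, digit-for-letter
    swaps, 'rn' for 'm', 'vv' for 'w') so it compares equal to the domain it imitates."""
    d = domain.lower().translate(_HOMOGLYPHS)
    d = d.replace("rn", "m").replace("vv", "w")
    return d.replace("-", "").replace("_", "")


def levenshtein(a, b):
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lowercased domain of the first address in a header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, company=COMPANY_DOMAIN, max_distance=1):
    """True when domain is not the company domain but would pass for it at a glance."""
    if not domain or domain == company.lower():
        return False
    n_dom, n_co = normalize_domain(domain), normalize_domain(company)
    return n_dom == n_co or levenshtein(n_dom, n_co) <= max_distance


def check_message(raw, company=COMPANY_DOMAIN):
    """Apply the three header checks to one raw message and return the findings."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "external": from_dom != company.lower(),
        "lookalike": is_lookalike(from_dom, company),
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
    }


def flags(raw, company=COMPANY_DOMAIN):
    """Sorted list of the red flags raised for one message."""
    f = check_message(raw, company)
    return sorted(k for k in ("external", "lookalike", "reply_to_mismatch") if f[k])


# Constructed sample messages; none of these is real traffic.
SAMPLES = {
    "internal": "From: CEO <ceo@abc_company.com>\nTo: cfo@abc_company.com\nSubject: Q2\n\nbody\n",
    "hyphen_swap": "From: CEO <ceo@abc-company.com>\nTo: cfo@abc_company.com\nSubject: Urgent wire\n\nbody\n",
    "homoglyph": "From: CEO <ceo@abc_c0mpany.com>\nTo: cfo@abc_company.com\nSubject: Urgent wire\n\nbody\n",
    "tld_drop": "From: CEO <ceo@abc_company.co>\nTo: cfo@abc_company.com\nSubject: Urgent wire\n\nbody\n",
    "reply_to_hijack": "From: CEO <ceo@abc_company.com>\nReply-To: <ceo.abc@example.net>\nTo: cfo@abc_company.com\nSubject: Urgent wire\n\nbody\n",
    "unrelated_vendor": "From: Billing <ar@example.org>\nTo: ap@abc_company.com\nSubject: Invoice\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17s} {flags(raw)}")
```

In a mail gateway this logic lives in a transport rule or a mail-flow filter rather than a script, and it complements rather than replaces SPF, DKIM and DMARC: the reply-to hijack sample shows a message whose From domain is internal and would look clean to a pure domain check, which is why the Reply-To comparison is a separate rule.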
While COVID-19 remains in the news and large numbers of new remote workers continue working remotely, scammers are going to keep exploiting fear, confusion, and the desire for information. Organizations need to deploy all of the mitigating security controls they reasonably can. But they also need to keep employees aware, so that they pause to reconsider before acting on the next phishing, vishing, or SMS attack, tempting malicious app download, or other social engineering technique attackers use to trick them.