Concern over the Coronavirus (COVID-19) has dominated global headlines. And now cybercriminals are using all tools at hand to take advantage of this concern to spread phishing and social engineering scams and misinformation. 

Almost immediately following the emergence of confirmed infections throughout the world and the U.S., the Digital Shadows Photon Research team found multiple examples of email phishing campaigns, fraudulent goods, and disinformation campaigns, all geared toward exploiting people’s fear and uncertainty for personal gain. 

Among the findings, cybercriminals are aiming to exploit people’s fear and uncertainty using three core tactics:

  1. Phishing and social engineering scams
  2. Sale of fraudulent or counterfeit goods
  3. Misinformation

While COVID-19 itself presents a significant global security risk to individuals and organizations across the world, cybercriminal activity around this global pandemic can result in financial damage and promote dangerous guidance, ultimately putting additional strain on efforts to contain the virus, warns the research team. 

Most notably, says the research team, reports of email phishing campaigns using COVID-19-related lures surfaced almost immediately after confirmed infections began increasing in January 2020. Health organizations such as the World Health Organization (WHO) and US Centers for Disease Control and Prevention (CDC) have been prime targets for impersonation due to their perceived authority: Attackers have been observed tempting victims with URLs or document downloads using promises of important safety documentation or infection maps, such as the Johns Hopkins Center for Systems Science and Engineering (CSSE) map. 

According to Digital Shadows, in February 2020, a user initiated a thread on the Russian cybercriminal forum XSS to advertise a method to deliver malware via an email attachment disguised as a John Hopkins map of the virus’s outbreak. The offering was priced at $200 for a “private build”, and if buyers also required a Java CodeSign certificate, the price would be $700. 

Another phishing scam, as detailed by Sophos, impersonated an official email correspondence from the WHO, which contained a link to purported document on preventing the spread of the virus, but redirected victims to a malicious domain which attempted to harvest credentials. But, organizations like the WHO or CDC are not the only ones at risk of being impersonated. "Since January 2020, the number of COVID-19-related domains registered has increased significantly: Digital Shadows has identified over 1,400 domains registered over the past three months. Malicious domains can be used to spread misinformation, host phishing pages, impersonate legitimate brands, and sell fraudulent or counterfeit items," notes the blog. 

In March 2020, says the research team,  the UK’s National Fraud Intelligence Bureau (NFIB) reported over 21 cases of COVID-19-related fraud schemes, resulting in losses of over £800,000 in the UK alone. The NFIB cited specific examples which included the fraudulent sale of face masks and sites which promised victims a map of COVID-19 infections near them in return for a bitcoin payment.

Lastly, Digital Shadows warns about the dangers of misinformation, or "infodemic," where COVID-19-related misinformation has primarily been spread via social media and private messaging platforms. However, social media platforms such as Facebook,Twitter and Instagram, and search engines like Google have also manually intervened to help fight the spread of misinformation.  

In addition, Security Magazine spoke to Tom Pendergast, Chief Learning Officer at MediaPro, about the rise of cyber threats as universities, schools, workplaces and other organizations switch to digital learning or work-from-home arrangements to fight the spread of the COVID-19 virus. Pendergast says, "You can count on cybercriminals for one thing: they will jump to take advantage of a crisis. Sure enough, we’re starting to see reports across the media of scams related to the coronavirus. Just today, my mom reported that she saw an invitation to contribute to a GoFundMe effort to support people who have lost their jobs as a result of this crisis. Imagine my pleasure when she then said: “But I figured there was no way I could tell if this was a scam or not, so I just deleted it.” You’ve been listening!"

"That skeptical turn of thought is one we all need to apply with special urgency these days: it you can’t be absolutely sure a request for help or even a request to click a link is legitimate, the best thing to do is to keep scrolling, turn away, or delete it," adds Pendergast. "Now more than ever, we need to turn to trusted sources of information to be sure we’re getting the straight story. As for enterprise security, they’re always working on keeping out bogus information from their network. But with people working from home more these days, they’ve got to remind people to use a VPN to take advantage of these network protections.”

Chris Hazelton, Director of Security Solutions at Lookout, notes that working from home or online education programs are not new. "However, a large, immediate migration of people from enterprise and university networks that are closely monitored and secured, to largely unmonitored and often unsecure home WiFi networks, creates a very large target of opportunity for cybercriminals. These users are outside the reach of perimeter based security tools, and will likely have higher exposure to phishing and network attacks. Cyberattacks are going to leverage the coronavirus where they can, attacks that take advantage of Maslow's hierarchy of needs, concern for personal safety and loved ones, will have significant success," says Hazelton. 

"Students and workers remaining at home, or possibly stranded in a remote locations are going to be heavily dependent on their mobile devices. Mobile attacks are particularly effective because they often trigger immediate responses from recipients - instant communication platforms like SMS, iMessage, WhatsApp, WeChat, and others," Hazelton concludes. 

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, told Security Magazine that “Cybercriminals will always take advantage of global catastrophes. They will typically try to exploit those who will attempt to provide financial support and will launch many fake websites, such as Coronavirus tracking websites or medical advice websites, in an attempt to get victims to transfer money to help the victims.  At a time like this, where many events are being cancelled, cybercriminals will attempt to take advantage of this by luring them with phishing scams on fake news, refunds, changes of schedules and many other ways to get victims to give up their credit card information or credentials. This is common for any catastrophe where cybercriminals can use phishing scams for financial fraud.”

For more detailed information, please visit the Digital Shadows blog.