Cybercriminals hope to go unnoticed. They often work in the dark depths of the Internet, but now, they are showing their true colors in the COVID-19 pandemic. Attacks have always been socially engineered to prey on people’s fears, habits, and ultimately, their bank accounts, but the exploitation in the COVID-19 era is nothing short of sinister. In the short time since America has felt the effects of this pandemic, there have already been countless phishing attempts with COVID-19-specific messaging. These attack methods are nothing new, but there is an updated approach that many threat actors are using when it comes to who and how often they attack.
What’s New
Perhaps what’s most shocking in the development of COVID-19-themed attacks is the behavior of larger ransomware organizations themselves. It’s nearly impossible to advocate for groups like “Doppelpaymer” and “Maze”; they are large organizations that deploy and facilitate the payments of ransomware. However, recent statements regarding the changes they plan to make during COVID-19 seem genuine. Maze’s statement is as follows:
Referring to their victims as “our partners” and their Bitcoin ransom as “exclusive discounts” is not only misleading; it can be seen as yet another attempt to lull potential “partners” into a false sense of security. As the amount of pandemic-related phishing attempts increases, these known organizations declare the exact opposite. Official statements like this serve as poor proof of their sincerity, especially considering that a sensitive data leak still occurred five days after this statement’s release. Despite what may come directly from the source’s mouth, large ransomware organizations are still attacking valuable assets.
Flooding a healthcare website’s traffic, churning out malicious emails on behalf of the CDC, and even targeting the World Health Organization has already been reported. The incentives remain the same for threat actors — they still seek either money or disruption — yet the timing of their actions put lives at risk. While it is certainly never okay to threaten the infrastructure of a healthcare organization, to deploy these attacks during a pandemic is egregious. Software is critical infrastructure, and without proper precautions, COVID-19 is proving to attract too many attacks in too little time.
The attack on other industries during this time is just as prevalent. While social distancing and working from home has rightfully been adopted in the name of health and safety, many organizations now find themselves in danger of remote cyber threats. The security of a contained office network — complete with devices that have been carefully managed and accounted for — is no longer an option for some companies. Here are some of the most commonly exploited paths used by threat actors in this context:
- An infected personal computer from a remote employee accesses a company network. The company network is now infected with whatever came from the personal computer.
- Home routers are left un-updated and unpatched; therefore ripe for exploitation.
- A lack of Multi-Factor Authentication puts networks at risk. While rare, it is possible to harvest credentials online, leaving an MFA-less network vulnerable to a threat actor with the correct passwords.
For individuals who still log in to their devices strictly for personal use, there is a storm of phishing emails that cling to COVID-19 for sensational, “click me” purposes. Procedures known as “open redirects” (where one website automatically directs to a malicious one) and “business email compromise” (when an email appears to be from a trusted organization) are the most common in phishing attempts.
What’s new in this era is the messaging within the emails: the CDC asks for donations in Bitcoin. Your COVID-19 Tax Relief Documents are available on this website. A doctor from the World Health Organization has “drug advice” if you click here. This is social engineering at its worst — and unfortunately, it’s more likely to work in these uncertain times. People haven’t become more gullible in the past three and a half months; they’ve become used to big changes in small messages. When the next news headlines could be a matter of safety or sickness, it’s much easier to believe information that appears right in your inbox.
What We Have Seen Before
While it is true that these are unprecedented times, it’s a comfort to know that threat actors still deploy their attacks using mostly traditional, predictable methods. In 2019, 92 percent of all malware was distributed via email. As far as what can be seen in more recent attacks, even the pandemic-specific ones, delivery methods haven’t changed much.
You may not have complete control of what messages end up in your inbox, but you can still control which messages, attachments and information you share in any correspondence. The best practices in cybersecurity still stand, and they are still effective in protecting your networks — even if threat actors may appear more often than they have in the past.
The content of many phishing emails is also in line with what’s been seen before. Opportunism is not new for threat actors, and they are still composing messages that seem very timely, very urgent, or very informative. Emails have always been socially engineered to reflect major news headlines, and in times of global distress, it’s never been easier to solicit emotions that convince people to “click here.” This unique environment is truly too good to pass up for many threat actors, no matter the ethical implications.
Threat actors are also interested in essentially the same information that they’ve scouted in the recent past. While it is unforgivable to rob a hospital of its resources, credentials and security, it is sadly not a new trend. Healthcare organizations have been top-of-mind for threat actors due to their highly regulated, highly valuable data, which is now valued at $429 USD per record stolen. Phishing emails claiming they have a “cure” or a long-awaited “test result” have proven to be quite successful with or without a pandemic present as well.
Source: https://www.agari.com/email-security-blog/business-email-compromise-bec-coronavirus-covid-19/
The incentive for threat actors to attack health organizations, while much stronger in a public health crisis, is still essentially the same. This data has always been valuable. People have always responded urgently to their traps. Hospitals have always been at-risk, it’s just an extreme increase in attacks that have proven especially devastating.
The fight to completely protect healthcare organizations from ransomware and other attacks has never been evenly matched. Don’t be mistaken — there are amazing experts in the field of cybersecurity, but they are often outnumbered by automated phishing attempts that can deploy by the thousands. In response to threat actors who are taking advantage of COVID-19, “white hat” groups have united in trying to protect the healthcare industry. Threat actors have proven they have no ethical boundaries, but luckily, the methods used by security experts have proven to still be effective against attackers. The resiliency and motivation of the people who bring attackers to justice has even increased; there is a newer, stronger willingness for cybersecurity professionals to collaborate against these frequent threats.
What You Can Do
While many aspects of everyday life are far beyond any one person’s control at the moment, there are some guidelines that are still relevant when considering cybersecurity. To avoid the bombardment of COVID-19 themed attacks, be sure to rely on trusted news sources directly. Organizations like the WHO and the CDC certainly have enough on their plate, yet they’ve also taken on the responsibility of informing the public of their cyber policies. In general, you shouldn’t trust emails that attach unexpected documents, request credentials, or offer any lotteries or prizes — even if they appear to be from these organizations. These resources also offer opportunities to report any suspicious messages you may receive.
COVID-19 has certainly changed the fabric of society. While the journey ahead is uncertain, it’s a comfort to reflect on what we know and what we can control. Hackers will continue to exploit people’s fears. Hackers will even continue to threaten critical infrastructure. One thing is certain: staying aware of the risks that lie ahead puts you in a better position of not falling for them tomorrow.
