Cybercriminals are taking advantage of the coronavirus pandemic. An increasing number of malicious cybercriminals are exploiting the current COVID-19 pandemic for their own gains.
In the UK, The National Cyber Security Centre (NCSC) has detected more UK government branded scams relating to COVID-19 than any other subject.
At the same time, the surge in home working has increased the use of potentially vulnerable services, such as Virtual Private Networks (VPNs), amplifying the threat to individuals and organisations.
Cybercriminals are targeting individuals, small and medium businesses and large organisations with COVID-19 related scams and phishing emails.
Cybercriminals rely on basic social engineering methods to entice a user to carry out a specific action.
They take advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to open a file (such as an email attachment) which contains malware. Or they try to get users to click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware.
To create the impression of authenticity, they may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with ‘Dr.’ in their title.
In several examples, they send phishing emails that contain links to a fake email login page. Other examples purport to be from a businesses human resources (HR) department and advise the employee to open the attachment.
Malicious file attachments containing malware payloads may be named with coronavirus or COVID-19 related themes, such as 'Prime Minister discusses budget savings due to coronavirus with Cabinet.rtf.' Again the aim is to pique curiosity or concern.
The NCSC has observed a large volume of phishing campaigns which use the social engineering techniques described above. Examples of phishing email subject lines include:
- 2020 Coronavirus Updates
- Coronavirus Updates
- 2019-nCov: New confirmed cases in your City
- 2019-nCov: Coronavirus outbreak in your city (Emergency).
These emails will contain a call to action encouraging the victim to visit a URL that cybercriminals use for stealing valuable data, such as usernames and passwords, credit card information and other personal information.
Most phishing attempts come by email but the NCSC has observed some attempts to carry out phishing by text messages (SMS).
Historically, SMS phishing has often used financial incentives, including government payments and rebates (such as a tax rebate) as part of the lure. Coronavirus-related phishing continues this financial theme, particularly in light of the economic impact of the epidemic and governments’ employment and financial support packages.
A series of SMS messages use a UK government themed lure to harvest email, address, name, and banking information. These SMS messages, purporting to be from ‘COVID’ and ‘UKGOV' and includes a link directly to a phishing site.
In addition to SMS, possible channels include WhatsApp and other messaging services. Malicious cyber actors are likely to continue using financial themes in their phishing campaigns. Specifically, it is likely that they will use new government compensation schemes responding to COVID-19 as themes in phishing campaigns.
Still the most common form of a phishing attack. Cybercriminals are increasing email activity involving COVID-19 and Coronavirus. The BBC reported that Google is blocking 18 million coronavirus scam emails every day.
You can find out how to spot phishing emails here.
Phishing for credential theft
A number of cybercriminals have used COVID-19 related phishing to steal user credentials. These emails will include previously mentioned COVID-19 social engineering techniques, sometimes complemented with urgent language to enhance the lure.
If the user clicks on the hyperlink, a spoofed login webpage appears which includes a password entry form. These spoofed login pages may relate to a wide array of online services or services accessed via websites.
To further entice the recipient, the websites will often contain COVID-19 related wording within the URL (for example, ‘corona-virus-business-update,’ ‘covid19- advisory’ or ‘cov19esupport’).
These spoofed pages are designed to look legitimate or accurately impersonate well-known websites. Often the only way to notice malicious intent is through observing the website URL. In some circumstances, cybercriminals specifically customise these spoofed login pages for their intended victim.
Exploitation of work from home
Many businesses have rapidly deployed new networks, including VPNs and related IT infrastructure, to cater for the large shift towards home working.
Cybercriminals are taking advantage of this mass move to home working by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software.
They are also seeking to exploit the increased use of popular communications platforms (such as Zoom or Microsoft Teams) by sending phishing emails that include malicious files with names such as ‘zoom-uszoom_##########.exe’ and ‘microsoft-teams_V#mu#D_##########.exe’ (# represents the various digits that have been reported online).
The NCSC has also observed phishing websites for a number of popular communication platforms. In addition, attackers have been able to hijack teleconference and online classrooms that have been set up without security controls (e.g. passwords) or with unpatched versions of the communications platform software.
Cybercriminals are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is sadly no exception. They are using the high appetite for COVID-19 related information as an opportunity to deliver malware and ransomware and to steal user credentials.
Individuals and companies should remain vigilant. For more information on how to protect your staff and your business whilst working from home then subscribe to our blog (enter your email in the top right).