Coronavirus phishing scams proliferate

It’s no surprise to see hackers taking advantage of the confusion around the coronavirus pandemic to do their worst, including preying on the estimated 75 million people suddenly working from home.

But the numbers are nonetheless hair-raising.

Researchers at Barracuda Networks, which provides network security to 220,000 corporate customers, reported Thursday that the number of coronavirus-related email attacks began increasing in January. Then, in the first three weeks of March, it exploded. The volume of such attacks spiked 667% from February to more than 9,000 incidents.

The company has not seen anything on this scale since the 2008 financial crisis.

“This is all fear driven,” said Fleming Shi, chief technology officer at Barracuda Networks. “People are scared or learning about the truth every day on the news, and the bad guys are weaponizing it. They see it as an opportunity.”

Between March 1 and March 23, Barracuda detected 467,825 spearphishing email attacks, and 9,116 of those detections were related to COVID-19. In comparison, the company detected 1,188 coronavirus-related email attacks in February and just 137 in January.

“A lot of times [phishing attacks are] seasonal,” he said. “This time of the year, usually it's tax-related scams.”

Of the coronavirus-related attacks detected by the company through March 23, 54% were scams, 34% were brand-impersonation attacks, 11% were blackmail, and 1% were business email compromise. Only a couple of years ago, business email compromise was a top concern for bank chief information security officers, because hackers were using it to successfully carry out fraudulent wire transfers.

In the scams, some cybercriminals are looking to sell coronavirus cures or face masks or asking for investments in fake companies that claim to be developing vaccines. Others are asking for donations to fake charities.

Goals of the attacks ranged from distributing malware to stealing credentials and translating those accomplishments into financial gain. One new type of ransomware is brazenly called CoronaVirus.

Hackers are playing on fear, uncertainty and even sympathy stemming from the COVID-19 situation, Barracuda researchers said. One blackmail attack claimed to have access to personal information about the victim, know their whereabouts and threatened to infect the victim and their family with coronavirus unless a ransom was paid. Barracuda detected this particular attack 1,008 times over the span of two days.

The malware these criminals are injecting into users’ computers through their phishing emails tends to be similar to the malicious software banks are used to being targeted with, researchers said.

One is Emotet, a popular banking Trojan that tries to find and steal sensitive and private information like online banking passwords. Another is LokiBot, malware that tries to steal login credentials and data.

The next level of attacks will more directly threaten people's financial well-being, Shi predicted.

“This is going to be a long-lasting battle,” he said.

Hackers who use phishing tactics rely on attachments less than they used to, Shi noted, because email filters have gotten better at detecting malicious attachments.

They are using knowledge gleaned from victims' email activity to conduct highly targeted spearphishing and conversation hijacking.

“Once a conversation has been hijacked, then the social engineering becomes very intimate,” Shi said. “The conversation and the response are very believable.”

What banks are reporting

In the financial industry, the numbers being reported are not as alarming, but they’re growing.

Banks voluntarily report security threats they see to the Financial Services Information Sharing and Analysis Center. The FS-ISAC received 15% more reports of coronavirus-related phishing attacks in February and March than it did in November, December and January. The group did not share absolute numbers.

Steven Silberstein, the center's chief executive, said the increase could be a result of members being hypervigilant and proactive about sharing information about COVID-19-related phishing attempts.

Banks do not catch all phishing attempts, so their voluntary reporting does not paint a complete picture. For any company, it can take months for a security team to realize a phishing attack has successfully penetrated a network.

The FS-ISAC has also seen an increase in COVID-19-related “smishing” attacks on banks. These are devious text messages that purport to be from government agencies or banks, with COVID-19 as the theme.

Malicious websites are also an issue for banks in the coronavirus crisis. Silberstein said more than 81,000 domains related to COVID-19 have been created since the new year, and most of these are considered high-risk for fraud or malicious content.

About 100 of these dangerous websites deal with banking, and the bulk of these were created just in March. The group did not share specific examples.

“We expect this trend to continue as COVID-19 impacts economies, workforces and livelihoods in the near future,” Silberstein said.

Ransomware trending, too

Beazley Breach Response Services, which helps breach-insurance customers such as banks investigate and mitigate hacking attempts, also issued a report on security threats last week. It found that ransomware rose in 2019. Its clients reported 775 ransomware incidents in 2019; 16% of these were at financial institutions.

“The ransomware trend is its own pandemic because it's not going away,” said Katherine Keefe, the head of Beazley. “The criminals have decided they can make and have made a lot of money on it.”

Ransomware typically enters the system through either a successful phishing attack or through an improperly secured remote desktop.

More than 20 vulnerabilities have been identified within the remote desktop protocol many companies use to let employees access computers. Companies that are lax about patching give hackers an easy way to break in. Beazley’s researchers recommend requiring the use of a virtual private network with multifactor authentication and allowing only whitelisted internet protocol addresses to connect via remote desktop. They also recommend forcing users to reset their passwords at regular intervals, not letting people recycle passwords and training employees to recognize and report suspicious email traffic.
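The address-allowlisting recommendation above can be checked and enforced with Windows' own firewall and Remote Desktop settings. The script below is an added example, not code from the article or from Beazley; it assumes a Windows host using the built-in "Remote Desktop" firewall rule group, and the allowlist values are constructed placeholders to be replaced with the organization's VPN gateway or jump-host ranges. It runs in audit mode unless `-Apply` is given.

```powershell
# Added example (not from the article): audit and, with -Apply, harden inbound RDP
# exposure on a Windows host by allowing only allowlisted remote addresses and
# enforcing Network Level Authentication. Run from an elevated PowerShell session.
param(
    # Placeholder allowlist (constructed values): replace with your VPN / jump-host ranges.
    [string[]]$AllowedRemoteAddresses = @('10.8.0.0/24', '192.0.2.10'),
    [switch]$Apply
)

$group = 'Remote Desktop'   # built-in Windows Firewall rule group covering port 3389

# 1. Find every enabled inbound RDP rule that accepts connections from any address.
$exposed = foreach ($rule in Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -Enabled True) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($addr -contains 'Any') {
        [pscustomobject]@{ Rule = $rule.DisplayName; RemoteAddress = ($addr -join ',') }
    }
}

# 2. Check whether Network Level Authentication is enforced (UserAuthentication = 1),
#    so a client must authenticate before a full RDP session is established.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

if ($exposed) {
    Write-Warning 'Inbound RDP rules reachable from any address:'
    $exposed | Format-Table -AutoSize
} else {
    Write-Host "No enabled inbound RDP rule accepts connections from 'Any'."
}
if ($nla -ne 1) { Write-Warning 'Network Level Authentication is not enforced on RDP-Tcp.' }

# 3. Apply the allowlist and NLA only when explicitly requested (audit mode by default).
if ($Apply) {
    Set-NetFirewallRule -DisplayGroup $group -Direction Inbound -RemoteAddress $AllowedRemoteAddresses
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Host "Inbound RDP restricted to: $($AllowedRemoteAddresses -join ', '); NLA enforced."
}
```

Restricting the firewall rule to VPN-side addresses is what makes the VPN-plus-MFA requirement enforceable rather than advisory, since RDP then cannot be reached from the internet at all.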

“Multifactor authentication is really key,” Keefe said. “Especially with people remote working, systems administrators really ought to only be able to access systems via a system that's protected by MFA.”

The next biggest defense against ransomware is making sure that a financial institution has backups that are separated from the rest of the network.

“The backup is going to be very useful if there is an inevitable attack, to allow the bank to restore its own data, so they're never in a position of having to rely on the criminals to restore the data after paying a significant ransom,” Keefe said.

The recent ransomware attack on Finastra will not be the last on a big bank-technology vendor, Keefe warned.

“The attackers are realizing that managed service providers and outsourcers many organizations depend on to run their business are the right target for a ransomware attack because the attack can bring down the systems of the dependent clients,” Keefe said. “We're seeing a lot of that, where attackers are putting some thought into who a ripe, vulnerable target would be.”

Vendors will feel pressure from the customers that rely on them to do something quickly.

“That might lead the vendor to be more inclined to pay a ransom than maybe they otherwise would if it was just their own system that was impacted,” Keefe said. “For example, they might have more time to examine their own backup program to see if they could restore their encrypted data themselves. But if they've got hundreds of clients who are hammering at them to do something, do something, do something, then there's a potential decision that could be made under pressure to pay the ransom. I think the criminals know that.”

The phenomenon of customers working from home compounds the risk.

“Companies are racing to set their staffs up to be able to work at home and perform functions at home that they otherwise would perform inside of the bank and [are] setting up remote working and maybe doing so in a way that's not taking information security into consideration,” Keefe said. “You have small companies who are running to Best Buy and buying a router to get their employees set up at home.”

Some companies are not implementing multifactor authentication and other firewall protections that could assist in making the remote work a little more secure, she said.

“The U.S. and other countries have reverted almost overnight to homeworking,” Keefe said. “That's a whole new phenomenon that can and will create new opportunities for criminals to take advantage of.”

Insider threat

Tom Miller, CEO of ClearForce, emphasized the cybersecurity danger of having people work from home who are under several kinds of stress, including financial stress.

“Bad actors are looking to exploit the situation,” Miller said. “You've got a super vulnerable target right now, which is individuals under stress and outside the eyesight of organizational leadership. You have individuals that have been trained six ways from Sunday not to click on a link or open a document, but now all of a sudden they're sitting there and they're checked out, because they're worried about their financial situation. They've got a spouse that's lost half their income. They're watching the stock market and not paying attention. So they make mistakes that normally they'd been trained not to, but their head's not in the game for obvious reasons and that’s opening the sector for bad people to get in.”

Criminals are using LinkedIn to analyze who does what in organizations, Miller said.

“They're understanding based on job role who has access, and they're finding vulnerability, and they use that vulnerability to approach and exploit and then get themselves inside the perimeter,” Miller said. His company’s software monitors employees and alerts organizations to behavioral red flags.

“The big difference between today and three weeks ago is, supervisors and leaders can't look eye to eye with their employees,” he said. “It becomes really difficult to pick up on early indicators and red flags that maybe you had at least had a chance of noticing when you could walk down the hall and pop your head in the office or cube or have that more casual level of interaction that you can't have now.”

Miller said that even after the pandemic is over, many people are still likely to be working from home.

“People just don't think it's going to snap back to where it was,” he said. “It's hard to know what that level of difference is going to be, but it's going to be different.”
