Johannesburg, 16 Apr 2020
Cyber criminals have never been known to waste the chance to take advantage of a crisis and the COVID-19 pandemic is no different. With people across the globe nervous about the impact on their health and livelihoods, cyber attacks using this as a cover have dramatically increased.
Brian Pinnock, MEA Director, Sales Engineering at Mimecast, explains that of the millions of spam e-mails its systems filter each day, around 15% are currently related to COVID-19. “This level of focus by cyber criminals is something that we’ve never seen before. In situations where there is a crisis in a particular country or region, such as the Australian bush fires, we see a spike in the volume of activity around that topic, but the global nature of this crisis has ramped this up to unprecedented levels.”
This is not something that happened overnight. “At the start of the outbreak in Wuhan we began to see e-mails emerging purporting to be from doctors giving advice, and as more and more governments started issuing guidance, the phishing e-mails began to impersonate these notifications. At the moment, some of the focus has shifted to the financial side of the crisis, with the e-mails taking advantage of financial assistance schemes and refunds for cancelled air tickets,” he says. “With many airlines cancelling flights, criminals are looking to use this to gain access to financial information or even airline loyalty programmes, especially considering that air miles/loyalty points are an alternative currency in their own right.
“What we are seeing through these mails is the constant evolution of tactics in order to target the fears and anxieties of vulnerable people.”
He adds that while it’s impossible to track how successful these strategies are, the tactics employed by cyber criminals evolve quickly to move away from techniques that aren’t working while focusing on those that are. “The continued focus on COVID-19-related content would indicate this is working for these criminal enterprises.
Looking for isolation victims
“There are two areas that make this crisis fundamentally different from any other. The number of people who have been confined to their residence to restrict the spread of the virus and the rapid shift towards remote working,” says Pinnock.
He explains these two trends are being specifically targeted by cyber criminals. With people unable to go out, the amount of people accessing streaming and video-conferencing services has risen dramatically. Criminals use phishing e-mails to steer people towards spoofed versions of real sites like Netflix and Zoom, asking people to log on to these fake sites. Mimecast’s Brand Exploit Protect team found over 700 suspicious domains impersonating Netflix in less than a week. Because people typically reuse passwords across multiple sites, criminals then test the username and password combinations across other sites looking to access information that could be monetised. More sophisticated spoofing operations impersonate home delivery services allowing them to capture credit card details directly.
Remote workers at risk
The other target is people who have just started working from home. These users are accustomed to being protected from cyber criminals by corporate infrastructure. “In the office there are layers of security covering the multitude of ways that criminals could access sensitive information, but in a work-from-home environment some of these aren’t accessible,” says Pinnock. “Even when users connect to their corporate network via VPN, they often disconnect when the network connection appears to be slow or they want to access a site that is blocked by a corporate Web filter.”
They also share the home network with other devices, including IOT devices and personal computers, which typically don’t offer the same level of protection their company-supplied PC would. Criminals can use this gap to install malware, raising the risk of a ransomware attack on the company.”
With the initial rush to get people working from home now mostly behind companies, Pinnock says IT teams should be making sure their core security policies are properly implemented. This includes areas such as ensuring passwords are regularly changed, users consistently connect via VPN and Web security systems are in place and active. With the possibility of many users working remotely for extended periods of time, it may be necessary to revisit security policies with a focus on ensuring remote workers don’t create additional risks.
Share