Phishing scams on the rise amid COVID-19
With a vast number of corporate employees working from home, digital threat actors or hackers have indulged in Phishing attacks more than ever, exploiting fear of the ceaseless spread of Covid-19.
With the rapid spread of Covid-19 across the globe, many countries have shut down public places as a precautionary measure. Many countries have shut down educational institutes, offices, and canceled public gatherings. Some countries in Europe, where the infection rate is high have escalated the lock down to even a greater level. As many organizations in comparatively less infected countries have been advised to reduce their workforce, many are deciding whether or not to allow employees to work from home, but a new cybersecurity threat looms.
‘Recorded Future’ has reported the registration of thousands of fake coronavirus related websites claiming to provide updates on the spread of the disease, its control and treatment. Tapping into the fear surrounding the pandemic and the lack of ideal security measures for people working from home, threat actors are exploiting the situation with the spread of malware through Phishing.
Security researchers at Mimecast Threat Intelligence have studied more than 300 variants of Phishing campaigns that target remote workers that appear to be authentic health details offered by trusted healthcare organizations. The most common variants are either a map representing the spread of infection or a list of Coronavirus precautions and tips. Uploaded in OneDrive, the scam prompts the user for their login credentials, counting on human error as they give into their fear or curiosity.
In addition to these types of Covid-19 Phishing scams, Kaspersky lab has ironically discovered a new strain of COVID family pathology, a cookie trojan termed “Cookiethief”. This trojan tends to acquire the root rights for the victim’s device first, and then transfers cookies used by their browser to the attacker’s system. For Facebook, the use of the stolen cookies can be made to access a unique session ID, enabled by the Facebook app on Android that identifies and grants access to the user without a need for password and login; thus, enabling the attacker to bypass the authentication.
Multiple Phishing cases and a spike in hacker activity are keeping up with the novel coronavirus spread, as reported by various national and international cybersecurity institutions.
‘Skynew’ reported the targeting of healthcare workers by cybercriminals via email scams, luring them to register for a fake survey about coronavirus, aimed at obtaining their personal information. Similarly, ‘Check Point’ reported in its research that a Mongolian public sector was targeted with Phishing emails trying to appear as coronavirus briefings published by the Mongolian Health Ministry. These Phishing emails are generally followed with ransomware attacks, such as in Illinois where its public health agency reported a ransomware attack by a relatively new ransomware called the ‘NetWalker’ resulting in its main website being disabled. Threat actors are exploiting the current situation to satisfy their financial desires or other malicious causes. The current COVID pandemic is being utilized by these attackers to bank on the fear of people and spread false and misleading information to sow distrust.
The aim of such attacks differs widely, from obtaining funds to non governmental agendas. The top sector being targeted is the business sector, which is currently in a slump in many major countries. Due to the lock down and self-quarantine rules, many new people are working from home and these endpoint users working away from the organization's security structure tend to be more easily penetrable.
As Phishing emails were common and recurrent since long before coronavirus hit, a question might arise, how is it different this time? Naturally there are many security measures against scams that organizations typically apply on a daily basis, but these are not normal times. During a pandemic crisis many organizations and government bodies are focusing their attention towards fighting the spread of the disease; hence, stretching thin their manpower and resources committed to cybersecurity. And, like any other operation, cybersecurity is also dependent on many other organizational branches and processes to form a network of security operations; thus, even the closure of any one vertical will affect the entire network's efficiency. In European countries where the shutdown is very intense, and majority of IT employees are working from home, the only ways to carry out work is either the availability of work programs in the cloud or to connect to the office network through VPN (Virtual Private Network).
Cloud: Cloud computing is at its core large server farms present at physical locations, collecting and distributing data throughout the globe. It is ubiquitously available for users to access information at any given time or place using a web browser. The application of cloud is flexible for organizations as it is sourced and maintained by cloud vendors, who also find the maintenance of cloud more affordable as a single farm could be used to host the applications and information from multiple clients. Also, as the cloud is hosted by specialized vendors who are or have employed cybersecurity experts, cloud security is considered one of the most formidable security features across the cybersecurity landscape. Thus, companies that incorporate cloud into their business process tend to migrate all of their workload to cloud and provide its employees with login access to these portals. Though cloud computing is spreading across the digital market like wildfire, there still exists many small and medium organizations that have not yet adopted it, and still use private servers for running business related applications and storing information.
VPN: Virtual Private Network, as its name suggests, are channels created virtually to connect users to private networks. It is more like extending the private network across the public network to connect to the user. Even the ISP provider does not have any control or knowledge of its traffic. It allows employees and branch offices to directly connect to the network of the main office. VPN does not make network connections completely anonymous. Information about the users at the end points of the VPN is plainly visible, but the data being communicated between these users is private. VPN provides robust security features using tunneling protocols or cryptography where authentication protocol of valid users is required to be satisfied for secure connection. Different VPN vendors provide a different combination of tunneling protocols such as PPTP (Point to Point Tunnelling Protocol), L2TP (Layer Two Tunnelling Protocol), IPSec (Internet Protocol Security), etc. and encryption (symmetric and asymmetric) such as AES, RSA, Blowfish, Diffie-Hellman, etc.
Regardless of cybersecurity measures in place, even a well secured network can be hacked if the user herself is not aware of cybersecurity threats and their prevention. Like the examples above where Phishing attacks prompted users to log into the malicious OneDrive, which siphoned their username and password, credentials for both cloud and VPN could be easily obtained by dropping sniffers and decryption tools into the user’s network end. Where the sniffers try to search for logs or files, credentials might have been stored, and decryption tools may try to work on the weak symmetric ciphers. So it’s vital that users become the first line of defense to combat Phishing attacks.
The prevention of Phishing for a non-technical person is improved with anti Phishing education and awareness provided by many reputable organizations such as OhPhish, which provides education and training for an organization’s employees against Phishing attacks. Only understanding Phishing theoretically is not sufficient because, even if a person knows Phishing is done via malicious/spam emails, one cannot possibly differentiate between a benign and malicious email. Thus, practical experience of Phishing attacks and how to tackle them is very helpful. OhPhish solutions provide virtual simulations for Phishing attacks by sending employees Phishing emails and monitoring their response to it, based on their result-tailored education and mitigation knowledge.
As the user her/himself is the first line of defense against any cyberattack, the knowhow to tackle Phishing attacks is highly important. Anti-Phishing education organizations could not only help to educate the employees of any organization, on ways to recognize and tackle Phishing emails, but offer the advice and training of security experts along the way. The training the of IT people regarding different types of Phishing modes can be done as:
The immediate precautions against such threats involve securing the cloud and VPN access at both remote systems and the central network, along with immediate creation of security policies and guidelines that help in educating the remote workers on handling and mitigating such attacks. Whereas the long-term policy dictating security responsibilities in such situations in future could only be achieved through assisted education and awareness programs.
Q. What is Spear Phishing?
A. Spear Phishing is a targeted attack where the attacker conducts research on the victims before sending a personalized message or email.
Q. How Spear Phishing is different from Phishing?
A. While Phishing is a broader term, Spear Phishing emails are a targeted approach, where the attacker targets either a single recipient or a bulk of recipients based on the same characteristics.
Q. What are different Phishing scams?
A. There are multiple types of Phishing attacks like Email Phishing, Spear Phishing, Whaling, Angler Phishing, Smishing and Vishing.