As the COVID-19 pandemic wreaks havoc around the globe, cybercriminals appear to be reaching new lows in their latest efforts to exploit personal fears to launch phishing attacks.
A report published today by Barracuda Networks notes some of these attacks are becoming quite personal. In one instance of a blackmail attack, the sender claims to have access to personal information about the victim and to know their whereabouts, and threatens to infect the victim and their family with coronavirus unless a ransom is paid. Barracuda detected this attack 1,008 times over the span of two days.
Overall, the Barracuda Networks report finds there has been a steady increase in the number of COVID-19-related email attacks since January. Between March 1 and March 23, Barracuda Sentinel, a monitoring platform infused with artificial intelligence, detected 467,825 spear-phishing email attacks, of which 9,116 were related to COVID-19.
Barracuda Networks CTO Fleming Shi said that while that may only represent 2% of all attacks, it is a harbinger of things to come. Many of these attacks are text-based, so they often evade traditional endpoint protection tools, noted Shi.
The Barracuda Networks report finds 54% of those attacks were scams designed to, for example, fool people into donating money to combat COVID-19. Another 34% involved brand impersonation attacks selling, for example, fake masks, while 11% were blackmail and 1% were business email compromise.
In some instances, the goal of the attack clearly is to steal money. However, many of these phishing attacks are being used to distribute malware at a time when many employees are now required to work from home. Many of those employees are using machines they own to work on sensitive corporate data while at the same time shopping for supplies. Shi said it’s important that cybersecurity professionals remind employees to segment those activities as much as possible. Ideally, employees should have separate machines for work that have access to a virtual private network (VPN), while relying on a tablet or smartphone for personal business, he said.
Employees working from home should also be encouraged to turn two-factor authentication on in their browsers to make sure they are accessing legitimate sites. Many of the phishing attacks purport to be sharing important COVID-19 updates from sites that mimic the World Health Organization (WHO).
Jen Miller-Osborn, deputy director of threat intelligence for Unit 42, the cybersecurity research arm of Palo Alto Networks, reported that in the past few weeks more than 100,000 domains have been registered containing terms including “covid,” “virus” and “corona.” Not all of these will be malicious, but all of them should be treated with suspicion, advised Miller-Osborn. Unit 42 also has identified malicious emails using subjects containing COVID-19 and related keywords carrying remote administration tools (RATs) such as NetWire, NanoCore, and LokiBot.
There have also been multiple cases reported of malicious Android applications that claim to offer information about the virus, she noted.
Although phishing attacks that leverage catastrophic events to entice users to click on a link or download a document are hardly new, Miller-Osborn said the COVID-19 pandemic is unique in that it’s a global event that affords cybercriminals an opportunity to launch phishing attacks at unprecedented scale.
Carl Leonard, principal security analyst for the X-Labs unit of Forcepoint, said now is not the time for organizations to implement new remote work policies. Instead, they should implement the policies they have in place now. Over time, those policies can evolve as cybersecurity teams start to better understand what cloud applications are being employed and where data is actually being stored, he said.
From there, it will then become more apparent, for example, what data loss prevention (DLP) or cloud access security brokers (CASBs) tools might be required, added Leonard.
Longer-term it’s now clear to what degree employees working from home represents the new normal. Whatever the outcome, however, cybersecurity will never be the same.