Major events reliably create opportunities for malware campaigns. Malicious actors pounce on elections, holidays and similar occasions to launch phishing and ransomware attacks, sometimes using disinformation campaigns as the lure. So it is no surprise that the COVID-19 pandemic has sparked an increase in such threats as well.
Security vendors that track malware threats, including Kaspersky Lab and CrowdStrike, have spotted a surge in phishing attacks that use pandemic-related misinformation to harvest credentials and other personal information or to deploy malware. Experts say existing defenses, such as email scanning, VPNs and multifactor authentication, may need further adjustment to cope with the jump in remote workers and the new phishing lures. More importantly, users need to stay vigilant and understand how attackers prey on them.
Researchers from Kaspersky Lab and IBM's X-Force saw the Emotet phishing botnet play on recipients' coronavirus fears as early as the end of January. By April, Google reported seeing more than 18 million malware and phishing emails related to the coronavirus daily. Additionally, in early April, the U.K.'s National Cyber Security Centre and the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency released an advisory warning about email and SMS phishing threats using coronavirus as a way to steal credentials or deploy malware.
While malicious actors may be using coronavirus-related news to increase the number of victims their campaigns reach, the customization of the phishing emails and ransomware files themselves has been limited.
Coronavirus-inspired phishing lures
Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, said his team has seen several coronavirus-themed ransomware variants, but generally that meant only different file names, coronavirus references in the ransom note or an occasional graphics update.
"Their modus operandi remains the same and typical for any crypto-ransomware, which means the usual prevention measures still apply to them," Sinitsyn said.
Preventive measures include auditing networks for weaknesses, implementing or expanding the use of VPNs, updating software, and educating employees about phishing techniques, according to Sinitsyn.
In addition to educating employees, Deborah Golden, U.S. cyber risk services leader at Deloitte, suggested organizations filter email for coronavirus-themed content, unusual attachments, and pandemic-related domains that sit on commonly abused hosts or name servers or are registered under unusual top-level domains.
Coronavirus phishing threats have been evolving to use "recent news developments as content for phishing lures," Golden said.
Initial content focused on a COVID-19 vaccine or cure. "More recently, lures are moving to financial topics in the wake of the economic stimulus package, as malicious cybercriminals lure vulnerable individuals into providing financial, health and other personal information," she said.
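As an added illustration of the filtering signals Golden describes (example code written for this page, not Deloitte's or any vendor's filter), the following Python scores a raw email message on pandemic-themed wording, risky attachment types, pandemic terms in the sender domain or in linked hostnames, a short list of top-level domains treated as unusual, and a short list of hosting providers treated as commonly abused. The keyword list, TLD list, host list, weights and thresholds are assumptions for the example, and the two messages it scores are constructed samples, not captured mail.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# All lists, weights and thresholds below are assumptions for this example;
# tune them to your own mail flow and threat intelligence.
PANDEMIC_RE = re.compile(
    r"\b(covid[- ]?19|coronavirus|corona|pandemic|stimulus|vaccine|quarantine)\b", re.I
)
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}
UNUSUAL_TLDS = {"xyz", "top", "club", "icu", "buzz", "tk", "ml", "ga", "cf", "gq"}
ABUSED_HOSTS = {"000webhostapp.com", "weebly.com", "blogspot.com", "sites.google.com"}
LINK_HOST_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def sender_domain(msg):
    """Domain of the From: address, lowercased ('' if unparseable)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Parse a raw message and return {'score', 'reasons', 'verdict'}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    domain = sender_domain(msg)
    reasons = []

    # Theme alone is a weak signal (legitimate mail mentions the pandemic too),
    # so it carries weight 1; infrastructure and attachment signals carry 2.
    if PANDEMIC_RE.search(subject) or PANDEMIC_RE.search(text):
        reasons.append(("pandemic-themed content", 1))
    if PANDEMIC_RE.search(domain):
        reasons.append(("pandemic term in sender domain", 2))
    if domain.rpartition(".")[2] in UNUSUAL_TLDS:
        reasons.append(("unusual sender TLD", 2))
    for host in sorted({h.lower() for h in LINK_HOST_RE.findall(text)}):
        if any(host == a or host.endswith("." + a) for a in ABUSED_HOSTS):
            reasons.append((f"link to commonly abused host {host}", 2))
        if PANDEMIC_RE.search(host):
            reasons.append((f"pandemic term in link host {host}", 1))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            reasons.append((f"risky attachment {name}", 2))

    score = sum(w for _, w in reasons)
    verdict = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return {"score": score, "reasons": [r for r, _ in reasons], "verdict": verdict}


def build_sample(from_addr, subject, body, attachment=None):
    """Construct a sample message (test data, not a captured email)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "staff@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


# Constructed samples: a lure with several weak signals stacked up, and a
# legitimate internal notice that merely mentions the pandemic.
PHISH = build_sample(
    "Relief Desk <alerts@covid19-relief-fund.xyz>",
    "Your COVID-19 stimulus payment is ready",
    "Claim here: https://stimulus-claim.000webhostapp.com/verify\n",
    ("Stimulus_Form.docm", b"not a real document"),
)
BENIGN = build_sample(
    "HR <hr@example.com>",
    "Updated COVID-19 remote work policy",
    "The policy is at https://intranet.example.com/policy\n",
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The point of the weighting is that a pandemic keyword by itself never blocks mail; it only pushes a message over the threshold when it coincides with infrastructure or attachment signals, which is what keeps an internal policy notice from being quarantined alongside a lure.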
In terms of who is behind many of the coronavirus phishing threats, CrowdStrike CTO Mike Sentonas said the attacks have come primarily from China and North Korea, and most have involved highly targeted spear phishing of specific individuals.
Sentonas added that his team expects the use of health guidance, containment and infection rate news as phishing lures to keep growing over the next few months, especially as employees working from home rely more heavily on email.
CrowdStrike regularly sees cybercriminals use credentials as an initial access vector, so Sentonas recommended fortifying remote network access by enforcing strong password policies, requiring two-factor authentication, ensuring security patches for servers are up to date, and monitoring and analyzing server logs to identify unusual access attempts.
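To make the last of those recommendations concrete, here is an added example (written for this page, not CrowdStrike's tooling) that reads sshd-style authentication log lines and flags three patterns of unusual access: one source failing against many accounts (password spraying), many failures against one account (brute force), and a successful login from a source that had already been failing, which is the sign of a spray that found working credentials. The log lines are constructed samples using documentation IP ranges, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Matches the "Failed"/"Accepted" lines sshd writes to the auth log.
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Thresholds are assumptions for the example; tune to your baseline.
SPRAY_MIN_USERS = 3   # one source, many distinct accounts
BRUTE_MIN_FAILS = 5   # one account, many failures


def parse(lines):
    """Yield dicts for the lines that look like sshd auth events."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def analyze(lines):
    """Return a list of (finding, ...) tuples for unusual access patterns."""
    failed_users_by_ip = defaultdict(set)
    fails_by_user = defaultdict(int)
    fails_by_ip = defaultdict(int)
    findings = []
    for ev in parse(lines):
        if ev["result"] == "Failed":
            failed_users_by_ip[ev["ip"]].add(ev["user"])
            fails_by_user[ev["user"]] += 1
            fails_by_ip[ev["ip"]] += 1
        elif fails_by_ip[ev["ip"]] > 0:
            # A success from a source that was already failing against
            # accounts is the classic sign of a spray that hit valid creds.
            findings.append(("success_after_failures", ev["ip"], ev["user"]))
    for ip, users in failed_users_by_ip.items():
        if len(users) >= SPRAY_MIN_USERS:
            findings.append(("password_spray", ip, sorted(users)))
    for user, n in fails_by_user.items():
        if n >= BRUTE_MIN_FAILS:
            findings.append(("brute_force", user, n))
    return findings


def _line(ts, pid, result, method, user, ip, port, invalid=False):
    """Build one constructed sshd log line in the usual syslog layout."""
    who = f"invalid user {user}" if invalid else user
    return f"Apr  8 {ts} vpn-gw sshd[{pid}]: {result} {method} for {who} from {ip} port {port} ssh2"


# Constructed sample log: a spray from 203.0.113.45 that eventually lands on
# 'bob', a brute-force run against 'alice' from 192.0.2.9, and a normal
# key-based login from 198.51.100.7.
SAMPLE_LOG = [
    _line("09:12:01", 2231, "Failed", "password", "admin", "203.0.113.45", 51234, invalid=True),
    _line("09:12:03", 2232, "Failed", "password", "alice", "203.0.113.45", 51240),
    _line("09:12:05", 2233, "Failed", "password", "bob", "203.0.113.45", 51244),
    _line("09:12:07", 2234, "Failed", "password", "carol", "203.0.113.45", 51250),
    _line("09:12:09", 2235, "Accepted", "password", "bob", "203.0.113.45", 51260),
    *[_line(f"09:20:{i:02d}", 2300 + i, "Failed", "password", "alice", "192.0.2.9", 40000 + i)
      for i in range(6)],
    _line("09:30:00", 2400, "Accepted", "publickey", "dave", "198.51.100.7", 38000),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The third pattern is the one worth paging on: a spray that produces a success means a password policy has already failed for that account, and the session should be treated as compromised until the second factor or the user confirms it.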
Control in a time of uncertainty
The common theme with these attacks appears to be malicious actors preying on people's desire for control in a time of great uncertainty. In the face of COVID-19, people want reliable news, the promise of a cure, better testing and financial security.
Tatyana Sidorina, lead web content analyst at Kaspersky Lab, said her team has seen coronavirus phishing lures using the promise of fake tests or coronavirus treatments and compensation for those affected by the pandemic. "We also see cybercriminals creating fake charity foundations, where compassionate users may make a donation," Sidorina said.
Most phishing threats have been peddling disinformation by promising help with stimulus checks, according to Brian Reed, senior director and analyst at Gartner.
"Updates to patient health information, bank routing numbers and account information, as well as general personal data updates, should all be viewed with additional scrutiny," Reed advised. "General guidance is to update your information directly with your bank or insurance company." Users, he added, should never click or follow a link through email to input sensitive data.
Continuing to educate employees about phishing threats remains Golden's top suggestion for warding off phishing attacks, but better email filtering is a viable complement as well, because the underlying phishing techniques change little from one lure to the next.
"Surges in COVID-19- and remote work-related domain registrations likely indicate plans to pursue credential phishing or attempts to host and distribute malware," Golden said. "Given the operational awareness of these familiar approaches, perhaps it will be easier for some organizations to identify threat behavior and be more vigilant in protecting their more critical assets."