US Cyber Security Agency Warns of New COVID-19 Threats

On April 8 US Cybersecurity and infrastructure Security Agency (CISA) and UK National Cyber Security Center (NCSC) released a joint special advisory on new threats emerging as a result of COVID-19. Cybercriminals and Advanced Persistent Threat (APT) groups are using the pandemic for financial gain, specifically by deploying:

  • Phishing, using COVID-19 as the compelling reason for the email and immediate action
  • Registration of domain names related to COVID-19 that attract unsuspecting traffic
  • Attacks against remote access workers; these are more successful due to the hurried deployment of these distributed network infrastructures
  • Malware and ransomware distribution, as always

To prevent these new attack trajectories from compromising your organization we will outline the most important takeaways from the report, so that employees can take right-sized precautionary measures.

We will focus on various forms of phishing attacks in this article but also point you to additional resources for help with protecting remote workers.

Protecting against COVID-19 Cyber Attacks

Phishing, nefarious domain names, and remote-access attacks are not new. The last of these has only become more common because many organizations have been forced to deploy distributed work environments without proper planning. This has left many organizations “out in the open.”

Based on the latest notifications and Platte River Network’s own professional expertise we have outlined these extra precautions for work-from-home workers. Just a few extra safeguards can significantly reduce your network risk.

In addition, everyone operating a workstation within your endpoint security solution should be aware of the latest scams and ploys.

COVID-19 Domain Names: Watch where you click, no matter where

At this point most employees know about email phishing scams. The trick is to recognize a scam when it comes from a “trusted” source.

APT groups are always developing new ways to exploit trust, but in the midst of an unprecedented situation like the one in which we find ourselves, the opportunities magnify. No one knows what to expect in the form of communication from authorities. These unknowns become opportunities for social engineering attacks like phishing and domain hijacking.

Sophisticated attacks will use multiple touchpoints across email, but also SMS communications, false websites, and voice calling. UK NCSC reported one such attack launched from SMS:

Close inspection quickly reveals the falsification of this web address, as the real domain name is webredirect.org, not uk-covid-19. But you can see how someone who is unaware of SMS fraud and who does not know how to parse domain names might easily take this clickbait.

Clicking on the link led unsuspecting victims to the following website, designed to look like a gov.uk landing page.

Again, close inspection of the page would reveal significant differences from the real site. But many people are tricked by the professional level of detail, down to the “Tell us what you think of gov.uk.” Here is the official www.gov.uk site for comparison:

Most of these attack trajectories are imperfect, but they do not need to be. When delivered across a large group of people, odds stack up in their favor. US and UK Security agencies are currently tracking more than 2,500 suspicious domains that could potentially be used as part of a phishing ploy. Likely there are many more untracked sites as well.

If a business is the ultimate target, all it takes is one compromised account to begin the breach.

We always recommend that our clients keep their workforces refreshed with general practices, knowledge, and emotional habits that harden them against phishing attacks, no matter where they are. Some of these include:

  • Emotional awareness: If a message makes you feel a strong emotion, a sense of urgency, a feeling like time is running out, or instills a sense of panic, then make a habit of taking a step away and asking a real person for a second opinion
  • Double Triple-check authority: If a message claims to be sent from an authority, take extra care to check the message against previous communications. Don’t follow links in the initial message before you type in the institution’s real domain address and corroborate the message.
  • Requests for information: Be extra wary any time you are entering personal information or passwords. Make sure the domain address is an exact match.
  • Know how the authorities will contact you in case of an emergency: Many authorized agencies and institutions outline their communications protocol so that you will be able to recognize official messages easily.
  • Businesses can also help by publishing communications updates on their homepage, so that customers can know what to expect from them.

For hackers and APTs the game is to induce strong emotions and entice people outside their comfort zone. We can all thwart these attempts to steal information and incite panic by cultivating positive habits of defining trusted space, keeping contact with trusted persons and entities, and remaining vigilant about any changes in protocol or boundaries.

For more information about how to prepare your business against the latest Covid-19 tactics, email david@platteriver.com. We are happy to help your organization stay safe during these unprecedented times.