Introduction - Cybercrime on the rise
In the wake of the COVID-19 pandemic, cybercrime is on the rise. Over the past few months we have seen a steady increase in a wide variety of cyber-attacks. Cybercriminals have shifted their focus from individuals and small businesses to enterprises, government organizations, and the healthcare sector. On average, IT companies face over 1,000 attacks per day. Criminals are also adopting newer and more sophisticated methods at an alarming pace, turning the social and economic instability created by COVID-19 to their advantage. A recent INTERPOL report anticipates a further rise in cybercrime in the near future. Among the various types of attack, spear-phishing campaigns and scams remain the most common: over 50% of the attacks observed fall into the spear-phishing category.
In this blog post we have listed a few of the COVID-19 themed cyber threats recently reported in newspapers and on cybersecurity websites. We urge readers to take note of, and apply, the guidelines in the 'Prevention is better than cure' section at home and at work, so that they do not fall victim to these attacks.
COVID-19 themed cyberattacks
1. Spear Phishing - RAT, Trickbot, Microsoft
RAT here stands for Remote Access Tool: legitimate remote-administration software used for troubleshooting and tech support. (The same acronym is more often read as Remote Access Trojan, and once such a tool has been installed silently by a phishing lure the distinction no longer matters.) During the coronavirus pandemic, attackers have been using macro-enabled Excel documents to trick victims into installing a RAT.
According to the researchers, the campaign started on May 12 and had by then used several hundred distinct malicious Excel attachments. These files contain heavily obfuscated formulas and all connect to the same URL to download the payload. Researchers have noticed a steady pattern of Excel 4.0 (XLM) macros being used in COVID-19 themed malware campaigns.
The emails claim to offer an update on the pandemic and lure the victim into opening the macro-enabled Excel workbook. On opening, Excel shows its macro security warning while the sheet displays a graph of coronavirus cases in the victim's state. If the user clicks through the warning and enables the content, the macro downloads the RAT and executes it.
In a similar COVID-19 themed spear-phishing campaign, emails offering a free COVID-19 test instead delivered the Trickbot trojan. Here too the attachment was a macro-enabled Excel file, with malicious VBScript hidden in an NTFS Alternate Data Stream (ADS), where a normal directory listing or a casual look at the file would not reveal it. The VBScript downloaded Trickbot from a remote server onto the compromised machine.
In summary, although remote-access tools and Excel are legitimate, attackers abuse them to gain access to, and run commands on, compromised machines. They exploit the current situation to lure unwary victims into opening malicious attachments.
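The file-level indicators described above (a VBA project, Excel 4.0 macro sheets, and an Auto_Open name that makes the macro fire as soon as the workbook opens) can be checked by a mail gateway or an analyst before anyone opens the attachment. The following is an added example, not code from the original post or from the researchers it cites. It inspects the zip container of an Office Open XML workbook (.xlsx/.xlsm/.xlsb) and builds a constructed sample workbook to run against; legacy binary .xls files use a different (OLE2) container and are out of scope here.

```python
"""Triage an Office Open XML workbook for macro indicators.

Added example, not code from the original post. It inspects the zip container
of an OOXML workbook for three things the campaigns above rely on:
  - xl/vbaProject.bin             -> VBA macros present
  - xl/macrosheets/*.xml          -> Excel 4.0 (XLM) macro sheets present
  - _xlnm.Auto_Open defined name  -> macro runs as soon as the file is opened
Legacy .xls (OLE2) files are a different container and are not handled here.
"""
import io
import re
import zipfile

VBA_PART = "xl/vbaProject.bin"
MACROSHEET_RE = re.compile(r"^xl/macrosheets/.+\.xml$")
AUTO_OPEN_RE = re.compile(r'<definedName[^>]*name="_xlnm\.Auto_Open"')


def triage_workbook(data: bytes) -> dict:
    """Return which macro indicators are present in the workbook bytes."""
    findings = {"is_zip": True, "vba_project": False, "xlm_macrosheets": [], "auto_open": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        findings["is_zip"] = False          # legacy .xls, or not a workbook at all
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["vba_project"] = VBA_PART in names
        findings["xlm_macrosheets"] = [n for n in names if MACROSHEET_RE.match(n)]
        if "xl/workbook.xml" in names:
            workbook_xml = zf.read("xl/workbook.xml").decode("utf-8", errors="replace")
            findings["auto_open"] = bool(AUTO_OPEN_RE.search(workbook_xml))
    return findings


def verdict(findings: dict) -> str:
    """Condense the findings into a one-word triage verdict."""
    if not findings["is_zip"]:
        return "not-ooxml"
    if findings["xlm_macrosheets"] or findings["vba_project"]:
        return "macro-bearing" + (" (auto-runs on open)" if findings["auto_open"] else "")
    return "no-macro-indicators"


def build_sample(with_xlm: bool, auto_open: bool) -> bytes:
    """Constructed minimal workbook container for demonstration (not a real lure)."""
    workbook_xml = '<workbook><sheets><sheet name="Cases" sheetId="1"/></sheets>'
    if auto_open:
        workbook_xml += ('<definedNames><definedName name="_xlnm.Auto_Open">'
                         'Macro1!$A$1</definedName></definedNames>')
    workbook_xml += "</workbook>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("clean", build_sample(False, False)),
                        ("xlm+auto_open", build_sample(True, True))]:
        print(label, "->", verdict(triage_workbook(blob)))
```

To check a real attachment, call `triage_workbook(open(path, "rb").read())`. Note that the alternate data streams used in the Trickbot campaign are not visible to this check or in Explorer; on Windows they are listed with PowerShell's `Get-Item <file> -Stream *`.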
2. Spear Phishing - beware of crooks in kin's clothing
This is another case of crooks exploiting the pandemic. Here the victims are Indians currently living abroad, and their families back home. The crooks steal the identities of Indians staying abroad and then contact their family members, asking for money on the pretext of an emergency.
The crooks use WhatsApp to contact the family members, and use the ID holder's full name and photograph to gain their trust. After a few casual messages, they persuade the victim to transfer funds to a bank account for some urgent need, promising to return the money by the next morning. The transfers have been made through UPI-based apps.
3. Money Heist
Another article reports a surge in cyber incidents owing to the pandemic: according to researchers, cyberattacks rose by 238% between February and the end of April. These are mostly ransomware campaigns targeting financial and healthcare organizations.
According to a survey, about 80% of organizations experienced a cyberattack in the last 12 months, with about 27% of those attacks aimed at the financial and healthcare sectors. The attackers' aim is not only information theft but also significant damage to the network. The most common malware families identified were Emotet, Obfuse, CoinMiner, Tiggre, and Kryptic.
A report states that the attackers continually refine their tactics, so the attacks grow more sophisticated over time. The attackers develop a good understanding of a target organization's internal workings, reportedly by scanning its software and remote-working tools for vulnerabilities.
Even though the financial sector is generally well protected, it faces a high volume of attacks. It is therefore advised to stay in regular contact with law enforcement so that incidents can be responded to quickly.
4. Ransomware attacks targeting the pharma and healthcare sectors amid COVID-19
In March, attackers targeted Hammersmith Medicines Research. The company managed to contain the incident and did not pay a ransom. Around the same time, however, the Pennsylvania-based company ExecuPharm was hit by ransomware and employee credentials were compromised. Healthcare organizations remain attractive targets because the life-and-death urgency of their work makes them more likely to pay. This is how ruthless cybercriminals can be, extorting money at the expense of helpless patients.
The attackers begin by gaining access to the organization's network, for example by exploiting vulnerabilities in IoT-based equipment. They then exfiltrate data from the compromised network, and finally, when the time is ripe, they deploy the ransomware. They have also mounted social engineering attacks by spoofing emails from WHO addresses.
Tracking ransomware attacks has always been challenging. The attackers cannot be identified simply from the tools or the ransomware family used: different groups employ different strategies against different targets, some copy from others, and they switch between infrastructures during an attack. All of this makes attribution very difficult.
In this connection, organizations are advised to strengthen their monitoring of threats and vulnerabilities. Other recommendations are as follows,
a. Change passwords regularly
b. Identify and patch vulnerabilities
c. Improve system monitoring capabilities
5. Fake vaccines for sale on the dark web
Researchers from Australia have spotted fraudsters selling fake COVID-19 vaccines on the dark web; some listings claimed the 'vaccines' were made from the blood of recovered COVID-19 patients. Researchers from the Australian National University's Cybercrime Observatory searched the dark web for coronavirus-related medical supplies and, to their astonishment, found 645 listings of 222 items from 110 vendors across 12 sites, with a combined value of about $369,000.
While doctors and scientists around the world are busy developing vaccines for COVID-19, these sites falsely claim to already have genuine vaccines. About 6% of the 645 listings claim to be effective against the coronavirus. Some of the product listings read as follows,
COVID-19 cure vaccine. Keep quiet on this
COVID-19 antidote is here from China
A victim who falls for these products can lose as much as AU$575. One of the 'vaccines' was listed as originating from China, where the outbreak began. The researchers' main concerns are as follows,
a. These fake products may cause the virus to spread further, as people may falsely believe they are immune
b. These fake medicines may interfere with actual clinical procedures and tests
The researchers were pleased to find one dark web market that has banned COVID-19 listings on ethical grounds.
6. Opting for EMI moratorium?
Owing to the coronavirus and the lockdown, many people across the country are in financial difficulty. The government and the RBI have announced various relief measures, one of which is a three-month moratorium on EMIs and credit card dues.
This was a relief to borrowers, but it also caught the attention of fraudsters, who call customers claiming that an OTP is needed to avail the moratorium. Once they have the OTP, they drain the account immediately.
To raise awareness, banks have issued safety guidelines for their customers. They are as follows,
a. Do not share an OTP to avail EMI deferment; EMI deferment does not require an OTP
b. Disable auto-save and auto-complete features in net banking and mobile banking applications
c. Do not respond to phishing texts or emails
d. Beware of 'verification' calls
e. Check your account regularly
7. Exploiting COVID-19 situation at Enterprises
Due to the COVID-19 outbreak, many companies have had to let employees work from home to keep business running as usual. Cybercriminals across the globe have taken advantage of this shift and devised a variety of attacks to gain access to corporate networks. For instance, they offer fake maps of infected users; downloading such a map to an end-user's machine then becomes a security concern.
A large number of network attacks and vulnerability exploitation attempts have been observed lately, and the use of automated scanners such as Nmap, Acunetix and masscan is common. Phishing emails themed around COVID-19, the lockdown, WFH, and related products and solutions have spiked drastically. According to Pankit Desai, co-founder and CEO of Sequretek, about 30 percent of the attacks involve credential harvesting using malware such as SpyMax and Blackwater in combination with phishing emails.
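Scanners such as Nmap and masscan show up in perimeter logs as a single source touching many ports or hosts within a short time, which is what a detection rule for the scanning activity described above should key on. The following detection logic is an added example, not code from the original post or from Sequretek; the key=value firewall log format, the 60-second window and the 15-target threshold are assumptions, and the log lines it runs over are constructed.

```python
"""Flag port-scan behaviour in firewall logs.

Added example, not from the original post. The log format, window and
threshold below are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed key=value firewall log format, one event per line
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(lines, window_seconds: int = 60, min_targets: int = 15) -> dict:
    """Return {src: most distinct (dst, dport) pairs seen in any sliding window}
    for every source that touched at least min_targets targets within the window."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]].append((rec["ts"], (rec["dst"], rec["dport"])))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the oldest event is within the window
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {target for _, target in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445,
              993, 995, 1723, 3306, 3389, 5900, 8080, 8443, 8888, 9200]


def constructed_sample() -> list:
    """Constructed log lines: one nmap/masscan-style sweep and one ordinary client."""
    base = datetime(2020, 5, 12, 10, 0, 0)
    lines = []
    for i, port in enumerate(SCAN_PORTS):
        t = base + timedelta(seconds=i // 3)          # roughly three probes per second
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=203.0.113.7 dst=198.51.100.10 "
                     f"dport={port} proto=tcp action=deny")
    for i in range(4):                                 # a few retries to one service
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=192.0.2.5 dst=198.51.100.10 "
                     f"dport=443 proto=tcp action=allow")
    return lines


if __name__ == "__main__":
    for src, count in find_scanners(constructed_sample()).items():
        print(f"possible scan from {src}: {count} distinct targets within 60s")
```

The rule counts distinct (host, port) pairs rather than raw packets, so a client retrying one service is not flagged while a sweep of many ports on one host, or one port across many hosts, is. Tune the threshold against your own baseline; a monitoring host that legitimately polls many services will need an exclusion.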
Situations that cause panic are tempting opportunities for attackers. Companies have therefore laid down guidelines to ensure security readiness while working from home. Some of them are as below,
a. Enable multi-factor authentication for employees who log in from home
b. Know who has access to what information; segment users and their access accordingly
c. Use a VPN or a software-defined perimeter (SDP); the infrastructure must be robust enough to handle large volumes of remote traffic
Statistics
According to a recent (August 2020) INTERPOL report, the distribution of the various cyber threats is as depicted in the following graph,
Figure 1. Distribution of cyberthreats as identified by INTERPOL
The date-wise distribution of the various cyber threats reported by WebARX, a web security company, is as follows,
Table 1. Date wise distribution of various cyber threats as reported by WebARX.
View the complete table on their website (link provided under the References section)
Prevention is better than cure
As students of cybersecurity, we consider it our duty to spread awareness among our friends, relatives, and colleagues about the cyber threats surrounding COVID-19. It is always easier to stop something from happening in the first place than to repair the damage afterwards. With that in mind, we have listed a few practices that can be adopted in daily use. They are as follows,
1. Update your PC and phone software regularly
2. Protect your PC with good anti-virus software. It generally costs some money, but it is worth the investment
3. Buy online goods and services from authorized sources such as Amazon and Flipkart, and beware of fake websites: pay close attention to the site's URL
4. Remember: offers that look unbelievable are indeed unbelievable
5. Back up your important data regularly
6. Do not share sensitive information over the phone
7. Do not respond to unfamiliar emails, and do not download attachments or click links in them
8. Close all other browser tabs while using net banking
9. Do not accept or respond to friend requests from strangers on social media platforms
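Item 3 above tells readers to look at the URL. The following checker is an added example, not code from the original post; it shows the tricks a lookalike link relies on (the brand name placed in a subdomain of some other domain, credentials before the @ so the real host comes later, and punycode hosts built from confusable letters) and flags each of them. The trusted-shop list, the two-level suffix table and the confusables map are small assumed tables, not the real public suffix list or the Unicode confusables data, and the sample URLs are constructed.

```python
"""Classify a link by the tricks phishing URLs use to imitate a trusted shop.

Added example, not from the original post. The tables below are small
assumptions standing in for the public suffix list and the Unicode
confusables data.
"""
from urllib.parse import urlsplit

TRUSTED = {"amazon.in", "amazon.com", "flipkart.com"}     # assumed allow-list
BRAND_WORDS = ("amazon", "flipkart")
TWO_LEVEL_SUFFIXES = {"co.in", "co.uk", "com.au"}         # assumption, not the PSL
# Assumption: a few Cyrillic letters that render like Latin ones
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0443": "y"})


def registered_domain(host: str) -> str:
    """Return the registrable part of a host, e.g. login.amazon.in -> amazon.in."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str):
    """Return (verdict, reasons); verdict is 'trusted', 'suspicious' or 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    try:
        shown = host.encode("ascii").decode("idna")   # what the address bar would display
    except UnicodeError:
        shown = host
    reasons = []
    if parts.username is not None:
        reasons.append("credentials-in-url")          # https://amazon.in@attacker-host/ trick
    if shown != host:
        reasons.append("punycode-host")
    if parts.scheme != "https":
        reasons.append("not-https")
    reg = registered_domain(shown)
    if reg not in TRUSTED:
        skeleton = reg.translate(CONFUSABLES)         # fold lookalike letters to Latin
        if skeleton in TRUSTED:
            reasons.append(f"lookalike-of:{skeleton}")
        for word in BRAND_WORDS:
            if word in shown.translate(CONFUSABLES):
                reasons.append(f"brand-outside-registered-domain:{word}")
    if reasons:
        return "suspicious", reasons
    return ("trusted" if reg in TRUSTED else "unknown"), reasons


def constructed_samples() -> list:
    """Constructed URLs: one genuine, three imitations."""
    lookalike_host = "flipk\u0430rt.com".encode("idna").decode("ascii")  # Cyrillic 'a'
    return [
        "https://www.amazon.in/dp/B0EXAMPLE",
        "http://amazon.in.covid-offer.example/claim",
        "https://amazon.in@203.0.113.9/login",
        f"https://{lookalike_host}/",
    ]


if __name__ == "__main__":
    for url in constructed_samples():
        print(url, "->", classify_url(url))
```

The check that matters most is the registered domain: everything to the left of it in the host is under the attacker's control, so "amazon.in" appearing anywhere other than as the registered domain means nothing. A URL that the checker labels "unknown" is simply not on the allow-list, which is the normal case for most of the web.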
Many other points, such as choosing and changing passwords, are largely taken care of by application developers nowadays. Although the points mentioned above are quite reasonable to adopt from a security standpoint, people who are not so well versed in technology may not find it easy to incorporate some of them. For instance, my father is a 67-year-old retired Govt. official. Ever since his retirement, he has been using WhatsApp, Facebook, YouTube, etc. quite extensively. He also keeps himself updated on the news about cyber threats by reading newspapers. Nonetheless, he often finds it difficult to differentiate good links from malicious ones, and as such, he often consults me whenever he has to perform online transactions. Recently, he worked out a plan for himself. He got himself another bank account opened, just for transactions. He now maintains two bank accounts, one for depositing and the other for spending. The account that he uses to spend will always have a minimum balance. Whenever he would like to make a payment, he first transfers the required amount from his deposit account to the transaction account. With this approach, even in the worst case, he may end up losing some money rather than all of it. Not a bad idea after all! The substance here is that preventive measures need not always be technical. We can always have a reasonable workaround, depending upon an individual's familiarity with current technology.
References
· Threatpost.com
· India times
· Cyware.com
· Cyware.com
· Infosec4tc.com
· India times
· India times
· Interpol.int
· Webarxsecurity.com
By
Prof. Sunitha R
Pradeep K C,
Ami Mehta