ALERT: COVID-19 / Coronavirus-Related Ransomware and Phishing Attacks
As with other events that attract societal attention – whether it be an international sporting event like the Olympics or a natural disaster like the Australian bush fires – criminals often utilize the events to exploit consumers’ fears and, in turn, compromise the cybersecurity of businesses nationwide. With the advent of the Coronavirus, criminals have begun to take advantage of what consumers expect to receive via email to conduct phishing attacks. Criminals are also expected to take advantage of millions of vulnerable remote connections from employee home networks to their corporate networks.
According to Proofpoint Inc., a cybersecurity firm, the use of sophisticated Coronavirus-related “phishing” strategies has been on the rise since January, with new malicious email campaigns surfacing each day. These emails, which appear to come from legitimate organizations, contain content such as advice on combatting the Coronavirus, phony invoices for purchases of face masks and medical supplies, advertisements for products that allegedly treat the illness, and phony alerts from the World Health Organization (WHO) or Centers for Disease Control and Prevention (CDC). When the email recipients open these messages, they unknowingly release malware, which allows the attacker to gain access to their personal information and to compromise the security of their employers’ networks.
The recent emergence of Coronavirus-related “phishing” schemes demonstrates that businesses must remain vigilant. Employees and their employers are particularly vulnerable now, in light of the novel nature of the Coronavirus, the paucity of information concerning the illness, and the rapid and significant manner in which it is spreading. Individuals are thirsty for information and advice, and are eager to take any action necessary to protect themselves and their families.
Phishing attacks pose serious risks to the security of computer networks. As we have noted before, malicious attackers often target email accounts as a means to gain user credentials for access to a computer network. Compromised email accounts often serve as an attack vector to a much larger computer network compromise. Email account compromises also pose serious risks to sensitive information contained in the email accounts. An email account can be a treasure trove of sensitive data that a criminal can use for malicious purposes.
The following are examples of phishing attacks currently being used by criminals to cause email users to open a message and click on an attachment or a link. The criminals are attempting to take advantage of the urgency of the Coronavirus pandemic by using subject lines that suggest a high level of importance and bait the recipient. The following are the subject lines of several known phishing attacks:
- “Corona Virus Latest Updates;”
- “Cancel shipment due to corona virus;”
- “Corona Virus Map;”
- “Employee Notice Regarding Coronavirus;” and
- “Required Coronavirus Alert.”
The email messages contain either a malicious attachment or a link to a malicious website – both of which appear to be legitimate. Clicking on the attachment or the link may cause malicious software (malware) to be downloaded onto the device used to open the email message. The malicious attachments include .exe, .xlsm, and .docx formats. The malicious website may also direct the employee to log in to continue. The login process will result in the theft of user credentials – the user name and password. One phishing campaign uses a website pretending to display the Johns Hopkins University live map of reported COVID-19 cases to infect visitors to the site with the information-stealing Trojan AZORult.
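As an added illustration (not part of the original alert), the following Python triage routine applies the indicators described above to constructed message metadata: coronavirus-themed and urgency-laden subject lines, the .exe, .xlsm and .docx attachment types, and links to outside sites. It also prepends an [EXTERNAL] tag to messages from outside the organization, which is the external message flagging recommended later in this alert. The mail domain example.com, the sample messages and the two-indicator quarantine threshold are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Subject themes taken from the lure subject lines quoted in the alert
LURE_PATTERN = re.compile(r"corona\s*virus|covid", re.IGNORECASE)
URGENCY_PATTERN = re.compile(r"\b(required|notice|alert|cancel|latest)\b", re.IGNORECASE)
# Attachment formats the alert names as malware carriers
RISKY_EXTENSIONS = {".exe", ".xlsm", ".docx"}
# The organization's own mail domain (assumption for this example)
INTERNAL_DOMAIN = "example.com"


@dataclass
class Message:
    sender: str
    subject: str
    attachments: list = field(default_factory=list)
    links: list = field(default_factory=list)


def is_internal_host(host):
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def is_external(msg):
    """True when the sender's domain is not the organization's own domain."""
    return not is_internal_host(msg.sender.rsplit("@", 1)[-1].lower())


def flag_subject(msg):
    """External message flagging: tag the subject so the reader sees the origin."""
    return f"[EXTERNAL] {msg.subject}" if is_external(msg) else msg.subject


def triage(msg):
    """Return (verdict, reasons). Verdicts: 'quarantine', 'review', 'deliver'."""
    reasons = []
    if LURE_PATTERN.search(msg.subject):
        reasons.append("coronavirus-themed subject")
    if URGENCY_PATTERN.search(msg.subject):
        reasons.append("urgency wording in subject")
    for name in msg.attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type {ext}")
    for url in msg.links:
        host = (urlparse(url).hostname or "").lower()
        if not is_internal_host(host):
            reasons.append(f"link to external site {host}")
    # Two or more indicators on an external message is enough to hold it (threshold is an assumption)
    if is_external(msg) and len(reasons) >= 2:
        return "quarantine", reasons
    if reasons:
        return "review", reasons
    return "deliver", reasons


# Constructed sample messages modelled on the lures described in the alert
SAMPLES = [
    Message("updates@cdc-alerts.example.net", "Required Coronavirus Alert",
            attachments=["Coronavirus_Notice.xlsm"],
            links=["http://covid19-map.example.net/login"]),
    Message("hr@example.com", "Employee Notice Regarding Coronavirus"),
    Message("billing@supplier.example.org", "Invoice 4412", attachments=["invoice.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        verdict, reasons = triage(m)
        print(f"{flag_subject(m)!r}: {verdict} {reasons}")
```

The internal notice about the Coronavirus is held for review rather than quarantined because it originates inside the organization; a lure of the same wording from an outside domain with an attachment or link is quarantined.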
Sample fraudulent messages and sites (images not reproduced here; courtesy of the Defense Counterintelligence and Security Agency).
As companies prepare for the potential implications that the Coronavirus outbreak will have upon their businesses and employees, they should include in their plans strategies for educating their employees on how to prevent Coronavirus-specific phishing attacks. The Federal Trade Commission (FTC) has issued the following tips to protect against Coronavirus-related cyberattacks:
- Be on the lookout for emails claiming to come from the CDC or WHO.
- Never click on emails that arrive from unknown sources.
- Ignore online offers for vaccinations, pills, lotions, teas, and other products that promise to treat or cure the Coronavirus.
- Examine requests for donations carefully and do not wire money.
In addition, the following broader measures will protect against phishing attacks:
- Be aware that malicious actors will always attempt to take advantage of a situation that may provide email users an additional reason or a sense of urgency to open an email message.
- Do not click on suspicious attachments or links.
- Deploy external message flagging, so that users will always have notice that a message is from an external source. Even if the source of the message is not disguised, the external message flagging may serve as a reminder to use extra caution.
- Deploy Domain-based Message Authentication, Reporting & Conformance (DMARC) on the domain of the organization so that emails attempting to spoof the actual domain are blocked from delivery.
- Deploy multi-factor authentication. In addition to requiring a user name and a password to access an email account, multi-factor authentication requires at least one additional piece of information to access the account. This requires authorized individuals to combine something they “know,” such as a user name and password, with something they “have,” such as a unique code sent to the authorized user’s smart phone, or something they “are,” such as a fingerprint or other biometric measurement, in order to gain access to the account. The concept of multi-factor authentication is to provide a secondary level of protection that validates online accounts beyond solely a username and password. Multi-factor authentication tools help prevent malicious actors from hijacking email accounts and using them for malicious purposes.
- Deploy audit logging. Note that in some email platforms, audit logging is not enabled by default, so users must actively enable it for added security. Log retention schedules should be extended to at least 90 days, and then archived for up to 12 months, if possible.
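The DMARC recommendation above only blocks spoofed mail when the published policy actually says to reject it. As an added example (not part of the original alert), this Python checker parses a DMARC TXT record and reports the settings that leave a domain spoofable; the sample records are constructed, no DNS lookup is performed, and the findings wording is the author's own.

```python
# Policy values the DMARC p= and sp= tags may carry
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("p= tag missing or invalid")
    return tags


def is_dmarc(record):
    """True when the TXT record is a syntactically valid DMARC record."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def assess(record):
    """Return (enforcing, findings): enforcing is True only when spoofed mail is rejected outright."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp= defaults to p=
    pct = int(tags.get("pct", "100"))                   # pct= defaults to 100
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine routes spoofed mail to spam instead of blocking it")
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy} leaves subdomains spoofable")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    enforcing = policy == "reject" and subdomain_policy == "reject" and pct == 100
    return enforcing, findings


# Constructed records: a monitoring-only deployment, a partial rollout, and a blocking policy
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL = "v=DMARC1; p=reject; pct=50"
ENFORCING = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for name, rec in [("WEAK", WEAK), ("PARTIAL", PARTIAL), ("ENFORCING", ENFORCING)]:
        print(name, assess(rec))
```

A record at p=none is the usual first step of a rollout because it generates reports without affecting delivery; the alert's goal of blocking spoofed messages is met only once the record reaches p=reject, with sp= and pct= not weakening it.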
In responding to an email account compromise, the following should be done:
- Immediately disable any unauthorized connection.
- Immediately change the user password and increase its length to at least 12 characters; a longer password, assuming some complexity, is more difficult to compromise.
- Immediately deploy multi-factor authentication.
- Preserve evidence in the compromised account for forensics analysis.
As mentioned above, criminals are also expected to take advantage of millions of vulnerable remote connections from employee home networks to their corporate networks. If remote access to a network is necessary, remote users should always use multi-factor authentication. Without this protection, malicious actors can abuse the Remote Desktop Protocol (RDP), which allows users to log in to a computer remotely and, through it, to a network. RDP is often used to allow system administrators to manage servers and workstations in remote locations. In the midst of the Coronavirus, it allows employees to log in remotely to their networks. Unfortunately, malicious actors often use “brute force” password attacks against RDP logins to gain unauthorized access to networks. Unless remote users have deployed multi-factor authentication, every use of RDP poses a substantial risk that the remote network may be compromised.
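The password-guessing described above is visible in the logs that the audit-logging recommendation earlier in this alert makes available. As an added example (not part of the original alert), this Python detector counts failed RDP logons per source address within a sliding time window and escalates when the same source then succeeds, which is the case that calls for the "disable the unauthorized connection" response step. Event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the Windows Security log values; the comma-separated export format, the addresses and the accounts are constructed for the example, and the five-failures-in-ten-minutes threshold is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: timestamp,event_id,logon_type,account,source_ip
SAMPLE_LOG = """\
2020-03-16T08:00:01,4625,10,administrator,203.0.113.7
2020-03-16T08:00:09,4625,10,admin,203.0.113.7
2020-03-16T08:00:17,4625,10,jsmith,203.0.113.7
2020-03-16T08:00:26,4625,10,administrator,203.0.113.7
2020-03-16T08:00:34,4625,10,helpdesk,203.0.113.7
2020-03-16T08:00:41,4625,10,jsmith,203.0.113.7
2020-03-16T08:00:52,4624,10,jsmith,203.0.113.7
2020-03-16T08:05:10,4625,10,mlee,198.51.100.3
2020-03-16T08:07:44,4625,10,mlee,198.51.100.3
2020-03-16T08:07:58,4624,10,mlee,198.51.100.3
2020-03-16T08:10:00,4624,2,mlee,10.0.0.5
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Turn the exported lines into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, ip = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account, "ip": ip})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for sources with >= threshold RDP failures inside any window."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                      # only remote-interactive (RDP) logons are of interest here
        if e["event_id"] == FAILED_LOGON:
            failures[e["ip"]].append(e)
        elif e["event_id"] == SUCCESSFUL_LOGON:
            successes[e["ip"]].append(e)

    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        # Sliding window: largest number of failures whose first and last fall within `window`
        start, best = 0, 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        # A success from the same source after the guessing began suggests a credential was found
        succeeded = any(s["time"] > fails[0]["time"] for s in successes.get(ip, []))
        alerts[ip] = {
            "failures_in_window": best,
            "accounts": sorted({e["account"] for e in fails}),
            "succeeded_after": succeeded,
            "severity": "critical" if succeeded else "high",
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, alert)
```

In the sample, 203.0.113.7 fails six times against four accounts in under a minute and then succeeds, so it is reported as critical; 198.51.100.3 shows two failures before a success, which is ordinary user behaviour and stays below the threshold. With the 90-day retention the alert recommends, the same routine can be run over the whole window to find earlier guessing that preceded a compromise.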
Don’t let the Coronavirus cause your network to become infected. Educate your employees and deploy multi-factor authentication!