Phishing expeditions change their bait, but go after the same catch.

News for the cybersecurity community during the COVID-19 emergency: Thursday, April 23rd, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.

Government phishing.

Google's Threat Analysis Group (TAG) has a report on how nation-states are using COVID-19 as phishbait. TAG says it's tracked "over a dozen" government threat groups phishing with coronavirus lures. The goal of the attacks has been either delivery of malware packages or credential harvesting. Many of the targets were US Government employees. These were often baited with bogus offers of free fast food, presented as a generous gesture from various hospitality chains. These attempts were on the whole indiscriminate mass-mailed spam (interesting in part because of what they suggest about hostile intelligence services' views of what interests and motivates American civil servants—burgers and fries, mostly).

TAG doesn't offer any attribution of these phishing expeditions, but they do identify two threat groups by name, both of which are prospecting international health organizations, including WHO, the UN's World Health Organization. These are Charming Kitten, associated with Iran, and Packrat, a South American group whose sponsorship is less clear. Charming Kitten has been sending emails that spoof WHO as the sender; Packrat has been running bogus WHO pages.
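As an added illustration of the header-level triage a mail defender applies to sender-spoofing lures like the WHO-themed ones described above (example code added for this brief, not from Google TAG, WHO or The CyberWire): the function compares the visible From: domain with the envelope sender in Return-Path and with the SPF, DKIM and DMARC verdicts a receiving server records in Authentication-Results. The two sample messages, the mx.example receiving host and the example.com / mail-relay.example domains are constructed for the demonstration; only who.int is taken from the text.

```python
"""Flag messages whose visible sender domain (From:) is not backed by the
envelope sender or by a passing authentication verdict.

Added example, not code from the brief's sources. The sample messages
below are constructed; example.com and mail-relay.example are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: display name and From: claim who.int, but the envelope
# sender is a relay domain and the receiving server recorded failing verdicts.
SPOOFED = """From: "World Health Organization" <alerts@who.int>
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mail-relay.example; dkim=none; dmarc=fail header.from=who.int
Subject: COVID-19 safety measures
Content-Type: text/plain

Please open the attached document.
"""

# Constructed sample: an internal notice whose From:, envelope sender and
# authentication results all agree.
LEGIT = """From: "Example Corp IT" <it@example.com>
Return-Path: <it@example.com>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Telework VPN maintenance window
Content-Type: text/plain

The VPN will be unavailable Saturday 02:00-04:00.
"""


def _domain(addr):
    """Return the lower-cased domain of an address like 'Name <user@host>'."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def check_sender(raw_message):
    """Parse one RFC 5322 message and return the From domain, the Return-Path
    domain, the spf/dkim/dmarc verdicts found, and the reasons (if any) the
    message deserves a closer look."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    auth = msg.get("Authentication-Results", "")
    # Pull "spf=pass", "dkim=fail", "dmarc=none" etc. out of the header.
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth.lower()))

    reasons = []
    if envelope_domain and envelope_domain != from_domain:
        reasons.append(
            f"Return-Path domain {envelope_domain} does not match From domain {from_domain}"
        )
    if verdicts.get("dmarc") and verdicts["dmarc"] != "pass":
        reasons.append(f"DMARC result is {verdicts['dmarc']}")
    if verdicts.get("spf") != "pass" and verdicts.get("dkim") != "pass":
        reasons.append("neither SPF nor DKIM passed for the message")

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "verdicts": verdicts,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        result = check_sender(sample)
        print(label, "->", "suspicious" if result["suspicious"] else "clean")
        for reason in result["reasons"]:
            print("   ", reason)
```

The Return-Path mismatch on its own is common for mailing lists and bulk-mail providers, so the function reports it as one reason among several rather than a verdict; what makes the constructed spoof stand out is the combination of a mismatched envelope domain, a failing DMARC result, and no passing SPF or DKIM check for a sender claiming a well-known organization's domain.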

Google doesn't see this trend as representing an increase in the amount of state-run operations. It's a shift in tactics and choice of bait, not a significant increase in operational tempo.

Criminal phishing.

Cybercriminals are showing a similar shift in tactics. According to Fifth Domain, the FBI says it's received more than 3,600 complaints about COVID-19-themed scams. Threatpost reports a study by Forcepoint in which the security company's researchers evaluated three months of coronavirus-related cybercrime. They determined that criminals in the aggregate have reached a peak of one and a half million malicious emails a day.

Palo Alto Networks' Unit 42 has been tracking this trend, and their findings are entirely consistent with what one would expect. "The traditional malice abusing coronavirus trends includes domains hosting malware, phishing sites, fraudulent sites, malvertising, cryptomining, and black hat Search Engine Optimization (SEO) for improving search rankings of unethical websites," their report says, adding, "Interestingly, although many webshops that use newly registered domains try to scam users, we detected an especially unethical cluster of domains capitalizing on users’ fear of coronavirus to further frighten them into buying their products. Moreover, we discovered a group of coronavirus-themed domains, which now serve parked pages with high-risk JavaScript that may at any time start redirecting users to malicious content."

The specific content of the come-ons also varies with news. As emergency assistance to businesses becomes available in many countries, criminals will bait their appeals with references to such government aid. IBM's X-Force has studied the ways in which criminals are exploiting small business awareness of, and concerns about, stimulus relief packages. Two of their findings strike us as particularly noteworthy:

  • "Over half (52%) of respondents said they would engage with an email related to their stimulus relief eligibility and nearly four in ten (39%) said they would engage with an email about COVID-19 testing near them. Nearly two thirds (64%) of respondents who are recently unemployed said they would be most likely to engage with an email related to their stimulus relief eligibility; employed respondents were more likely to say they would engage with an email about COVID-19 testing near them."
  • "Over a third (37%) of small business owners said they have received unsolicited COVID-19 related emails that they suspected were malicious spam – 12% more than general respondents (25%) claimed. 57% of small business owners expect to receive official information about COVID-19 via email. In fact, 54% of SMB owners said they received information by email."

So expect familiar crime dressed up in COVID-19 garb. The Washington Post has a useful summary of the back-and-forth between criminals and enterprise defenders, with some advice about resources available to help during the current state of emergency.

Pandemic disinformation, astroturfing, and political advocacy.

There's been a surge in the registration of domains related to a movement to reopen normal activity in the United States, KrebsOnSecurity reports. Some of this is normal political organization and activity (customary or not, it's viewed with suspicion in a Washington Post article), but a great deal of it appears to be astroturf, either politically motivated or mounted as a ploy for donations. There's also the possibility that some (not all) of the activity can be ascribed to foreign actors. We'll have more on this trend in tomorrow's coverage.

Facebook and Instagram have become sensitive to the effects that posts with large audiences can have, and will begin displaying more information about where, geographically, the accounts involved are located. Menlo Park blogged yesterday, "[W]e’re going a step further to provide the location of high-reach Facebook Pages and Instagram accounts on every post they share, so people have more information to help them gauge the reliability and authenticity of the content they see in their feeds. We’re piloting this feature in the US, starting specifically with Facebook Pages and Instagram accounts that are based outside the US but reach large audiences based primarily in the US." TechCrunch observes that Facebook hasn't specified exactly what it considers "large" or "high-reach" to be.

Governments continue experiments with technical aids to contact-tracing.

Singapore, Taiwan, and South Korea have all worked out contact-tracing technologies that appear to have shown success in containing the spread of COVID-19. They've gotten some positive notice on their attention to privacy, especially insofar as privacy is conceived in terms of measures to limit the possibility of government abuse, as ZDNet reports. But the very speed with which the applications were developed raises questions about whether they might be buggy with respect to unauthorized access or unintentional data exposure.

In the US, Senator Markey (Democrat of Massachusetts) has sent Vice President Pence a letter calling for a comprehensive approach to contact-tracing. Specifically, the Senator urges the Vice President "to design and implement a comprehensive strategy for COVID-19 contact tracing in the United States." It should be "science-based," and incorporate these features:

  • "Integration with Comprehensive Public Health Strategy"
  • "Contact Tracing Workforce Surge"
  • "Voluntary Participation"
  • "Transparency"
  • "Data Minimization and Retention Limitations"
  • "Data Use Limitations"
  • "Data Security"
  • "Equity"
  • "Accountability and Recourse"

The Senator's letter explains each of these in brief detail. Some of them are old-school, like the "Contact Tracing Workforce Surge," which envisions a Federal Emergency Management Agency-led effort that would organize public health organizations, first responders, and volunteers who would provide the boots on the ground to track the infection manually. Any technology deployed would be an adjunct to such efforts: the participation of individuals would be voluntary and obtained on an opt-in basis.

Telework updates.

Zoom remains widely used even as some large organizations, especially governmental organizations, decide that it's too risky to entrust their data to the teleconferencing service. The Telegraph writes that the UK's National Health Service has asked doctors to steer clear of Zoom for their remote conferences with patients.

But Zoom has also continued to work on its security. It's pushing out version 5.0 this week, The Verge reports, and as the company promised, that update concentrates on security to the exclusion of other product enhancements. Zoom blogged yesterday that the new version would include better network security, including a phased upgrade to AES 256-bit GCM encryption (intended to be complete by May 30th), and data routing control (for users who are skittish about their data passing through Chinese hands, or at least through Chinese servers).

Users of Zoom will also see some new security features in their ordinary experience with the platform:

  • "Security icon: Zoom’s security features, which had previously been accessed throughout the meeting menus, are now grouped together and found by clicking the Security icon in the meeting menu bar on the host’s interface."
  • "Robust host controls: Hosts will be able to 'Report a User' to Zoom via the Security icon. They may also disable the ability for participants to rename themselves. For education customers, screen sharing now defaults to the host only."
  • "Waiting Room default-on: Waiting Room, an existing feature that allows a host to keep participants in individual virtual waiting rooms before they are admitted to a meeting, is now on by default for education, Basic, and single-license Pro accounts. All hosts may now also turn on the Waiting Room while their meeting is already in progress."
  • "Meeting password complexity and default-on: Meeting passwords, an existing Zoom feature, is now on by default for most customers, including all Basic, single-license Pro, and K-12 customers. For administered accounts, account admins now have the ability to define password complexity (such as length, alphanumeric, and special character requirements). Additionally, Zoom Phone admins may now adjust the length of the pin required for accessing voicemail."
  • "Cloud recording passwords: Passwords are now set by default to all those accessing cloud recordings aside from the meeting host and require a complex password. For administered accounts, account admins now have the ability to define password complexity."
  • "Secure account contact sharing: Zoom 5.0 will support a new data structure for larger organizations, allowing them to link contacts across multiple accounts so people can easily and securely search and find meetings, chat, and phone contacts."
  • "Dashboard enhancement: Admins on business, enterprise, and education plans can view how their meetings are connecting to Zoom data centers in their Zoom Dashboard. This includes any data centers connected to HTTP Tunnel servers, as well as Zoom Conference Room Connectors and gateways."
  • "Additional: Users may now opt to have their Zoom Chat notifications not show a snippet of their chat; new non-PMI meetings now have 11-digit IDs for added complexity; and during a meeting, the meeting ID and Invite option have been moved from the main Zoom interface to the Participants menu, making it harder for a user to accidentally share their meeting ID."

Corporate discounts and corporate cooperation.

HackerOne and Verizon Media are partnering in a virtual hackathon designed specifically to identify vulnerabilities in telework infrastructure and remote administration systems.

TWOSENSE.AI is offering four months' free use of its behavioral biometric continuous authentication system. It's designed to work in tandem with multifactor authentication to produce a more convenient approach to zero-trust.

And MSSPAlert has a good summary of the free or deeply discounted security tools and services the sector is offering during the state of emergency.