News for the cybersecurity community during the COVID-19 emergency: Tuesday, April 21st, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Phishing in the economic relief pond. Unaddressed bugs bite.
NCSC urges the public to report coronavirus-themed email scams.
The UK's National Cyber Security Centre (NCSC) is urging people to report the COVID-19 related scam emails they've received. The agency has established an online reporting portal to make the process simpler and more convenient. The NCSC has, according to ZDNet, taken down more than two-thousand online scams related to the pandemic, "including 471 fake online shops selling fraudulent coronavirus-related items, 555 malware distribution sites, 200 phishing sites and 832 advance-fee frauds."
Advance-fee frauds, it's worth recalling, are a venerable email scam, long famous as the "Nigerian prince scam." The versions presently circulating promise a large payment in exchange for a small but non-negligible set-up fee. The occasion of the offer is some bogus bit of nonsense about COVID-19 designed to render the mark willing to part with some cash in exchange for a big score down the road. It's not an investment scam where one might buy real estate in a non-existent country, a sure-thing penny stock being pumped and dumped, the Brooklyn Bridge, or shares in a heroic statue. Rather, the advance-fee scam presents itself as the first stage in a transaction with the victim. The scammers may say they need to move money and are willing to pay a service fee for the victim's assistance. They may simply say that grace has moved their hearts to generosity toward the victim, but of course even the operations of grace require the recipient to establish some financial infrastructure. It's of course a bad deal (and worse theology). The current run of advance-fee scams plays upon COVID-19 news. One might think no one would fall for them, but people do.
In any case, the NCSC, in partnership with the Home Office, the Cabinet Office, the Department for Digital, Culture, Media and Sport (DCMS, "the Ministry of Fun") and the City of London Police, has launched a 'Suspicious email reporting service.' You can use the NCSC's portal linked above, or you can forward the email to firstname.lastname@example.org.
ACSC engaged with pandemic-themed online fraud.
The Australian Cyber Security Centre's regular Threat update: COVID-19 malicious cyber activity outlines a set of problems similar to those seen in the UK and elsewhere. Since March 10th, ACSC has received roughly two reports a day of Australians losing money to coronavirus-themed online scams, and it notes that these are actual losses, not mere attempts. With their private-sector partners (including Google and Microsoft) ACSC has "disrupted" more than one-hundred-fifty COVID-19-themed websites that had been engaged in malicious activity.
They're observing these trends:
- Spoofed communications that represent themselves as being from the Australian government (and in some cases as coming from specific officials).
- Emails directing victims to sites designed to harvest credentials for future exploitation.
- Emails carrying banking Trojans as their payload.
- Scams using pandemic economic relief as the phishbait.
- Smishing scams using news about COVID-19 testing or restrictions as their bait.
- Business email compromise, designed to induce fraudulent wire transfers.
- A variety of scams designed to take advantage of people working remotely. These include variations on the hoary old Microsoft and IT help desk wheezes.
Economic stimulus and business relief scams.
Governments themselves have been the victims of pandemic relief fraud (see yesterday's discussion of the campaign against the relief operations of the German Land of Nordrhein-Westfalen). But individuals and businesses are also being targeted. Chicago-based Keeper Security warns that US citizens should expect to see a wave of scams as the Federal Government makes emergency assistance available under the CARES Act.
Singapore is offering the Self-Employed Person Income Relief Scheme. Applications open on April 27th, but the National Trades Union Congress (NTUC) is already warning people that emails that appear to originate with them are in fact the work of scammers.
The UK's Coronavirus Job Retention Scheme is also being used as bait by criminals prospecting individual victims. Less than twenty-four hours after the program opened yesterday, ComputerWeekly reports, bogus emails sporting HM Revenue & Customs (HMRC) branding and claiming to be from HMRC chief executive Jim Harra were already hitting in-boxes. Demand for relief under the Scheme is expected to be heavy, Computing says, and that will lend urgency to the scams as well as tend to reduce the victims' skepticism and resistance.
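The trends ACSC lists above and the HMRC-branded lure described here share one detectable feature: a display name that claims a government body while the message is sent from an unrelated domain, paired with relief-scheme vocabulary in the subject. The triage heuristic below is an added example, not code from the original page or any of the agencies named; the brand-to-domain allow-list, lure terms and sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list (not from the page): a pattern for the brand a display
# name may claim, and the domains allowed to send on that brand's behalf.
BRAND_DOMAINS = [
    (re.compile(r"hmrc|hm revenue", re.I), {"hmrc.gov.uk", "gov.uk"}),
    (re.compile(r"\bntuc\b", re.I), {"ntuc.org.sg"}),
    (re.compile(r"australian government", re.I), {"gov.au"}),
]
# Lure vocabulary drawn from the relief schemes named in the text.
LURE_TERMS = re.compile(
    r"job retention scheme|income relief|cares act|stimulus|covid|coronavirus|grant",
    re.I,
)

def domain_matches(sender_domain, allowed):
    """True if sender_domain equals, or is a subdomain of, an allowed domain."""
    d = sender_domain.lower()
    return any(d == a or d.endswith("." + a) for a in allowed)

def triage(raw):
    """Classify one RFC 822 message string as 'block', 'review' or 'pass'."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    reasons = []
    for brand, allowed in BRAND_DOMAINS:
        if brand.search(display) and not domain_matches(sender_domain, allowed):
            reasons.append(f"display name {display!r} not sent from {sorted(allowed)}")
    lures = sorted({m.lower() for m in LURE_TERMS.findall(msg.get("Subject", ""))})
    if reasons:
        verdict = "block"    # brand impersonation is decisive
    elif lures:
        verdict = "review"   # relief-scheme lure without a claimed brand: human review
    else:
        verdict = "pass"
    return {"from": addr, "verdict": verdict, "reasons": reasons, "lures": lures}

SPOOF_SAMPLE = (  # constructed, modelled on the HMRC-branded lure described above
    'From: "HM Revenue & Customs" <jim.harra@hmrc-support-example.com>\n'
    "Subject: Coronavirus Job Retention Scheme: claim your grant today\n"
    "\nConfirm your details to receive payment.\n"
)
LEGIT_SAMPLE = (  # constructed: claimed brand and sender domain agree, no lure terms
    'From: "HMRC" <noreply@hmrc.gov.uk>\n'
    "Subject: Your annual tax code notice\n\nNo action is required.\n"
)

if __name__ == "__main__":
    for sample in (SPOOF_SAMPLE, LEGIT_SAMPLE):
        print(triage(sample))
```

The display-name check only covers brands in the allow-list, so it complements rather than replaces SPF/DKIM/DMARC evaluation on the envelope sender.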
Quantifying criminal interest in current events.
GreatHorn researchers have analyzed a representative sampling of 1.4 billion emails since January 1st, and they summarized their findings in an email:
- "From April 1-11, more than one third (36.66%) of all COVID-related emails were malicious. Of all emails analyzed during the same period, 2.39% were COVID-related threats.
- "In comparison, COVID-related threats made up 36.36% of coronavirus-related emails and 1.5% of all email traffic during the first two weeks of March.
- "Since January 1, GreatHorn has identified 13,807,197 COVID-related threats—1.01% of all email analyzed.
- "When looking at the week-by-week aggregate over the last month, COVID-related threats were steadily increasing until the week of April 5-11, at which point there was a significant decrease (37.87%).
- "March 1-7 - 1,015,316
- "March 8-14 - 2,066,636
- "March 15-21 - 2,322,254
- "March 22-28 - 2,460,657
- "March 29-April 4 - 2,683,864
- "April 5-11 - 1,667,470"
Kevin O’Brien, GreatHorn's CEO and co-founder, commented: "Cybercriminals often take advantage of major world events that capitalize on public attention. The COVID-19 pandemic represents a perfect storm for exploitation – fear, personal interest and safety, worldwide attention, disruptions to daily life and work habits, and unexpected changes to business practices and communication patterns. It is no surprise that we are seeing widespread attempts to harvest credentials, authorize fraudulent wire transfers, and deploy ransomware. To keep users safe, organizations should evaluate business policies related to high-risk events, such as wire transfers, and build mechanisms for in-the-moment education and context into email so that users can make informed decisions before interacting with suspicious emails."
Vulnerabilities gain prominence during the pandemic's stress.
The International Association of IT Asset Managers (IAITAM) reports that its concerns about unaddressed vulnerabilities biting enterprises during an emergency are being realized. They see four categories of trouble:
"1. Assets left unsecure: An intentional decision to make devices less secure to allow for work from home (WFH) use. One example would involve removing admin permissions so that employees can complete the task without administrator oversight. Another would be allowing the use of “unpatched” business computers that allow hackers to load malicious files with admin privileges. In some cases, companies with high-end virtual private networks (VPNs) pre-loaded on business computers are allowing people to work from home on personal devices either with no VPN or with a lower-end virtual private network that may be less hacker resistant.
"2. 'New' assets created: More and more reports are emerging of companies purchasing new devices or technology to account for employees working from home. In one case reported directly to IAITAM, a national health care company ordered 9,000 new laptop computers from a major online company and gave its IT department less than a week to prep the new machines and deliver them to users, who had little or no time for training and other security-related instructions. The concern: The more corporate assets that you have, the higher the risk of intrusion. Each asset becomes a doorway or entry point for a breach, particularly when it (or its user) is underprepared. IT Asset Managers help with this by providing the data necessary for corporate security teams to know what exists, where it exists, and what is on the device.
"3. Assets now unsecure in at-home environments: Many company devices were deployed into a WFH situation quickly, leaving little time to ensure that they would be secure via a virtual private network (VPN) or other means. Just last week, school districts in Oakland and Berkeley, California unwittingly became an accomplice in their own data breach by accidentally making Google Classroom documents public, which contained access codes and passwords for Zoom meetings, as well as students' names and comments.
"4. Employees unwittingly inviting in the intrusion: Human error allows for mistakes and creates a vulnerability (i.e. clicking on phishing emails or downloading malware). Google reported last week that it is stopping 18 million coronavirus scam-related emails every day, many of them targeting cash-strapped businesses looking for loans or other capital. An internal memo from NASA on April 6th revealed that increased cybersecurity attacks had been directed at their employees working remotely. These phishing attempts were disguised as appeals for help, disinformation campaigns or new information about COVID-19, to gain login credentials or install malicious software. This is a prime example of how an employee could unwittingly invite in an intrusion. IT Asset Managers are at the forefront of education and communication campaigns within organizations to help teach end users what they should and should not be doing."
IAITAM is in an I-told-you-so frame of mind: they issued a similar caution on March 18th, and that wasn't the first.
ZDNet reports that students and universities find themselves in conflict over university plans to install remote monitoring tools on students' devices the better to detect academic dishonesty. The universities are concerned about cheating during exams administered online. The students resent the invasion of privacy, and some of them (not you, the student who's reading this, of course, but those other students, those bad students) no doubt resist proctoring that would make it harder to cheat, copy, plagiarize, etc. The university's concerns about cheating are reasonable, but so is students' irritation with the kind of dean-of-studentish hovering that would convert them into a bunch of cosseted mammothrepts. It's a classic apparent conflict of rights and duties. Discuss, and class dismissed.